04-08-2014 12:16 AM - edited 03-11-2019 09:02 PM
I have got two Cisco ASA 5520 running with IOS version 8.4.
I am trying to get all the packet events for a given "specific source" IP address sent to a syslog server. The syslog server has been configured and is working fine for other ASA events.
I have created a new ACL rule to log all events for that specific source IP address to the syslog server, but nothing is showing in the syslog logs, because (??) the packets are already permitted by another ACL rule sitting on the top.
I use the following ACL rule -
#access-list aclName extended permit ip host x.x.x.x any log debugging
ACL hitcount is zero but I am getting that "specific source IP" at ASDM live traffic monitoring.
Could anyone please shed some light on this?
04-09-2014 08:39 AM
You might need to re-order your access-list rules to put the "permit ... log" one much earlier. Remember that ASA's do first match; the first permit or deny rule which matches a packet controls its fate, regardless of any subsequent rules.
-- Jim Leinweber, WI State Lab of Hygiene
04-09-2014 05:33 PM
Hi Jim, thanks for your reply.
Is there any command/utility like the "shun" command that can work on "live packets" which have already been permitted first by another ACL rule?
Re-ordering the ACL would be difficult because it's a live circuit.
Thanks again - Jami.
04-10-2014 01:43 AM
Reordering the ACL will not affect other traffic. It depends on whether you use the ASDM or the CLI. In the ASDM, select the rule you want to place higher and then use the arrow buttons toward the top left of the page to move it up, then click Apply.
In the CLI, remove the ACL entry and then re-enter it, but this time issue the sequence number where you want to place it:
access-list aclName line 5 extended permit ip host x.x.x.x any log debugging
The above ACL will "squeeze" the ACL into position 5 in the ACL order. All lower ACLs will be reordered automatically.
--
Please remember to rate and select a correct answer
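To make the first-match behaviour described in this thread concrete, here is an added Python model (not from the thread or from Cisco) of an ASA-style ACL: each packet is checked top-down and the first matching entry decides, so a "permit ... log" entry appended below a broader permit never sees the traffic and keeps a hitcnt of zero until it is re-added with a "line N" position above the broad rule. The addresses and the three sample packets are constructed placeholders; 10.0.0.5 stands in for the x.x.x.x in the original post.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple
@dataclass
class Ace:
    action: str               # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    log: bool = False         # "log debugging" on the ASA
    hits: int = 0             # the hitcnt that "show access-list" reports

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst
class Acl:
    def __init__(self) -> None:
        self.entries: List[Ace] = []

    def add(self, ace: Ace, line: Optional[int] = None) -> None:
        # "line N" squeezes the ACE into position N (1-based); later entries shift down
        self.entries.insert(len(self.entries) if line is None else line - 1, ace)

    def evaluate(self, src_ip: str, dst_ip: str) -> Optional[Ace]:
        # First match wins: nothing after the matching ACE is consulted, so a
        # "permit ... log" ACE placed below a broader permit never sees the packet.
        for ace in self.entries:
            if ace.matches(src_ip, dst_ip):
                ace.hits += 1
                return ace
        return None           # implicit deny at the end of every ASA ACL
ANY = ip_network("0.0.0.0/0")
def host(ip: str) -> IPv4Network: return ip_network(f"{ip}/32")
# Constructed sample traffic; 10.0.0.5 stands in for the thread's x.x.x.x
PACKETS = [("10.0.0.5", "198.51.100.7"), ("10.0.0.5", "203.0.113.9"), ("10.0.0.9", "203.0.113.9")]

def simulate() -> Tuple[int, int]:
    """Return the log ACE's hitcnt before and after re-adding it with 'line 2'."""
    acl = Acl()
    acl.add(Ace("permit", ip_network("192.168.1.0/24"), ANY))   # line 1
    acl.add(Ace("permit", ip_network("10.0.0.0/8"), ANY))       # line 2: already permits 10.0.0.5
    acl.add(Ace("deny", ANY, ANY))                              # line 3
    log_ace = Ace("permit", host("10.0.0.5"), ANY, log=True)
    acl.add(log_ace)                                            # appended as line 4, below line 2
    for s, d in PACKETS:
        acl.evaluate(s, d)
    before = log_ace.hits                                       # 0: line 2 matched first
    acl.entries.remove(log_ace)                                 # "no access-list ..." then re-add
    log_ace = Ace("permit", host("10.0.0.5"), ANY, log=True)
    acl.add(log_ace, line=2)                                    # "access-list NAME line 2 ..."
    for s, d in PACKETS:
        acl.evaluate(s, d)
    return before, log_ace.hits                                 # (0, 2)
```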