03-25-2021 12:13 PM
Hi,
I have an ASA 5555 with the below configuration for logging.
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history errors
logging asdm informational
logging facility 23
logging device-id hostname
logging host inside x.x.x.x
There is no log configured at the end of the ACL.
For example: access-list ACL1 extended permit tcp object-group inside object-group DMZ eq domain
However, I still see hit counts on it.
My understanding was that the ASA will not show hit counts if "log" is not configured at the end of the ACL.
Message id 106023 is generated, which doesn't have a hit count.
If log is configured at end of each ACL,
03-25-2021 01:49 PM
Cisco ASA, as you know, has as its main function to act as a firewall. Whether you set the log command or not, it will show you how much hit count comes to the ACL.
However, the log command can come into play in different scenarios. For example: only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as shown in the following example:
(config) access-list TEST deny ip any any log
If you enter the log option without any arguments, you enable syslog message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:
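To make the difference between the two message types concrete from a log-review standpoint, here is an added example (not from this thread or from Cisco): a small parser that reads constructed ASA syslog lines, pulls the per-interval hit-cnt out of 106100 messages generated by an ACE with "log", and counts 106023 denies, which carry no hit count. The ACL name, addresses and hash values in the sample lines are made up; the message layouts follow the documented 106100 and 106023 formats.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not real traffic): two 106100 messages
# from an ACE configured with "log" (level 6, with hit-cnt and the 300-second
# interval) and one 106023 deny that has no hit count field at all.
SAMPLE_LOGS = [
    "%ASA-6-106100: access-list ACL1 permitted tcp inside/10.1.1.5(51234) -> "
    "DMZ/10.2.2.53(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list ACL1 permitted tcp inside/10.1.1.5(51234) -> "
    "DMZ/10.2.2.53(53) hit-cnt 42 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-4-106023: Deny tcp src inside:10.1.1.9/40000 dst DMZ:10.2.2.53/22 "
    'by access-group "ACL1" [0x0, 0x0]',
]

RE_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+) hit-cnt (?P<hits>\d+) "
    r"(?P<when>first hit|\d+-second interval)"
)
RE_106023 = re.compile(
    r"%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\S+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r'.*?by access-group "?(?P<acl>[^"\s]+)"?'
)

def parse_line(line):
    """Return a dict describing the ACE event, or None for unrelated messages."""
    m = RE_106100.match(line)
    if m:
        d = m.groupdict()
        d["msg"], d["hits"] = "106100", int(d["hits"])  # hits in this interval
        return d
    m = RE_106023.match(line)
    if m:
        d = m.groupdict()
        d["msg"], d["action"] = "106023", "denied"
        d["hits"] = None  # 106023 is one message per denied packet, no counter
        return d
    return None

def summarize(lines):
    """Per (acl, action, proto, src, dst): summed 106100 hit-cnt and 106023 count."""
    summary = defaultdict(lambda: {"hit_cnt": 0, "deny_msgs": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["acl"], ev["action"], ev["proto"], ev["src"], ev["dst"])
        if ev["msg"] == "106100":
            summary[key]["hit_cnt"] += ev["hits"]
        else:
            summary[key]["deny_msgs"] += 1
    return dict(summary)
```

For an ACE without "log", none of these messages exist and the only counter is the one shown by `show access-list`, which increments regardless of the log keyword.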