Cisco ASA Syslog Message 302013 source IP

meirtz4 (Level 1)

Hi, in the log messages for 302013, on outbound, is it possible to determine the source IP, meaning the IP that initiates the connection? Or does the inbound/outbound indication plus the position of the IP in the message only indicate the security levels?

Some examples:
Jul 6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 for dev:10.2.4.86/25 (10.2.4.86/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)

%ASA-6-302013: Built outbound TCP connection 1139888864 for Outside:103.33.237.104/443 (103.33.237.104/443) to Inside:10.12.122.84/17960 (192.44.45.104/17880)

Thanks.



You could use a WHOIS service (use Google to find and select a WHOIS site you would like to use) and look up the IP address 103.33.237.104. I just did a lookup on it and it is an IP located in China.

--
Please remember to select a correct answer and rate helpful posts

Thank you. Actually, what I am trying to achieve, if possible, is a definition of which IP will be the source and which the destination, meaning who initiated the connection. From reading the docs, I'm not sure if it's possible. For example, in the log with the IP 103.33.237.104, is that the IP that initiated the connection, or the other one?

Thanks.

Usually the log that states "Built" defines the initiating IP. So in your first example, the initiating IP would be 10.2.4.86. But the second example doesn't make sense, as it is stating "Built outbound TCP connection" from the Outside interface. Is this a copy-paste error or an actual log message?

Jul 6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 for dev:10.2.4.86/25 (10.2.4.86/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)

%ASA-6-302013: Built outbound TCP connection 1139888864 for Outside:103.33.237.104/443 (103.33.237.104/443) to Inside:10.12.122.84/17960 (192.44.45.104/17880)

Had the second log message stated Built inbound TCP connection ... for Outside.... then this would mean that the IP 103.33.237.104 is initiating a connection inbound with source port tcp/443.

A better way to validate this is to set up a capture and then go through the captured data in Wireshark.

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads (Hall of Fame)

In addition to what's already been shared, consider the port numbers. TCP connections (and UDP flows) are generally initiated from an ephemeral port (>1024) to a well-known port. For instance, tcp/25 would be SMTP (mail server) and tcp/443 is HTTPS (web server). Clients generally initiate connections to servers.

meirtz4 (Level 1)

@Marvin Rhoads @Marius Gunnerud Thank you for your response.

In the first example, unlike what you assumed, the initiating IP is 10.128.85.25. Please refer to this thread - ASA SYSLOG - How is direction determined in 302013 & 302015 - Cisco Community

The second example, which I provided, is an actual message. I need to decide how to parse it: who is the source and who is the destination. I agree it doesn't make sense, and I've also noticed the ports, as you said.

Do you think maybe the source and destination IPs have no correlation with outbound/inbound and order?

As of yet I have not been able to find any documentation that supports what I am about to write, but this is why I believe the log message is being displayed in reverse.

When a connection is established from the inside to the outside on HTTPS, the return traffic for that connection needs to be allowed. I believe it is this connection / opening that we see in the log, and therefore why it is shown with the IPs in reverse order.

--
Please remember to select a correct answer and rate helpful posts

Thanks, I was also looking for official documentation but can't seem to find any. Whether or not this is the reason, the important thing for me is to understand: will the latter IP always be the source (on outbound), or may this change between different interfaces?

Thanks.

The IP itself and the interface associated with the IP will of course change, but the latter will always represent the source.

--
Please remember to select a correct answer and rate helpful posts
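A small parser that applies the rule this thread arrives at, written as an added example (it is not code from the thread or from Cisco): in a 302013 "Built outbound" message the latter endpoint is the initiator, in "Built inbound" the former is, and the ephemeral-port observation from Marvin's reply is used as a cross-check. The two outbound sample lines are the ones from the question; the inbound line is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Matches the 302013 body: "Built {inbound|outbound} TCP connection <id> for
# <if>:<real-ip>/<port> (<mapped-ip>/<port>) to <if>:<real-ip>/<port> (<mapped-ip>/<port>)"
_EP = r"(?P<if{n}>[\w-]+):(?P<ip{n}>[\d.]+)/(?P<port{n}>\d+) \((?P<mip{n}>[\d.]+)/(?P<mport{n}>\d+)\)"
_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    + _EP.format(n=1) + " to " + _EP.format(n=2)
)

@dataclass
class Conn:
    conn_id: int
    direction: str
    src: tuple          # (interface, real ip, real port) of the initiator
    src_mapped: tuple   # (mapped ip, mapped port) of the initiator, i.e. after NAT
    dst: tuple          # (interface, real ip, real port) of the responder
    dst_mapped: tuple   # (mapped ip, mapped port) of the responder
    port_hint_agrees: bool  # True when the ephemeral-port heuristic agrees with the rule

def parse_302013(line: str) -> Conn:
    m = _RE.search(line)
    if m is None:
        raise ValueError("not a 302013 message: " + line)
    ep = lambda n: (m[f"if{n}"], m[f"ip{n}"], int(m[f"port{n}"]))
    mp = lambda n: (m[f"mip{n}"], int(m[f"mport{n}"]))
    # Rule from the thread: "outbound" -> the latter endpoint initiated; "inbound" -> the former did.
    s, d = (2, 1) if m["dir"] == "outbound" else (1, 2)
    src, dst = ep(s), ep(d)
    # Cross-check: clients normally connect from an ephemeral port (>1024) to a
    # well-known port; a False here means the message deserves a second look.
    agrees = src[2] > 1024 and dst[2] <= 1024
    return Conn(int(m["cid"]), m["dir"], src, mp(s), dst, mp(d), agrees)

# Sample input: the two messages from the question, plus one constructed inbound line.
SAMPLES = [
    "Jul 6 09:38:51 44.254.0.8 %ASA-6-302013: Built outbound TCP connection 1465712 for "
    "dev:10.2.4.86/25 (10.2.4.86/25) to inside:10.128.85.25/37281 (10.128.85.25/37281)",
    "%ASA-6-302013: Built outbound TCP connection 1139888864 for Outside:103.33.237.104/443 "
    "(103.33.237.104/443) to Inside:10.12.122.84/17960 (192.44.45.104/17880)",
    # Constructed inbound example (not from the thread) to exercise the other branch:
    "%ASA-6-302013: Built inbound TCP connection 777 for Outside:198.51.100.7/51234 "
    "(198.51.100.7/51234) to Inside:10.1.1.5/443 (203.0.113.10/443)",
]

if __name__ == "__main__":
    for c in map(parse_302013, SAMPLES):
        print(c.conn_id, c.direction, "initiator:", c.src, "nat:", c.src_mapped, "->", c.dst, "port_hint_ok:", c.port_hint_agrees)
```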

Here is a document describing the logs a little more.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116149-qanda-ASA-00.html


--
Please remember to select a correct answer and rate helpful posts

I will check some points with you today.

I made a small lab: I configured two ASA FWs with TCP allowed out of each, and ran TCP from R1 toward R2.

I got the notification message. It is not so helpful by itself, but using the info in the log message together with
show conn we can get more info about this traffic.
TCP has flags we can use to see whether the traffic direction is Inbound or Outbound, and also the FIN, SYN and ACK of the traffic.

In my lab, since I ran TCP from R1 to R2, I can see the flag UIO <<-, and by using another table I can see that this traffic is Outbound Data, meaning that the traffic initiated from the Inside of the ASA FW.


Thanks @MHM Cisco World ! Just to be sure:
inside == R1 == 10.0.0.10 ?

Yes, you are correct: R1 is 10.0.0.10 and R2 is 20.0.0.20.
