10-30-2007 08:57 AM - edited 02-21-2020 01:45 AM
There is a hex id in ASA syslogs that corresponds to which ACL or ACE line generated the log entry. I know that ASDM uses it, but I want to know how to decipher it for use with other apps.
Anyone figure it out?
See examples below:
%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.1(1165) -> Inside_VLAN_248/SERVER1(80) hit-cnt 1 first hit [0xf2412831, 0xc45cf9c2]
%ASA-3-106100: access-list OUTSIDE permitted tcp Outside_VLAN_240/192.168.1.2(1503) -> Inside_VLAN_248/SERVER2(8008) hit-cnt 1 first hit [0x83e69c8, 0xee877a0]
11-05-2007 10:07 AM
In the syslog entry, there are two hashes. The first one points to the configured ACE which is the ACE that appears in the "show running-config" output. The second one points to the ACE that is expanded if the configured ACE uses object groups. It will be "0x0" if the ACE does not use object groups. But still it won't be possible to use this with some other application.
11-05-2007 09:51 PM
What I mean by other apps is a log viewer and I would like to know which ACL or ACE put the entry in the log? There is no way to do this you think?
11-09-2007 09:18 AM
I found out how to do it. Here it is:
So let's say a system administrator comes to me and says "I have a new server that needs to send print jobs to a print queue and it's not working. My old server is working though."
What I want to know is, "What is the rule that allows the old server to work?" so I can add the new server to that rule.
When I look through my syslog server for the "old server" which has the ip address of 10.10.30.101, I find this:
"%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/10.10.30.101(4172) -> Outside_VLAN/192.168.69.61(9100) hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]"
So now I know the ACL line with the hex id "0xa00e0f20" is the line that allowed the packet through.
So I go to my firewall and run the command:
"show access-list | include 0xa00e0f20"
I get the following output:
"access-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20"
I now know that IN_ACL line 2 permitted the traffic and I know that I need to add the new server to the PRINT_SERVERS object.
Alternatively, using the second hex id, you can find the actual ACE that permitted the traffic too:
FIREWALL#show access-list | include 0xb4d3bb50
access-list IN_ACL line 2 extended permit tcp host 10.10.30.101 192.168.69.0 255.255.255.0 eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50
With this method, you can have many ACL lines and still locate the exact line that is permitting or denying traffic.
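The lookup described in the thread (take the two bracketed hashes from a %ASA-3-106100 message, find the configured ACE with the first, the object-group expansion with the second) is easy to automate for a log viewer. The following Python is an added example, not code from the thread or from Cisco: it parses constructed 106100 syslog lines and a constructed `show access-list` capture, indexes every ACE by its trailing hash, and correlates each log message to its configured and expanded ACE. The sample hosts, ports, hit counts and hash values are made up; the message and ACE formats follow the lines quoted above.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample %ASA-3-106100 lines (hosts, ports and hash values are made up for
# illustration; the format follows the messages quoted in the thread).
SYSLOG_LINES: List[str] = [
    "%ASA-3-106100: access-list IN_ACL permitted tcp Inside_VLAN/10.10.30.101(4172) -> "
    "Outside_VLAN/192.168.69.61(9100) hit-cnt 1 first hit [0xa00e0f20, 0xb4d3bb50]",
    "%ASA-3-106100: access-list OUTSIDE denied udp Outside_VLAN_240/192.168.1.9(53000) -> "
    "Inside_VLAN_248/10.0.0.5(161) hit-cnt 3 300-second interval [0x1f3c9a7b, 0x0]",
]

# Constructed sample of "show access-list" output from the same hypothetical ASA.
# Expanded (object-group) ACEs appear indented under their configured ACE, and the
# per-ACE hash is the last token on each ACE line.
SHOW_ACCESS_LIST: str = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list IN_ACL; 3 elements; name hash: 0x2d6bf1aa
access-list IN_ACL line 1 extended deny ip any host 192.168.69.1 (hitcnt=12) 0x5d1e2f33
access-list IN_ACL line 2 extended permit tcp object-group PRINT_SERVERS object-group ALL_PRINTERS object-group PRINTING_SERVICES log errors interval 300 0xa00e0f20
  access-list IN_ACL line 2 extended permit tcp host 10.10.30.101 192.168.69.0 255.255.255.0 eq 9100 log errors interval 300 (hitcnt=17803762) 0xb4d3bb50
  access-list IN_ACL line 2 extended permit tcp host 10.10.30.102 192.168.69.0 255.255.255.0 eq 9100 log errors interval 300 (hitcnt=0) 0x7a1c44d9
access-list OUTSIDE; 1 elements; name hash: 0x9c0e33f7
access-list OUTSIDE line 1 extended deny udp any host 10.0.0.5 eq snmp log errors interval 300 (hitcnt=3) 0x1f3c9a7b
"""

class Ace(NamedTuple):
    acl: str
    line: int
    expanded: bool        # True for an object-group expansion shown indented under its parent
    hitcnt: Optional[int]
    text: str             # the ACE as printed, without the trailing hash

SYSLOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^\s(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^\s(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r".*?\[(?P<cfg_id>0x[0-9a-fA-F]+), (?P<exp_id>0x[0-9a-fA-F]+)\]"
)

ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) (?P<text>.*?)"
    r"\s*(?:\(hitcnt=(?P<hitcnt>\d+)\))?\s*(?P<id>0x[0-9a-fA-F]+)\s*$"
)

def parse_syslog(line: str) -> Optional[dict]:
    """Return the fields of a 106100 message, with both hashes as ints, or None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # ASA prints the hashes without leading zeros (e.g. 0x83e69c8), so compare as ints,
    # never as strings.
    d["cfg_id"] = int(d["cfg_id"], 16)
    d["exp_id"] = int(d["exp_id"], 16)
    return d

def parse_show_access_list(output: str) -> Dict[int, Ace]:
    """Index every ACE in 'show access-list' output by its hash."""
    aces: Dict[int, Ace] = {}
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:  # the cache line and the per-ACL "name hash" lines carry no ACE hash
            continue
        hit = m.group("hitcnt")
        aces[int(m.group("id"), 16)] = Ace(
            acl=m.group("acl"),
            line=int(m.group("line")),
            expanded=bool(m.group("indent")),
            hitcnt=int(hit) if hit is not None else None,
            text=m.group("text"),
        )
    return aces

def correlate(syslog_line: str, aces: Dict[int, Ace]) -> Tuple[Optional[Ace], Optional[Ace]]:
    """Map one 106100 message to (configured ACE, expanded ACE).

    The second element is None when the message's second hash is 0x0, i.e. the
    configured ACE uses no object groups and is itself the matching ACE.
    """
    msg = parse_syslog(syslog_line)
    if msg is None:
        return None, None
    configured = aces.get(msg["cfg_id"])
    expanded = aces.get(msg["exp_id"]) if msg["exp_id"] != 0 else None
    return configured, expanded

if __name__ == "__main__":
    index = parse_show_access_list(SHOW_ACCESS_LIST)
    for entry in SYSLOG_LINES:
        cfg, exp = correlate(entry, index)
        print(entry)
        print(f"  configured: {cfg.acl} line {cfg.line}: {cfg.text}" if cfg else "  configured: not found")
        print(f"  expanded:   {exp.text}" if exp else "  expanded:   (none, no object groups)")
```

Feed the parser a fresh `show access-list` capture whenever the configuration changes, since the hashes are derived from the ACE contents and an edited line gets a new one. For the first sample message this resolves to IN_ACL line 2 and the `host 10.10.30.101 ... eq 9100` expansion, exactly the two lines the `| include` commands above return; for the second, whose second hash is 0x0, only the configured ACE is reported.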