7799 Views, 5 Helpful, 6 Replies

Disable all ASA logging and Only Specific ACL Logging

ahmad82pkn
Level 3

Hi, we have a bit of a wide open Cisco ASA in terms of ACLs and we want to tighten it.

But there are lots of logs generated by the ASA and it's hard to filter the required information.

What I need to achieve is to disable all logging for the time being and only log a particular permit ACL, to see what is getting allowed due to that misconfigured default rule.

For example, I want no other logs in syslog except logs of the ACL below, to see what is getting permitted:

access-list MYACL permit ip 192.168.100.0 255.255.255.255 10.0.0.0 255.0.0.0

How can I achieve this?

6 Replies

Shivapramod M
Level 1

Hi Ahmad,

You can disable the logging in the ACL configuration with "log disable" at the end of the ACL command.

For example: access-list test extended permit ip any any log disable

You can refer to this link to modify the ACL parameters using the ASDM.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112925-acl-asdm-00.html

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Thank you for the reply, Shiva. Is there any other way? I have literally thousands of ACL lines, and I don't want to type "disable" on every ACL.

I thought there might be some global command to disable all logging and only enable it for a particular ACL.

Hi Ahmad,

Have you configured the access list with the "log" keyword?

Where are you pushing these logs to?

By default, if you have "permit" rules then these won't generate any log. Normally the ASA generates logs about connections that are denied by an ACL. But if you have the "log" keyword in the ACL then it will generate the logs.

Thanks,
Shivapramod M

I have disabled all Deny/NAT logs with the following, to get only the desired logs:

no logging message 106023
no logging message 305006
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302016
no logging message 302021
no logging message 302020

I have added the log keyword to my desired ACL:

access-list DMZ line 297 extended permit ip 192.168.220.0 255.255.255.0 10.24.21.0 255.255.255.0 log debugging interval 300 (hitcnt=795)

But I am getting lots of other permit logs as well, making it difficult to filter the desired logs.

No other ACL has the log keyword in it. Not sure how to block those permit logs; for example, the line below is coming in syslog as well:

764870321 Informational %PIX-6-302013: Built outbound TCP connection 816704746 for TRG-DMZ:192.168.220.154/80 (192.168.220.154/80) to INSIDE:10.6.5.30/53190 (192.168.220.200/3498)

Whereas it shouldn't come.

I also configured this line:

logging trap informational

Looks like I am getting somewhere. I disabled a lot of other message levels, and now I can see some 106001 messages, which were previously overwritten due to the massive volume of logs. I think I have narrowed it down a bit; will update in a while.

no logging message 106015
no logging message 313005
no logging message 106001
no logging message 106023
no logging message 305006
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302016
no logging message 302021
no logging message 302020

Is there any way to disable all informational messages except one, which is 106100?
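The last question in the thread (keep only 106100 on the syslog host, drop every other informational message) can be answered with an ASA event list, which selects messages by ID rather than by severity. The configuration below is an added example and is not from the thread or from Cisco documentation; it reuses the DMZ ACE shown above, assumes a syslog host is already configured with "logging host", and the event list name ACL-HITS is made up for this example. Two points a practitioner should check: the level given after "log" on an ACE sets the severity at which that ACE emits 106100, so "log debugging" (level 7) would be filtered by "logging trap informational" (level 6); and "logging trap" with a severity passes everything at that level or more severe, so the 106023 and 106001 entries the author already disabled (warnings and critical, not informational) still need their "no logging message" lines.

```cisco
! Added example, not part of the thread. Goal: only ACE hits (message 106100)
! reach the syslog host; every other informational message is dropped.
!
! Option A: an event list that contains nothing but 106100. Pointing the trap
! destination at the list replaces the severity filter, so 302013/302014
! connection messages, 302020/302021 ICMP messages and the rest never leave the
! ASA, regardless of their level. List name ACL-HITS is a constructed example.
logging enable
logging list ACL-HITS message 106100
logging trap ACL-HITS
!
! The ACE of interest keeps the log keyword; "log" with no level emits 106100 at
! the default severity (informational) and "interval 300" keeps the default
! rate limiting. The original line had "log debugging", so it is removed first.
no access-list DMZ extended permit ip 192.168.220.0 255.255.255.0 10.24.21.0 255.255.255.0 log debugging interval 300
access-list DMZ line 297 extended permit ip 192.168.220.0 255.255.255.0 10.24.21.0 255.255.255.0 log interval 300
!
! Option B: keep a severity-based trap filter but raise it one notch, from
! informational (6) to notifications (5), then emit this ACE's 106100 at
! notifications so it still clears the filter. Messages above informational,
! such as 106023 (warnings) and 106001 (critical), are unaffected by the filter
! and still need explicit suppression if they are not wanted.
! logging trap notifications
! access-list DMZ line 297 extended permit ip 192.168.220.0 255.255.255.0 10.24.21.0 255.255.255.0 log notifications interval 300
! no logging message 106023
! no logging message 106001
!
! Verify: "show logging" prints the trap level or list and the disabled message
! IDs; "show logging | include 106100" should then show only the ACE hits.
```

Option A is the direct answer to the question as asked; option B is the one to use when a second destination (for example the ASDM or buffer logging) still needs a severity-based view, since "logging trap" is the only destination being changed here.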
