02-17-2023 01:28 AM
Hi Everyone,
So, I have an ACL with a number of rules (<30) defined on an ASA running 9.12.4x.
The last ACE in this rulebase is an 'ip any any' allow, and I want to remove it and tighten this up, but I first need to determine what traffic is allowed by this rule.
example:
access-list dmz_acl extended permit ip any 10.4.4.0 255.255.255.0
access-list dmz_acl extended permit tcp 10.13.133.0 255.255.255.0 host 10.4.1.151 eq 2598
access-list dmz_acl extended permit ip any 172.16.254.0 255.255.255.0
access-list dmz_acl extended permit ip 10.3.4.0 255.255.0.0 host 10.4.0.200
access-list dmz_acl extended permit ip any any log
Is there a way to capture only the logs hitting the last ACE with the 'ip any any' rule, to export and analyze?
The only option I can think of is perhaps to add 'log disable' on all preceding ACEs except for 'ip any any', run it for a few days, and capture this on our log server.
Any other ideas/methods?
Thanks in advance.
02-17-2023 01:37 AM
Best way, I think:
use log only for permit ip any any,
then monitor for a few days,
after that,
change it to permit ip x.x.x.x y.y.y.y.
02-17-2023 01:46 AM
@ants_sec with the keyword log appended to the ACE (which is only your last rule), this generates the syslog message 106100. So you could send those specific logs to a syslog server.
Example:
logging host INSIDE 192.168.10.15 tcp/1514
logging list SEND-TO-SYSLOG message 106100
logging trap SEND-TO-SYSLOG
02-17-2023 01:52 AM
Will do the log only for the ip any any option for a few days.
Thanks for the prompt response, appreciated.
02-23-2023 11:49 PM
Hi All,
Thought I'd post this as I found a much easier solution to my issue...
Each ACL/ACE has a unique hex identifier, so the simple method is to search the logs based on this identifier. In my case all logs are sent to a syslog server, and I can happily search based on the ACL name and the hex ID of the rule, and that way get all the logs passing over a specific rule within the rulebase.
example:
sho access-list wan_acl
access-list wan_acl line 33 extended permit ..................range 3200 3299 (hitcnt=1) 0xb866edc2
access-list wan_acl line 33 extended permit tcp .................. range 3200 3299 (hitcnt=1) 0x84568bcc
access-list wan_acl line 33 extended permit tcp 1.......................... range 3200 3299 (hitcnt=0) 0x50ccb828
access-list wan_acl line 34 extended permit ip any any log informational interval 300 (hitcnt=21858) 0x6ce7c2a3
Simply create a search that includes the hex ID '0x6ce7c2a3' and it will show all traffic logged against that specific ACE within the ACL.
Cheers
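Both approaches in this thread end up at the same place: syslog message 106100 lines on the log server, filtered by ACL name and the ACE hash shown in `show access-list`. The script below is an added example (not from the original post, nor Cisco's own tooling) of what that search can do once it is in code: it parses 106100 lines, keeps only the ones for one ACE (ACL name plus hash), and summarizes the distinct proto/src/dst/port flows with their hit counts so you have a candidate list of explicit ACEs to replace `permit ip any any`. The log lines are constructed for the example; the hash `0x6ce7c2a3` is reused from the thread, the other hashes, hosts and interface names are made up. The 106100 layout assumed here (`hit-cnt N first hit` / `hit-cnt N 300-second interval` followed by the two hash codes in brackets) follows the ASA syslog reference; if your ASA release adds identity or security-group fields, extend the regex accordingly.

```python
import re
from collections import Counter

# Body of ASA syslog 106100 (logged ACE hits). Layout per the ASA syslog reference:
#   %ASA-6-106100: access-list <acl> <permitted|denied|est-allowed> <proto>
#       <in_if>/<src>(<sport>)[(user)] -> <out_if>/<dst>(<dport>)[(user)]
#       hit-cnt <n> <first hit | N-second interval> [<hash1>, <hash2>]
# hash1 is the ACE identifier printed at the end of each 'show access-list' line.
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<in_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)(?:\([^)]*\))?"
    r" -> (?P<out_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)(?:\([^)]*\))?"
    r" hit-cnt (?P<hits>\d+) (?P<interval>first hit|\d+-second interval) "
    r"\[(?P<hash1>0x[0-9a-fA-F]+), (?P<hash2>0x[0-9a-fA-F]+)\]"
)

# Constructed sample syslog lines (not real traffic). 0x6ce7c2a3 is the hash from the
# thread; 0x84568bcc stands in for a preceding, more specific ACE; the last line is a
# different message ID and must be ignored by the parser.
SAMPLE_LOGS = """\
Feb 20 2023 09:14:01 fw01 : %ASA-6-106100: access-list dmz_acl permitted tcp dmz/10.4.4.23(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x6ce7c2a3, 0x00000000]
Feb 20 2023 09:14:03 fw01 : %ASA-6-106100: access-list dmz_acl permitted udp dmz/10.4.4.23(50011) -> outside/198.51.100.53(53) hit-cnt 4 300-second interval [0x6ce7c2a3, 0x00000000]
Feb 20 2023 09:14:05 fw01 : %ASA-6-106100: access-list dmz_acl permitted tcp dmz/10.4.4.40(40022) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x6ce7c2a3, 0x00000000]
Feb 20 2023 09:14:07 fw01 : %ASA-6-106100: access-list dmz_acl permitted tcp dmz/10.4.4.9(33001) -> inside/10.4.1.151(2598) hit-cnt 1 first hit [0x84568bcc, 0x00000000]
Feb 20 2023 09:14:09 fw01 : %ASA-6-106100: access-list wan_acl permitted tcp outside/192.0.2.77(4431) -> dmz/10.4.4.23(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x00000000]
Feb 20 2023 09:14:11 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to dmz:10.4.4.23/51234 (10.4.4.23/51234)
"""


def parse_106100(line):
    """Return the fields of a 106100 message as a dict, or None for any other line."""
    m = MSG_106100.search(line)
    return m.groupdict() if m else None


def ace_hits(lines, acl, ace_hash):
    """Keep only the 106100 records for one ACE, matched on ACL name AND hash.

    Matching on both mirrors the search the thread describes; the hash alone is
    unique per ACE, the ACL name is a cheap sanity check against a stale hash."""
    wanted = ace_hash.lower()
    return [
        rec for rec in map(parse_106100, lines)
        if rec and rec["acl"] == acl and rec["hash1"].lower() == wanted
    ]


def summarize_flows(records):
    """Aggregate (proto, src, dst, dport) tuples, weighted by the hit-cnt field.

    106100 is rate-limited per the ACE's 'interval', so hit-cnt, not the number of
    log lines, is the real count of connections that matched."""
    flows = Counter()
    for r in records:
        flows[(r["proto"], r["src"], r["dst"], r["dport"])] += int(r["hits"])
    return flows


def propose_aces(acl, records):
    """Render the observed flows as host-granularity 'permit' ACEs, busiest first.

    Returns (ace_text, hits) pairs. These are a starting point for the engineer,
    who still decides where to widen hosts into subnets and ports into ranges."""
    proposals = []
    for (proto, src, dst, dport), hits in sorted(
        summarize_flows(records).items(), key=lambda kv: (-kv[1], kv[0])
    ):
        ace = f"access-list {acl} extended permit {proto} host {src} host {dst}"
        if proto in ("tcp", "udp"):
            ace += f" eq {dport}"
        proposals.append((ace, hits))
    return proposals


if __name__ == "__main__":
    recs = ace_hits(SAMPLE_LOGS.splitlines(), "dmz_acl", "0x6ce7c2a3")
    for ace, hits in propose_aces("dmz_acl", recs):
        print(f"{hits:6d}  {ace}")
```

Feed it the exported syslog file instead of `SAMPLE_LOGS` (one line per record) and run it over the whole observation window; the output is the traffic that only the final `permit ip any any` was allowing, which is exactly the set that has to be accounted for before that ACE is removed.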