12-09-2014 02:48 PM - edited 03-11-2019 10:12 PM
Hello. I am new to Cisco firewall rules and I was hoping you could help me. I have done some research, but I am not 100% on a few things.
Background: I have a few broad rules that are getting hit counts, but I am not expecting the hits, so I am trying to determine the traffic. In an ideal world, I would be able to turn on debugging/logging of just the specific rules in question to determine the traffic. I have some questions that revolve around this solution.
Questions:
1) I need to know source and destination IP and port. Is that a logging level of 4 or 6 that will achieve that?
2) All of our rules have "log" appended to the end. Does that mean that the global logging level you set, applies to all rules with "log" appended?
3) I did not fully understand the content in regards to creating classes or message lists. Is there a way to set a different logging rule for a specific rule?
4) If one cannot apply to a specific rule, is one possible solution putting the rule in its own ACL and putting this ACL above the rest? If I understand correctly, you can add unique debugging/logging to a specific ACL?
Thank you,
Dallas
12-09-2014 11:40 PM
1) I need to know source and destination IP and port. Is that a logging level of 4 or 6 that will achieve that?
Logging level 6 is what you want.
2) All of our rules have "log" appended to the end. Does that mean that the global logging level you set, applies to all rules with "log" appended?
Correct, when you set the logging level, this level applies to everything you are logging.
3) I did not fully understand the content in regards to creating classes or message lists. Is there a way to set a different logging rule for a specific rule?
Basically, the ACL class and message-lists are used for logging specified syslog messages in a different syslog level. For example, you can use this to log informational level messages that you specify as critical messages.
4) If one cannot apply to a specific rule, is one possible solution putting the rule in its own ACL and putting this ACL above the rest? If I understand correctly, you can add unique debugging/logging to a specific ACL?
You cannot "debug" an ACL, but you can create a packet capture between two interfaces which references an ACL. Then you can export that capture file and analyze it in Wireshark.
--
Please remember to select a correct answer and rate helpful posts
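Once the ACEs carry the `log` keyword and the syslog destination accepts level 6 (for example `logging trap informational`), every hit produces an ASA message ID 106100 line that contains exactly the source/destination IP and port the question asks for. The script below is an added example, not part of this thread or any Cisco tool: it parses constructed 106100 lines (the ACL name `inside_in`, the interface names and all addresses are made up), skips other message IDs, and totals hit counts per flow so the unexpected traffic behind a broad rule stands out. It assumes the ACEs use the default `log` severity (6) and the standard 106100 message layout.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real captures). The first three are
# 106100 messages, which an ASA emits at severity 6 for an ACE with "log";
# the last is a different message ID and must be ignored by the parser.
SAMPLE_LOG = """\
<134>Dec 09 2014 14:48:01 asa-1 %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
<134>Dec 09 2014 14:48:02 asa-1 %ASA-6-106100: access-list inside_in permitted udp inside/10.1.1.9(40001) -> outside/198.51.100.53(53) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]
<134>Dec 09 2014 14:48:03 asa-1 %ASA-6-106100: access-list inside_in denied tcp inside/10.1.1.7(60000) -> dmz/192.0.2.20(22) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
<131>Dec 09 2014 14:48:04 asa-1 %ASA-3-106014: Deny inbound icmp src outside:203.0.113.77 dst inside:10.1.1.5 (type 8, code 0)
"""

# Field layout of message 106100:
#   access-list <acl> <action> <proto> <in_if>/<src_ip>(<src_port>) -> <out_if>/<dst_ip>(<dst_port>) hit-cnt <n> ...
ACE_HIT = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)


def parse_ace_hits(text):
    """Return one dict per 106100 line in `text`; other message IDs are skipped."""
    hits = []
    for line in text.splitlines():
        m = ACE_HIT.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sev", "src_port", "dst_port", "hits"):
            rec[key] = int(rec[key])
        hits.append(rec)
    return hits


def summarize_flows(hits, acl=None):
    """Total hit counts per (acl, action, proto, src_ip, dst_ip, dst_port).

    Restrict to one ACL with `acl`; the source port is deliberately dropped
    from the key because it is ephemeral and would split one flow into many.
    """
    totals = Counter()
    for h in hits:
        if acl is not None and h["acl"] != acl:
            continue
        key = (h["acl"], h["action"], h["proto"], h["src_ip"], h["dst_ip"], h["dst_port"])
        totals[key] += h["hits"]
    return totals


if __name__ == "__main__":
    flows = summarize_flows(parse_ace_hits(SAMPLE_LOG), acl="inside_in")
    for (acl, action, proto, src, dst, dport), n in flows.most_common():
        print(f"{acl:12} {action:9} {proto:4} {src:>15} -> {dst}:{dport}  hits={n}")
```

Feed it the output of `show logging` or the syslog server's file for the ASA, and filter on the ACL name of the rule whose hit count is unexplained; the per-flow totals tell you which hosts and services are actually matching that broad entry.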
12-10-2014 11:26 AM
Thank you for your response!