12-02-2011 11:15 PM - edited 03-11-2019 02:58 PM
Hello all,
I am new to the firewall world and, in doing some troubleshooting, I wanted to see if it was possible on an ASA 5505 to see the details of specific hits on a policy.
I have an interface called FrontEnd and I added an any-any permit as the last policy on that interface. I see the traffic incrementing, so I know that there is some traffic coming in from the FrontEnd interface that is passing by all the other policies on that interface and being allowed by the any-any permit.
Is there a way to see the details of those hits? For example, the source IP, destination IP and destination port?
I am sorry if this question has been asked before; I did search, but I might be using the wrong criteria in my search of the forum and the web.
Thanks in advance for any assistance.
I do have ASDM up and this specific policy ID on that interface is 5 if that matters
Wally
12-05-2011 01:50 PM
Absolutely possible. What you will have to do is enable ACL logging on the "permit any any" ACL in question.
access-list 101 permit ip any any log
This will generate a log message 106100 each time traffic matches the ACL entry in question. By default, this log message is severity level 6 (informational).
To avoid having to turn on debugging at this level of detail (and potentially miss the messages you want to see due to other log messages), you can make it so this log message will generate syslog entries at a custom level. For instance:
access-list 101 permit ip any any log alerts
Now, log message 106100 will appear as a severity level 1 (alerts) message, which will make it much easier to see in the logs. To enable logging to the buffer, use the following:
logging buffered alerts
Then, when you see the hit count go up on your ACL rule, you only need to type show log to view the details (source IP/port, destination IP/port, protocol) of the traffic which was permitted through your ACL.
Hope this helps.
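Once the ACL in the answer above is logging, the buffer fills with 106100 lines mixed in with connection build/teardown and deny messages. The script below is an added example, not part of the thread or any Cisco tool: it pulls the 106100 records for one ACL out of pasted `show logging` output and totals hits per source/destination/port, which is what the original question asks for. The message layout follows Cisco's documented 106100 format (`access-list <acl> permitted|denied <proto> <if>/<src>(<sport>) -> <if>/<dst>(<dport>) hit-cnt <n> ...`); the sample log lines are constructed for this example and the `sev` field shows the effect of `log alerts` (severity 1 instead of the default 6).

```python
import re
from collections import Counter

# Layout of ASA syslog 106100 (ACL logging) per Cisco's syslog reference:
# %ASA-<sev>-106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#   <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> (first hit | <n>-second interval) [hash, hash]
# Port fields are left loose ([^)]*) because ICMP entries do not carry TCP/UDP ports.
MSG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<in_if>[^/\s]+)/(?P<src>[^(]+)\((?P<sport>[^)]*)\) -> "
    r"(?P<out_if>[^/\s]+)/(?P<dst>[^(]+)\((?P<dport>[^)]*)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample of a 'show logging' buffer: 106100 entries from ACL 101
# (already re-levelled to severity 1 by 'log alerts') interleaved with unrelated messages.
SAMPLE_SHOW_LOG = """\
%ASA-1-106100: access-list 101 permitted tcp FrontEnd/10.10.5.23(49152) -> outside/203.0.113.7(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-1-106100: access-list 101 permitted udp FrontEnd/10.10.5.23(53412) -> outside/203.0.113.53(53) hit-cnt 12 300-second interval [0x1a2b3c4e, 0x0]
%ASA-6-302013: Built outbound TCP connection 9912 for outside:203.0.113.7/443 (203.0.113.7/443) to FrontEnd:10.10.5.23/49152 (10.10.5.23/49152)
%ASA-1-106100: access-list 101 permitted tcp FrontEnd/10.10.5.40(51000) -> outside/198.51.100.9(3389) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
%ASA-1-106100: access-list 101 permitted tcp FrontEnd/10.10.5.40(51001) -> outside/198.51.100.9(3389) hit-cnt 1 first hit [0x1a2b3c50, 0x0]
%ASA-4-106023: Deny tcp src FrontEnd:10.10.5.99/40000 dst outside:192.0.2.5/23 by access-group "FrontEnd_in" [0x0, 0x0]
%ASA-1-106100: access-list 102 permitted tcp dmz/172.16.0.9(40001) -> outside/198.51.100.9(22) hit-cnt 1 first hit [0x1a2b3c51, 0x0]
"""


def parse_106100(log_text, acl=None):
    """Return one dict per 106100 line, optionally restricted to a single ACL name.

    re.search (not match) is used so a leading timestamp from 'logging timestamp'
    or a syslog relay header does not break parsing.
    """
    records = []
    for line in log_text.splitlines():
        m = MSG_106100.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["hits"] = int(rec["hits"])
        if acl is None or rec["acl"] == acl:
            records.append(rec)
    return records


def summarize(records):
    """Total hit-cnt per (src, dst, proto, dport); hit-cnt is used because after the
    first hit the ASA aggregates repeats into one line per interval rather than
    emitting one line per packet."""
    totals = Counter()
    for r in records:
        totals[(r["src"], r["dst"], r["proto"], r["dport"])] += r["hits"]
    return totals


def top_flows(log_text, acl, limit=10):
    """Convenience entry point: the busiest flows that matched the given ACL."""
    return summarize(parse_106100(log_text, acl)).most_common(limit)


if __name__ == "__main__":
    # Pipe real output in: ssh asa 'show logging' | python3 acl_hits.py  (or paste into SAMPLE_SHOW_LOG)
    for (src, dst, proto, dport), hits in top_flows(SAMPLE_SHOW_LOG, acl="101"):
        print(f"{hits:6d}  {proto:5s} {src} -> {dst}:{dport}")
```

The per-flow totals are what tell you which rule is missing: in the constructed sample the catch-all is passing DNS and HTTPS from one host plus RDP from another, so the fix is to add specific permits (or a deny) above the any-any line rather than leaving it in place. Note that `log alerts` changes only the severity label of 106100, so the `sev` field in the parsed records is a quick check that the right ACL entry was edited.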
12-06-2011 02:36 AM
Just to add to what Eddie said, even if you want to see all the traffic hitting the ip any any ACL, then you can use the ACL:
access-list 101 permit ip any any log
and then go to the ASDM, right-click on the rule and select "show log"; this would pop up an ASDM log viewer window, and you would see all the traffic hitting that specific ACL.
This way you can keep track of it.
The above ACL would turn on logging at informational level for that ACL only.
Hope that helps.
Thanks,
Varun
12-06-2011 04:07 AM
Hi Walter,
Are you looking for these features?
•Keeps track of flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.
•Defines and exports templates that describe the progression of a flow. Templates describe the format of the data records that are exported through NetFlow. Each event has several record formats or templates associated with it.
•Tracks configured NSEL collectors and delivers templates and data records to these configured NSEL collectors through NetFlow over UDP only.
•Sends template information periodically to NSEL collectors. Collectors receive template definitions, normally before receiving flow records.
•Filters NSEL events based on the traffic and event type through Modular Policy Framework, and then sends records to different collectors. Traffic is matched based on the order in which classes are configured. After a match is found, no other classes are checked. The supported event types are flow-create, flow-denied, flow-teardown, and all. Records can be sent to different collectors. For example, with two collectors, you can do the following:
–Log all flow-denied events that match access-list 1 to collector 1.
–Log all flow-create events to collector 1.
–Log all flow-teardown events to collector 2.
•Delays the export of flow-create events.
Then have a look at
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wp1111174
Sachin
12-07-2011 06:05 AM
Thank you all for the tips, they have helped out quite a bit. Sachin the links in your post did not show up, but I got the meaning of what you were saying so I can do further research. Thanks all very much
Wally