hit details on a specific policy

walter steadman
Level 1

Hello all,

  I am new to the Firewall world and in doing some troubleshooting, I wanted to see if it was possible on an ASA 5505 to see the details of specific hits on a policy

I have an Interface called FrontEnd and I added an any any permit as the last policy on that interface and I see the traffic incrementing so I know that there is some traffic coming in from the FrontEnd interface that is passing by all the other policies on that interface and being allowed by the any any permit

Is there a way to see the details of those hits? For example, the source IP, destination IP and destination port?

I am sorry if this question has been asked before, I did search but I might be using the wrong criteria in my search of the forum and the web

Thanks in advance for any assistance.

I do have ASDM up and this specific policy ID on that interface is 5 if that matters

Wally

1 Accepted Solution

Accepted Solutions

eddie.harmoush
Level 1

Absolutely possible.  What you will have to do is enable ACL logging on the "permit any any" ACL in question.

access-list 101 permit ip any any log

This will generate a log message 106100 each time traffic matches the ACL entry in question.  By default, this log message is severity level 6 (informational). 

To avoid having to turn on debugging at this level of detail (and potentially miss the messages you want to see due to other log messages), you can make it so this log message will generate syslog entries at a custom level.  For instance:

access-list 101 permit ip any any log alerts

Now, log message 106100 will appear as a severity level 1 (alerts) message, which will make it much easier to see in the logs.  To enable logging to the buffer, use the following:

logging buffered alerts

Then, when you see the hitcount go up on your ACL rule, you only need to type show log to view the details (source ip/ port, destination ip/port, protocol) of the traffic which was permitted through your ACL.

Hope this helps.

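The answer above explains that once the catch-all permit carries the log keyword, each match produces a 106100 syslog message, and that show log (or the ASDM log viewer) is where the source/destination details appear. As an added example that is not part of the original thread, here is a small Python script that parses the 106100 messages out of a buffered log, aggregates the hits on one ACL by protocol, source, destination and port, and turns the result into candidate explicit access-list lines, which is what a firewall administrator usually wants from a catch-all rule before tightening it. The log lines in SAMPLE_LOG are constructed for this example (addresses from documentation ranges, hostname asa5505, ACL number 101 taken from the answer); the message field layout follows the format Cisco documents for message 106100, and the rule strings produced by suggest_rules are proposals to be reviewed, not commands the script applies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field layout of message 106100 as Cisco documents it:
#   %ASA-<sev>-106100: access-list <acl> <permitted|denied|est-allowed> <proto>
#   <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> (first hit | N-second interval) [hash codes]
LOG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<in_if>[^/ ]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>[^/ ]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


@dataclass(frozen=True)
class AclHit:
    severity: int
    acl: str
    action: str
    proto: str
    in_if: str
    src: str
    sport: int
    out_if: str
    dst: str
    dport: int
    hits: int


def parse_106100(line: str) -> Optional[AclHit]:
    """Return the parsed ACL hit, or None for any other syslog message."""
    m = LOG_106100.search(line)
    if not m:
        return None
    return AclHit(
        severity=int(m["sev"]), acl=m["acl"], action=m["action"], proto=m["proto"],
        in_if=m["in_if"], src=m["src"], sport=int(m["sport"]),
        out_if=m["out_if"], dst=m["dst"], dport=int(m["dport"]), hits=int(m["hits"]),
    )


FlowKey = Tuple[str, str, str, int]  # (proto, src, dst, dport); the source port is ephemeral


def summarize(lines: List[str], acl: str, action: str = "permitted") -> Dict[FlowKey, int]:
    """Sum the hit counts on one ACL per (proto, src, dst, dport).

    The ASA may report a single line per interval with hit-cnt > 1, so the
    reported count is added rather than counting lines."""
    counts: Dict[FlowKey, int] = {}
    for line in lines:
        hit = parse_106100(line)
        if hit is None or hit.acl != acl or hit.action != action:
            continue
        key = (hit.proto, hit.src, hit.dst, hit.dport)
        counts[key] = counts.get(key, 0) + hit.hits
    return counts


def suggest_rules(counts: Dict[FlowKey, int], acl: str) -> List[str]:
    """Render each observed flow as an explicit host-to-host ACE (ASA syntax),
    sorted so the output is stable. These are proposals for review only."""
    return [
        f"access-list {acl} permit {proto} host {src} host {dst} eq {dport}"
        for (proto, src, dst, dport) in sorted(counts)
    ]


# Constructed sample of a buffered log after "logging buffered alerts" with
# the ACL set to "log alerts": 106100 shows up at severity 1; the 302013
# connection message is there to show unrelated lines are skipped.
SAMPLE_LOG = """\
Jan 10 2012 10:15:01 asa5505 %ASA-1-106100: access-list 101 permitted tcp FrontEnd/192.0.2.10(51234) -> inside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jan 10 2012 10:15:03 asa5505 %ASA-1-106100: access-list 101 permitted udp FrontEnd/192.0.2.11(53011) -> inside/10.0.0.53(53) hit-cnt 3 300-second interval [0x1a2b3c4e, 0x0]
Jan 10 2012 10:15:04 asa5505 %ASA-1-106100: access-list 101 permitted tcp FrontEnd/192.0.2.10(51240) -> inside/10.0.0.5(443) hit-cnt 2 300-second interval [0x1a2b3c4d, 0x0]
Jan 10 2012 10:15:05 asa5505 %ASA-6-302013: Built inbound TCP connection 12345 for FrontEnd:192.0.2.10/51240 (192.0.2.10/51240) to inside:10.0.0.5/443 (10.0.0.5/443)
Jan 10 2012 10:15:06 asa5505 %ASA-1-106100: access-list 101 denied tcp FrontEnd/192.0.2.12(40000) -> inside/10.0.0.9(23) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]
""".splitlines()


if __name__ == "__main__":
    permitted = summarize(SAMPLE_LOG, "101")
    for key, n in sorted(permitted.items()):
        print(f"{n:5d}  {key[0]:4s} {key[1]} -> {key[2]}:{key[3]}")
    print()
    print("\n".join(suggest_rules(permitted, "101")))
```

Paste the output of show log into a file and feed its lines to summarize() in place of SAMPLE_LOG; the aggregated table is the same information the answer says show log contains, just deduplicated per flow, and each proposed ACE can then be checked against what the FrontEnd segment is actually meant to reach before it is added above the catch-all.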

4 Replies


Just to add to what Eddie said, even if you want to see all the traffic hitting the ip any any acl, then you can use the acl:

access-list 101 permit ip any any log

and then go to the asdm, right click on the rule and select "show logg", this would pop up a ASDM log viewer window, and you would see all the traffic hitting that specific acl.

This way you can keep a track of it.

The above acl would turn on logging at informational level for that ACL only.

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao

svaish
Level 1

Hi Walter,

Are you looking for these features?

Keeps track of flow-create, flow-teardown, and flow-denied events, and generates appropriate NSEL data records.

Defines  and exports templates that describe the progression of a flow.  Templates describe the format of the data records that are exported  through NetFlow. Each event has several record formats or templates  associated with it.

Tracks  configured NSEL collectors and delivers templates and data records to  these configured NSEL collectors through NetFlow over UDP only.

Sends  template information periodically to NSEL collectors. Collectors  receive template definitions, normally before receiving flow records.

Filters  NSEL events based on the traffic and event type through Modular Policy  Framework, and then sends records to different collectors. Traffic is  matched based on the order in which classes are configured. After a  match is found, no other classes are checked. The supported event types  are flow-create, flow-denied, flow-teardown, and all. Records can be  sent to different collectors. For example, with two collectors, you can  do the following:

Log all flow-denied events that match access-list 1 to collector 1.

Log all flow-create events to collector 1.

Log all flow-teardown events to collector 2.

Delays the export of flow-create events.

Then have a look at

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_nsel.html#wp1111174

Sachin

walter steadman
Level 1

Thank you all for the tips, they have helped out quite a bit.  Sachin the links in your post did not show up, but I got the meaning of what you were saying so I can do further research.  Thanks all very much

Wally
