07-18-2011 07:03 AM - edited 03-11-2019 02:00 PM
Hi All,
I need some assistance trying to see what the actual hits are on a specific ruleset on a ASA firewall.
We created a rule required by the server engineers for specific services and ports required. However they were still not able to access or login even though we added the specified ports.
We then created a rule below that matching the first rule but allowed ip/any and the service now works and we see lots of hits on the second ip/any rule.
How can we actually see what the hits are, like source and destination IP's, ports etc?
We do have a syslog server in the environment but this logs actual ASA logs, how do we see the hits on the actual rule?
Thanks
ZS
Solved! Go to Solution.
07-18-2011 07:52 AM
No no, in the asdm you needed to select the debugging level, by default in cli, if you dont mention the logging level, it takes informational.
You can just give the command that i gave you in the CLI, that woudl set it to informational, or else use the logging level as 7, whihc is for debugging.
do a '?' after log option, it would make it clear.
-Varun
07-18-2011 07:06 AM
Hi Zayed,
You can use the log option after the ACL:
something like this,
access-list test permit ip any any log interval 1
this will give you all the traffic hitting this acl, in the syslogs.
Thanks,
Varun
07-18-2011 07:09 AM
Thanks Varun.
I am using the ASDM, there is a logging option in the ASDM, however which option do I select as there are a few choices.
Secondly when I enable logging will this log to syslog server the events of a rule and what is hitting the rule?
07-18-2011 07:13 AM
Hi Zubair,
What you can do is, go to te access-rule in the ASDM, right click on the ACL taht you have created, go to "show logg", the ASDM real-time log viewer window would pop up, there you can see what all traffic, for what ports is hitting the ACL. Then you can configure the ACL based on the ports on which teh request is arriving.
Hope this helps.
Varun
07-18-2011 07:18 AM
Varun.
I have tried that as well, that shows the actual ASA log not the rule. I apply a filter to the log and dont see any of the server IP's etc however I see my system IP that I use to remote to the ASA etc.
06-15-2023 10:44 AM
Thanks for Info, when I right click, I get a hex address for the rule 0x1f90a96 and nothing shows up in Real-Time Log Viewer. The rule I chose is in my top 10. What am I missing to see the logs?
07-18-2011 07:09 AM
You will only see the hitcounts on the ACL if the traffic matches perfectly with the ACL.
The reason why allowed ip/any works is because the traffic might require multiple services and ports configured, and possibly there might be more ports required to be opened then what you have created initially.
To see what is actually passing through between a specific source and destination IP, I would suggest that you run a packet capture on the specific interface, create ACL to only match the specific souce and destination IP Address, and send the traffic through. The packet capture will show you everything that pass through the ASA between the specified souce and destination IP address, and you will be able to tell what other ports you might be missing.
Hope this helps.
07-18-2011 07:12 AM
Jennifer,
My thoughts exactly, we are not receiving complete information as to what ports and services are required. We tried packet capture as well. We managed to get it working but my question still remains as to how I see what the actual hits are on a rule, any rule for that matter.
Thanks
Z
07-18-2011 07:16 AM
As Varun advised earlier, you can add the "log" keywords on the ACL, and that will send a syslog message.
However, it will only log what you have configured on the ACL.
For example:
If your ACL says: permit tcp host x.x.x.x host y.y.y.y eq 3500
It will only give you hitcount and logs if the traffic that you are sending is exactly from host x.x.x.x to host y.y.y.y on TCP/3500.
If your ACL says: permit ip any any
Then it will give you hitcount on any source and any destination on any protocols.
07-18-2011 07:21 AM
Can I only apply logging to using the CLI?
I would like to apply the logging using the ASDM, I select logging and didnt see any syslog alerts.
These are the options available in the ASDM logging: default, alerts, emergency, critical, errors, warnings, notifications, informational, debugging...
07-18-2011 07:43 AM
You would need to select the logging level as well, keep it to debugging and then you should be able to see it.
-Varun
07-18-2011 07:45 AM
Thanks Varun.
So I set the access-list rule to 'log' in the cli and set it to debugging?
Or can I just set the rule to 'debugging' in ASDM?
07-18-2011 07:52 AM
No no, in the asdm you needed to select the debugging level, by default in cli, if you dont mention the logging level, it takes informational.
You can just give the command that i gave you in the CLI, that woudl set it to informational, or else use the logging level as 7, whihc is for debugging.
do a '?' after log option, it would make it clear.
-Varun
07-18-2011 08:32 AM
Thanks, I will try it.
07-19-2011 12:41 AM
Varun,.
I set the logging to debugging and received not 1 alert in syslog for the rule.
I still cant see what IP's are hitting the rule?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide