cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

879
Views
0
Helpful
7
Replies
Highlighted
Beginner

Log all ACL on ASA

Hi,

is there a way to globally log all ACL to syslog instead of having the word "log" at the end of each rule? On the ASA platform.

It's for testing purpose.

 

thanks

7 REPLIES 7
Highlighted
VIP Mentor

What do you want to achieve? Do you want to see all that is allowed through the firewall? Then the connection-log can be used instead of the ACL-log.

Highlighted

Hi,

 

in fact, we want a syslog message every time a packet pass through a rule and know if it's permit or deny.

 

thanks

Highlighted

The ASA is a stateful firewall and you don't act on packets, you act on connections when something is allowed. That can easily be done with connection-logging.

Highlighted

How do you configure connection logging? Any documentation you can refer me to?

 

Thanks.

Highlighted

Hi,

Adding to Karsten's comments, if you want to log everything then set up a syslog server and log everything at debug level.
logging enable
logging trap debugging
logging host INSIDE 10.1.1.1



Highlighted

So I guess "connection logging"  means logging Built outbound/inbound message like those?

 

%ASA-6-302013: Built outbound TCP connection 17316 for OUTSIDE:10.X.X.X/443 (10.X.X.X/443) to INSIDE:10.X.X.X/54129 (10.X.X.X/54129)
%ASA-6-302015: Built outbound UDP connection 17349 for OUTSIDE:10.X.X.X/53 (10.X.X.X/53) to INSIDE:10.X.X.X/55242 (10.X.X.X/55242)
%ASA-6-302020: Built outbound ICMP connection for faddr 10.X.X.X/0 gaddr 10.X.X.X/1 laddr 10.X.X.X/1

Highlighted

These are the syslog IDs in case if you are interested and yes these are connection logging.

%ASA-6-302013 - Built outbound/inbound TCP connection
%ASA-6-302014 - Teardown TCP connection

%ASA-6-302015: Built outbound/inbound UDP connection
%ASA-6-302016: Teardown UDP connection

%ASA-6-302020: Built outbound/inbound ICMP connection
%ASA-6-302021: Teardown ICMP connection


Content for Community-Ad