Log all ACL on ASA

Telecom Team (Level 1)

Hi,

Is there a way to globally log all ACLs to syslog instead of having the word "log" at the end of each rule, on the ASA platform?

It's for testing purposes.

Thanks

7 Replies

What do you want to achieve? Do you want to see all that is allowed through the firewall? Then the connection-log can be used instead of the ACL-log.

Hi,

 

In fact, we want a syslog message every time a packet passes through a rule, and to know whether it was permitted or denied.

Thanks

The ASA is a stateful firewall: you don't act on packets, you act on connections when something is allowed. That can easily be done with connection logging.

How do you configure connection logging? Is there any documentation you can refer me to?

Thanks.

Hi,

Adding to Karsten's comments, if you want to log everything, then set up a syslog server and log everything at debug level:

logging enable
logging trap debugging
logging host INSIDE 10.1.1.1

So I guess "connection logging" means logging "Built outbound/inbound" messages like these?


%ASA-6-302013: Built outbound TCP connection 17316 for OUTSIDE:10.X.X.X/443 (10.X.X.X/443) to INSIDE:10.X.X.X/54129 (10.X.X.X/54129)
%ASA-6-302015: Built outbound UDP connection 17349 for OUTSIDE:10.X.X.X/53 (10.X.X.X/53) to INSIDE:10.X.X.X/55242 (10.X.X.X/55242)
%ASA-6-302020: Built outbound ICMP connection for faddr 10.X.X.X/0 gaddr 10.X.X.X/1 laddr 10.X.X.X/1

These are the syslog IDs in case you are interested, and yes, these are connection logging.

%ASA-6-302013: Built outbound/inbound TCP connection
%ASA-6-302014: Teardown TCP connection

%ASA-6-302015: Built outbound/inbound UDP connection
%ASA-6-302016: Teardown UDP connection

%ASA-6-302020: Built outbound/inbound ICMP connection
%ASA-6-302021: Teardown ICMP connection
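An added example, not from this thread or from Cisco: a small Python parser for the six connection-logging message IDs listed above, run over a few constructed log lines written in the format of the messages quoted in the thread. It shows what a syslog receiver can derive once the ASA is sending these messages: counts per protocol and action, and which connections were built but not yet torn down by the end of the sample. The exact body of the teardown message, the 106023 deny line used as a non-connection example, and all addresses and connection numbers are constructed for this example, not taken from the thread.

```python
"""Added example: parse Cisco ASA connection-logging messages (302013-302021)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Message IDs quoted in the thread, mapped to (protocol, action).
CONN_EVENTS = {
    "302013": ("TCP", "built"),
    "302014": ("TCP", "teardown"),
    "302015": ("UDP", "built"),
    "302016": ("UDP", "teardown"),
    "302020": ("ICMP", "built"),
    "302021": ("ICMP", "teardown"),
}

HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)")

# TCP/UDP body, e.g. "Built outbound TCP connection 17316 for OUTSIDE:a/p (m/p) to INSIDE:b/q (m/q)".
# Teardown messages are assumed to carry no inbound/outbound word, so that group is optional.
TCP_UDP_RE = re.compile(
    r"(?P<action>Built|Teardown)\s+(?:(?:inbound|outbound)\s+)?(?P<proto>TCP|UDP)\s+connection\s+"
    r"(?P<conn_id>\d+)\s+for\s+(?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+)"
    r".*?\s+to\s+(?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)"
)

# ICMP body, e.g. "Built outbound ICMP connection for faddr a/0 gaddr g/1 laddr l/1".
ICMP_RE = re.compile(
    r"(?P<action>Built|Teardown)\s+(?:(?:inbound|outbound)\s+)?ICMP\s+connection\s+for\s+"
    r"faddr\s+(?P<faddr>[^/\s]+)/\d+\s+gaddr\s+[^/\s]+/\d+\s+laddr\s+(?P<laddr>[^/\s]+)/\d+"
)


@dataclass(frozen=True)
class ConnEvent:
    msgid: str
    proto: str                     # TCP, UDP or ICMP
    action: str                    # "built" or "teardown"
    src: str                       # "ip/port" for TCP/UDP, foreign address for ICMP
    dst: str                       # "ip/port" for TCP/UDP, local address for ICMP
    conn_id: Optional[str] = None  # ASA connection number (TCP/UDP only)


def parse_line(line: str) -> Optional[ConnEvent]:
    """Return a ConnEvent for a 3020xx connection message, None for anything else."""
    hdr = HEADER_RE.search(line)
    if not hdr or hdr.group("msgid") not in CONN_EVENTS:
        return None
    proto, action = CONN_EVENTS[hdr.group("msgid")]
    body = hdr.group("body")
    if proto == "ICMP":
        m = ICMP_RE.match(body)
        if not m:
            return None
        return ConnEvent(hdr.group("msgid"), proto, action, m.group("faddr"), m.group("laddr"))
    m = TCP_UDP_RE.match(body)
    if not m:
        return None
    return ConnEvent(hdr.group("msgid"), proto, action,
                     f"{m.group('src_ip')}/{m.group('src_port')}",
                     f"{m.group('dst_ip')}/{m.group('dst_port')}",
                     m.group("conn_id"))


def summarize(lines: Iterable[str]) -> Counter:
    """Count connection events per (protocol, action); other messages are ignored."""
    counts: Counter = Counter()
    for ev in map(parse_line, lines):
        if ev is not None:
            counts[(ev.proto, ev.action)] += 1
    return counts


def open_connections(lines: Iterable[str]) -> set:
    """TCP/UDP connection numbers built but not torn down within the sample."""
    open_ids: set = set()
    for ev in map(parse_line, lines):
        if ev is None or ev.conn_id is None:
            continue
        key = f"{ev.proto}:{ev.conn_id}"
        open_ids.add(key) if ev.action == "built" else open_ids.discard(key)
    return open_ids


# Constructed sample log: addresses, connection numbers and the deny line are invented.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 17316 for OUTSIDE:10.0.0.5/443 (10.0.0.5/443) to INSIDE:192.168.1.20/54129 (192.168.1.20/54129)
%ASA-6-302015: Built outbound UDP connection 17349 for OUTSIDE:10.0.0.53/53 (10.0.0.53/53) to INSIDE:192.168.1.20/55242 (192.168.1.20/55242)
%ASA-6-302020: Built outbound ICMP connection for faddr 10.0.0.1/0 gaddr 10.0.0.9/1 laddr 192.168.1.20/1
%ASA-6-302014: Teardown TCP connection 17316 for OUTSIDE:10.0.0.5/443 to INSIDE:192.168.1.20/54129 duration 0:00:05 bytes 2048 TCP FINs
%ASA-4-106023: Deny tcp src OUTSIDE:10.0.0.7/40000 dst INSIDE:192.168.1.20/23 by access-group "OUTSIDE_IN"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, action), n in sorted(summarize(lines).items()):
        print(f"{proto:4} {action:8} {n}")
    print("still open:", sorted(open_connections(lines)))
```

Because the "Built" messages are severity 6 (informational), they only reach the syslog server when the trap level is at least informational, which the "logging trap debugging" line in the earlier reply satisfies; a receiver like this one is also where a deny message (severity 4) from a rule with the "log" keyword can be correlated against the connection events.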
