Refining/Analyzing "permit ip"

Eric Snijders
Level 1

Hi All,

 

What would be the easiest way to refine/analyze traffic in an ACL "permit IP x x"? We want to know what kind of traffic actually is within this ACL. The ACL gets about 1000 hits a day.

 

I've already set up NetFlow, but I'm seeing more data than I would like; I'm still trying to see how I can optimize NetFlow for this.

 

Any other suggestion?

5 Replies

Hi,
As you've mentioned, NetFlow is a good place to start. You could also set up logging on that rule and send it to a syslog server. Once you've identified traffic you do wish to permit, I'd normally create more specific rules above the less specific rule but without logging turned on. That way, as you analyse the traffic hitting that "permit ip x x" rule, you eventually start logging less.

HTH

Hi RJI,

 

Thanks for the logging tip. Do you know any good software that can create a report from all those lines? It's a lot of traffic, so analyzing by hand would take a while.

 

NetFlow would be the more fancy way, I guess, but I'm still having a hard time getting only the data I need into NetFlow. I applied the Global Policy (I even applied a small ACL), but I'm also getting NetFlow data for traffic for which I already have a more specific ACL rule on the interface. I would like to filter that out.

Hi Eric,
Splunk and Graylog both have free versions you could use to analyse the log information; they are limited to 500MB (Splunk) or 5GB (Graylog) per day. I would hope that's enough for you to analyse the output and then amend the rules as necessary.

I don't know the answer to your NetFlow question, but I could perhaps have a look when free at the weekend. Perhaps these links might be of help:

 

https://www.plixer.com/blog/scrutinizer/configuring-cisco-asa-for-netflow-export-via-cli/

https://community.cisco.com/t5/security-documents/configuring-netflow-on-asa-with-asdm/ta-p/3119466

 

HTH

 

You use Kiwi for analyzing the syslogs

I already have Kiwi set up as our log viewer, but I have no idea how I could get a report or something that can show me how many of those hits are tcp/xxx, or destination xxx. Maybe I'm missing something, but Kiwi seems pretty simple with not a lot of features.

 

Let's say I have 4.000 hits on a "permit ip any any" rule; how could Kiwi help me generate some kind of report/statistics?
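As an added example (not posted by anyone in this thread), here is a small Python script that produces the kind of per-service and per-destination tally Eric is asking for from ACL syslog. It assumes the Cisco ASA `%ASA-6-106100` access-list message format (the ACL name, interface names, addresses and sample lines below are constructed, not taken from a real device).

```python
import re
from collections import Counter

# Cisco ASA %ASA-6-106100 access-list log message (format assumed; see lead-in).
# Shape matched:
#   access-list NAME permitted tcp outside/198.51.100.7(51234) -> inside/10.0.0.5(443) hit-cnt 1 ...
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_acl_log(line):
    """Return the parsed fields of one 106100 message, or None for any other line."""
    m = ASA_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])  # hit-cnt aggregates packets when interval logging is on
    return rec

def summarize(lines, acl_name):
    """Tally permitted hits on acl_name by protocol/destination port and by destination host."""
    by_service, by_dest = Counter(), Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl_name or rec["action"] != "permitted":
            continue  # other ACLs, denies and non-ACL messages are out of scope
        by_service[f"{rec['proto']}/{rec['dport']}"] += rec["hits"]
        by_dest[rec["dst"]] += rec["hits"]
    return by_service, by_dest

# Constructed sample syslog lines (not from a real device); a 302013 line is included as noise.
SAMPLE_LOG = [
    "%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(51234) -> inside/10.0.0.5(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.8(40000) -> inside/10.0.0.5(443) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted udp outside/198.51.100.9(5353) -> inside/10.0.0.53(53) hit-cnt 2 300-second interval [0x1a2b3c4e, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted icmp outside/198.51.100.7(8) -> inside/10.0.0.5(0) hit-cnt 1 first hit [0x1a2b3c4f, 0x0]",
    "%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.4(33000) -> inside/10.0.0.5(22) hit-cnt 1 first hit [0x1a2b3c50, 0x0]",
    "%ASA-6-106100: access-list dmz_in permitted tcp dmz/172.16.0.9(33001) -> inside/10.0.0.5(22) hit-cnt 1 first hit [0x1a2b3c51, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)",
]

if __name__ == "__main__":
    services, dests = summarize(SAMPLE_LOG, "outside_in")
    print("Top services:", services.most_common(5))
    print("Top destinations:", dests.most_common(5))
```

Point the script at a syslog file instead of `SAMPLE_LOG` and the `most_common` output gives the tcp/xxx and destination counts needed to carve the catch-all rule into more specific permits.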
