01-17-2022 05:29 AM
On my ASA I have a network interface on a production VLAN, and that network interface has an ACL where the only rule is an "access-list ... permit ip any any" (because of how it was implemented in the past).
Now, for some sort of compliance, I have to remove that stupid rule and instead write down a long list of rules to "segregate" the VLAN.
Since I have the ASA logging to ElasticSearch, I can easily query Elastic to find what rules to apply, easy.
Hence the question: when I write down the long list of rules, at the bottom I will keep the "permit ip any any" to prevent issues with production, because I may forget to add some rule.
How do I know which connections the last rule (permit ip any any) in the list has been applied to?
I could check how many hitcnt I see on the last rule, but I wouldn't be able to determine what rules I'm missing.
01-17-2022 05:49 AM
@MarcoLazzarotto log traffic for the "permit ip any any" rule and send these to your syslog server. "When the log option is specified, it generates syslog message 106100 for the ACE to which it is applied. Syslog message 106100 is generated for every matching permit or deny ACE flow that passes through the ASA Firewall."
You can then filter on that rule/syslog message and determine whether you wish to create additional rules to permit that traffic.
01-17-2022 05:57 AM
Thank you so much @Rob Ingram! This is exactly what I need!
Funny thing is that I already have a couple of ACLs with a rule with the "log" option (this is not fully managed by me), but I never found that until now.
04-04-2022 08:34 AM
Hello @Rob Ingram ,
I did as you suggested, and the ASA is logging all the connections.
In the following example, I added the log option on a permit ip 10.1.10.0 255.255.255.0 any rule at the bottom of the ACL "prod-linux_acl".
I can find this on the logs, which is fine:
access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(57822) -> prod-vpn/10.3.33.33(3389) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]
| SOURCE | | DESTINATION |
but I can also find this kind of logs, which are logs for return connections:
access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(8443) -> prod-vpn/10.3.33.33(60409) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]
| DESTINATION | | SOURCE |
As you can imagine, I only need logs from the first type. How can I differentiate "straight" connections from "return" connections?
Thank you for your help
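An added example, not part of the thread and not Cisco's tooling: a small Python script that parses 106100-style log lines of the shape quoted above (as exported from ElasticSearch, for instance), separates "straight" from "return" flows using a port-ordering heuristic, and drafts the explicit ACEs that would replace the catch-all rule. The heuristic is an assumption, not ASA behaviour: it treats the lower-numbered port as the service side, so a flow whose destination port is lower than its source port (57822 -> 3389) is counted as a client-to-server connection, while the reverse (8443 -> 60409) is discarded. The sample lines are constructed, modelled on the two in the post, and the parser handles only the TCP/UDP form with ports in parentheses.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the two quoted in the post above.
SAMPLE_LOGS = [
    "access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(57822) -> prod-vpn/10.3.33.33(3389) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]",
    "access-list prod-linux_acl permitted tcp prod-linux/10.1.10.10(8443) -> prod-vpn/10.3.33.33(60409) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]",
    "access-list prod-linux_acl permitted tcp prod-linux/10.1.10.11(51002) -> prod-vpn/10.3.33.33(3389) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]",
    "access-list prod-linux_acl permitted udp prod-linux/10.1.10.10(40001) -> prod-dns/10.2.2.2(53) hit-cnt 1 first hit [0x3bd17c0e, 0x00000000]",
]

# Matches the TCP/UDP form shown in the post: zone/ip(port) -> zone/ip(port).
# re.search is used so a leading "%ASA-6-106100:" prefix, if present, is tolerated.
LINE_RE = re.compile(
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not the TCP/UDP form."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def is_forward(rec):
    """Heuristic (assumption, not ASA semantics): the lower-numbered port is the
    service side, so a flow is 'straight' when the destination port is the lower one."""
    return rec["dst_port"] < rec["src_port"]


def summarize(lines):
    """Count straight, permitted flows per (acl, proto, src_ip, dst_ip, dst_port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "permitted" or not is_forward(rec):
            continue
        counts[(rec["acl"], rec["proto"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return counts


def draft_aces(lines):
    """Draft one host-to-host ACE per observed straight flow, in ASA extended ACL syntax.
    Review and aggregate these (object-groups, subnets) before applying them."""
    aces = []
    for (acl, proto, src, dst, port), _ in sorted(summarize(lines).items()):
        aces.append(f"access-list {acl} extended permit {proto} host {src} host {dst} eq {port}")
    return aces


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        print(n, key)
    print("\n".join(draft_aces(SAMPLE_LOGS)))
```

Run it against a dump of the 106100 lines filtered to the catch-all ACE; every tuple left in the summary is a flow the explicit rules above it do not yet cover. The return-flow line from the post (8443 -> 60409) is dropped by the heuristic, so it does not produce a spurious ACE.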