To check logs on ASA firewall

prashantrecon
Level 1

Hi Experts,

Need a solution regarding broadcast.

There was a lot of packet loss when I tried to ping the inside interface of the firewall, and my entire network was down.

When I checked in ASDM, there was a DoS attack from a particular IP on one of the internal servers.

Today I also faced a similar problem, and I was not even able to log on to ASDM.

Is there any way to check logs on the firewall other than a syslog server?

Hi Ajay,

Thanks for the links.

The problem is that it takes too much time to check logs on the syslog server to find from which IP the attack has taken place.

Due to packet loss we are not able to log in to the firewall ASDM either.

Is there any way to check from which IP we are getting attacks?

Basically, show connections should tell you what's going on in the firewall; based on that you can investigate. If you suspect a DoS attack you can also check the utilization report of the switches and switchports. If you have had a syslog server it was an easy job. There is no magical command which tells you the host. You should investigate step by step.

Thank you.

Hi

Just my 2 cents on the subject.

First of all, are you onsite or are you somewhere else?

It sounds like you are onsite and that the inside server is sending more packets through the link than what the firewall, or the link somewhere on the way to the firewall, can handle. I.e., link saturation.

If that is the case, then setting a monitor port on the switch where the firewall connects and setting up sniffer software such as Wireshark will tell you the offending address immediately. It is the one sending most of the packets.

The second thing you can do is to go to the firewall, connect a cable and run CLI commands instead of using the ASDM.

Third

Do you have any unused ports in the firewall? Setting up a log server on one of those would be a prudent thing.

Fourth

It could be a faulty cable, which would give the same symptoms, but if the ASDM tells you that there is an attack, then most likely it is not a faulty cable.

Good luck

HTH

Hi Hobbe,

The problem is that even after changing the private as well as the public IP of the server, we have received the attack on the same server within a month. We have more than 100 servers set up in VMware.

Can you guide me in setting up Wireshark?

You first need to set up a SPAN port:

Switch(config)# monitor session 1 source interface fastEthernet0/1
Switch(config)# monitor session 1 destination interface fastEthernet0/2

The source would be the interface where the firewall inside is connected, and the destination port would be where a machine is connected on which Wireshark is installed.

Wireshark is freeware; you can download it from the internet.

Once SPAN is configured, a mirror of all the traffic in/out will be on the destination port. In Wireshark you can select the interface (your NIC) and click on start capture.

Thanks

Ajay
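
Added example (not part of the original thread): once the inside interface is mirrored to the capture machine, the heaviest sender can be read off a saved capture by counting frames per source IP. This Python script assumes the capture was saved in classic pcap format (not pcapng) with Ethernet framing; the function names and all sample addresses are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def top_talkers(pcap, n=5):
    """Return [(src_ip, packets, bytes)] for the busiest IPv4 senders in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    pkts, octets = Counter(), Counter()
    off = 24                         # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            continue                 # truncated record
        l3, etype = 14, frame[12:14]
        if etype == b"\x81\x00":     # 802.1Q tag, seen when a trunk port is mirrored
            l3, etype = 18, frame[16:18]
        if etype != b"\x08\x00" or len(frame) < l3 + 20:
            continue                 # not IPv4, or IP header cut off by the snap length
        src = str(IPv4Address(frame[l3 + 12:l3 + 16]))
        pkts[src] += 1
        octets[src] += orig_len      # on-the-wire size, even if the frame was truncated
    return [(ip, c, octets[ip]) for ip, c in pkts.most_common(n)]

def _frame(src, dst, payload_len):
    """Constructed Ethernet + IPv4 frame with zeroed MACs and zeroed payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + bytes(payload_len)

def build_sample():
    """Constructed capture: one inside host sends far more frames than the others."""
    frames = ([_frame("192.168.10.50", "203.0.113.9", 64)] * 40
              + [_frame("192.168.10.21", "203.0.113.9", 64)] * 3
              + [_frame("192.168.10.22", "203.0.113.9", 64)] * 2)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a real capture, pass the file's bytes, e.g. `top_talkers(open("capture.pcap", "rb").read())`, where `capture.pcap` is a placeholder file name.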
