Tracking access-list permits and denies in syslog

alan.ambers (Level 1)

Hello -

I have worked with PIX/ASA in the past, but where I work now, they migrated from a Checkpoint firewall.  One thing that the Checkpoint did very well was log both permits and denies.  I am trying to replicate this with the ASA and a syslog server (Kiwi syslog) and am having problems.

I have a DNS rule that only allows our DNS servers to get to external DNS.  When I do an NSLOOKUP and set the server to an external server (4.2.2.2), the lookup fails and I get the following:

2011-12-19 14:23:54 Local4.Info 10.1.0.213 Dec 19 2011 14:23:54 medela : %ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]

Before I go on, it would be nice to know that this is failing at INSIDE rule #7 (as that is the number that shows up in ASDM).

....moving along....

If I add the IP address to the list of DNS servers, it works (as expected), but it doesn't show that in the syslog.  According to ASDM, I have the logging set to informational.  The actual code in the ASA is:

access-list INSIDE-IN extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log

I am adding and removing myself from the MCHENRY-DNS-SERVERS object group.

What seems weird to me is I have this entry:

2011-12-19 14:32:49 Local4.Info 10.1.0.213 Dec 19 2011 14:32:49 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/67.202.194.149(53) hit-cnt 1 first hit [0xcf9aa9e5, 0x96f1d973]

10.1.1.44 is one of our internal DNS servers, so this entry makes sense.

I have multiple valid log entries like the one right above, but I can't seem to see the ones I generate.

The logging commands are:

logging enable
logging timestamp
logging buffer-size 500000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging from-address XXXXX
logging recipient-address XXXXXXX level errors
logging recipient-address XXXXXX level errors
logging device-id string medela
logging host INSIDE 10.1.1.92 17/1514

What am I missing here?

We are running 8.2(3) ASA code and 6.3(4)53 ASDM code.

Thanks!

/alan

4 Replies

puseth (Level 1)

Hi Alan,

Looking at this syslog message

%ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]

Seems like there is an explicit ACE on the access-list INSIDE-IN which denied this outbound DNS traffic from host PC-alan.

Can you check this

show access-l | in 0xe09e77c3

Now as per you,

If you add this host PC-alan to the list of trusted DNS servers in the object-group "MCHENRY-DNS-SERVERS", the DNS traffic works fine but you don't see a syslog telling you that the traffic was permitted.

But at the same time you see a log for a different server being permitted by the access-l.

%ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/67.202.194.149(53) hit-cnt 1 first hit [0xcf9aa9e5, 0x96f1d973]

Looking at this

The first hex value corresponds to the object group, the second to the actual access rule.

So can you please show me the output of this

show access-l | in 0xcf9aa9e5
show access-l | in 0x96f1d973

Can you send me the output of

show access-l INSIDE-IN | in domain when you have that host added in that object-group and after you try nslookup from that host.

I'd like to see if that ACE has got any hit-cnts against it or not.

Puneet

Puneet -

I want to clarify that I expected the first "denied" since PC-alan was not in the object MCHENRY-DNS-SERVERS.  That said, here is the first show access-l:

show access-l | in 0xe09e77c3

access-list INSIDE-IN line 26 extended deny ip any any log informational interval 300 (hitcnt=1407496) 0xe09e77c3

Line 26 is our deny all so that is good.

Before I did the second, I cleared the DNS cache to make sure it would do hits.  The log entry is now:

2011-12-20 08:47:46 Local4.Info 10.1.0.213 Dec 20 2011 08:47:46 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/204.245.152.68(53) hit-cnt 12 300-second interval [0xcf9aa9e5, 0x96f1d973]

The two corresponding show access-lists are:

show access-l | i 0xcf9aa9e5

access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5

and

show access-l | i 0x96f1d973

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2153394) 0x96f1d973

Before I go on, I have a separate question (sorry for the digression).  Both of these refer to "line 8".  Shouldn't they show "line 7" per the attached ASDM screenshot?

Here is the final show command:

show access-l INSIDE-IN |  in domain

access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2155033) 0x96f1d973

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.51 any eq domain log informational interval 300 (hitcnt=1063240) 0x5452a227

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.32 any eq domain log informational interval 300 (hitcnt=447) 0x17ac19ab

  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.42 any eq domain log informational interval 300 (hitcnt=168) 0x598ed364

  access-list INSIDE-IN line 8 extended permit udp host PC-gail any eq domain log informational interval 300 (hitcnt=0) 0xfc2104c5

  access-list INSIDE-IN line 8 extended permit udp host PC-seth any eq domain log informational interval 300 (hitcnt=0) 0x5e736aae

  access-list INSIDE-IN line 8 extended permit udp host PC-alan any eq domain log informational interval 300 (hitcnt=17) 0xeceb330a

I see on the last line the hits on my lookup.  Now I look in the log file and I see:

2011-12-20 09:22:34 Local4.Info 10.1.0.213 Dec 20 2011 09:22:34 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/PC-alan(1503) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xcf9aa9e5, 0xeceb330a]

So now I see the entry in the log file.  I don't know why I didn't see it earlier.

Since I want to know that I hit line 7 on INSIDE-IN, why is that showing line 8?  And is there a way to get those line numbers over to my syslog, since that is how I would like to troubleshoot things (as crazy as that sounds)?

Thanks!

/alan

Unfortunately you cannot get those line numbers into the syslog.

However can you send me a screenshot of ASDM from line 1 to line 9.

And send me the output of show access-l INSIDE-IN?

Puneet

Puneet - Thank you for your quick reply

I found what is causing this.  It appears that a remark or description takes a line #:

  access-list INSIDE-IN line 2 extended permit ip host 10.1.x.x host addx (hitcnt=6) 0xe0fe5d0a
access-list INSIDE-IN line 3 extended permit tcp host 10.1.x.x any range 6366 6416 (hitcnt=0) 0x3235c4cb
access-list INSIDE-IN line 4 remark Laughlin Constable developing between our erpdev server and our web server
access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 object-group eCommerce-Development-Web 0xf2f65af6
  access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Echo-Mountain (hitcnt=0) 0x2b726d07
  access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Laughlin-Constable (hitcnt=0) 0x4c7009c7
access-list INSIDE-IN line 6 extended permit tcp object-group TIME-CLOCKS-IPS host tcaddx object-group TIME-CLOCK-TCP 0xc76e898f

So if I take the time to add a description in ASDM, it messes up the line # in the hit count.

Any idea on how to get around that short of not using the description?

Thanks!

/alan
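Since the ASA will not put ACL line numbers into syslog, the practical workaround is the one the thread walks through by hand: take the two hex ACE hashes from the %ASA-6-106100 message, look them up in `show access-list` output, and read the line number from there. The script below is an added example (not code from the thread or from Cisco) that automates that join and also applies the thread's finding that a `remark` occupies a CLI line number. The sample syslog lines and the `show access-list` excerpt are constructed from the fragments posted above (lines the thread did not show are simply absent); the ASDM rule-number calculation assumes, as the thread concludes, that ASDM numbers only non-remark entries, so it is only correct when the full ACL output is supplied. The `est-allowed` action is included because the 106100 message format allows it alongside `permitted` and `denied`.

```python
import re

# Constructed sample input, copied from the messages quoted in the thread.
SYSLOG_SAMPLE = """\
2011-12-19 14:23:54 Local4.Info 10.1.0.213 Dec 19 2011 14:23:54 medela : %ASA-6-106100: access-list INSIDE-IN denied udp INSIDE/PC-alan(1482) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xe09e77c3, 0x0]
2011-12-20 08:47:46 Local4.Info 10.1.0.213 Dec 20 2011 08:47:46 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/10.1.1.44(1038) -> OUTSIDE/204.245.152.68(53) hit-cnt 12 300-second interval [0xcf9aa9e5, 0x96f1d973]
2011-12-20 09:22:34 Local4.Info 10.1.0.213 Dec 20 2011 09:22:34 medela : %ASA-6-106100: access-list INSIDE-IN permitted udp INSIDE/PC-alan(1503) -> OUTSIDE/4.2.2.2(53) hit-cnt 1 first hit [0xcf9aa9e5, 0xeceb330a]
"""

# Constructed 'show access-list INSIDE-IN' excerpt assembled from the thread; lines the
# thread never showed (1, 7, 9-25) are omitted. Indented entries are object-group expansions.
SHOW_ACL_SAMPLE = """\
access-list INSIDE-IN line 3 extended permit tcp host 10.1.x.x any range 6366 6416 (hitcnt=0) 0x3235c4cb
access-list INSIDE-IN line 4 remark Laughlin Constable developing between our erpdev server and our web server
access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 object-group eCommerce-Development-Web 0xf2f65af6
  access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Echo-Mountain (hitcnt=0) 0x2b726d07
  access-list INSIDE-IN line 5 extended permit ip host srmsus23erpdev1 host Laughlin-Constable (hitcnt=0) 0x4c7009c7
access-list INSIDE-IN line 6 extended permit tcp object-group TIME-CLOCKS-IPS host tcaddx object-group TIME-CLOCK-TCP 0xc76e898f
access-list INSIDE-IN line 8 extended permit udp object-group MCHENRY-DNS-SERVERS any eq domain log informational interval 300 0xcf9aa9e5
  access-list INSIDE-IN line 8 extended permit udp host 10.1.1.44 any eq domain log informational interval 300 (hitcnt=2155033) 0x96f1d973
  access-list INSIDE-IN line 8 extended permit udp host PC-alan any eq domain log informational interval 300 (hitcnt=17) 0xeceb330a
access-list INSIDE-IN line 26 extended deny ip any any log informational interval 300 (hitcnt=1407496) 0xe09e77c3
"""

# %ASA-6-106100 for TCP/UDP: "<if>/<host>(<port>) -> <if>/<host>(<port>) hit-cnt N ... [h1, h2]".
SYSLOG_RE = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>[^)]*)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>[^)]*)\) "
    r"hit-cnt (?P<hits>\d+) (?P<when>first hit|\d+-second interval) "
    r"\[(?P<h1>0x[0-9a-f]+), (?P<h2>0x[0-9a-f]+)\]"
)

# One 'show access-list' line: optional indent, line number, ACE body, optional hitcnt, optional hash.
ACL_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?(?: (?P<hash>0x[0-9a-f]+))?$"
)


def parse_syslog(text):
    """Return a list of dicts, one per 106100 message found in the text."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["hits"] = int(d["hits"])
            out.append(d)
    return out


def parse_show_access_list(text):
    """Return (hash -> ACE entry, set of CLI line numbers occupied by remarks)."""
    by_hash, remarks = {}, set()
    for raw in text.splitlines():
        m = ACL_RE.match(raw)
        if not m:
            continue
        line = int(m.group("line"))
        if m.group("body").startswith("remark"):
            remarks.add(line)  # remarks have no hash but do consume a line number
            continue
        if m.group("hash"):
            by_hash[m.group("hash")] = {
                "acl": m.group("acl"), "line": line, "ace": m.group("body"),
                "expanded": bool(m.group("indent")),
                "hitcnt": int(m.group("hits")) if m.group("hits") else None,
            }
    return by_hash, remarks


def asdm_rule_number(cli_line, remark_lines):
    """Assumption (per the thread): ASDM numbers only non-remark entries."""
    return cli_line - sum(1 for r in remark_lines if r < cli_line)


def resolve(syslog_text, acl_text):
    """Join each 106100 message to the ACE that matched it and recover CLI/ASDM numbers."""
    by_hash, remarks = parse_show_access_list(acl_text)
    results = []
    for msg in parse_syslog(syslog_text):
        # Second hash is the expanded object-group entry that actually matched; 0x0 means
        # the ACE had no object-group expansion, so the first hash is the ACE itself.
        key = msg["h2"] if msg["h2"] != "0x0" else msg["h1"]
        entry = by_hash.get(key)
        results.append({
            "action": msg["action"],
            "flow": f'{msg["src"]}:{msg["sport"]} -> {msg["dst"]}:{msg["dport"]}/{msg["proto"]}',
            "ace_hash": key,
            "cli_line": entry["line"] if entry else None,
            "asdm_rule": asdm_rule_number(entry["line"], remarks) if entry else None,
            "ace": entry["ace"] if entry else None,
        })
    return results


if __name__ == "__main__":
    for r in resolve(SYSLOG_SAMPLE, SHOW_ACL_SAMPLE):
        print(f'{r["action"]:9} {r["flow"]:40} line {r["cli_line"]} (ASDM rule {r["asdm_rule"]}): {r["ace"]}')
```

In practice feed `resolve()` the complete `show access-list` output, captured at the time the messages were logged; the hashes identify the ACE, but the line number is a property of the current ACL order and moves whenever rules or remarks are inserted above it.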
