Unable to see connection in Cisco ASA Firewall Syslog Events

Haider Malik
Level 1

Unable to see connection in Cisco ASA Firewall Syslog Events.

I can see the RDP session from outside in the SSH session:

ciscoasa# sh conn
16 in use, 1588 most used

TCP outside 217.75.x.xxx:3427 inside 192.168.1.185:443, idle 0:00:04, bytes 29 2263, flags UIOB
TCP outside 217.75.x.xxx:12657 inside 192.168.1.100:3389, idle 0:00:00, bytes 3774655, flags UIOB

However, I am unable to find the syslog event for the RDP session in the ASDM GUI console.

Is there any way I can get a syslog message each time any RDP connection is established or requested through the firewall?

1 Accepted Solution

Accepted Solutions

Bogdan Nita
VIP Alumni

Syslog messages are being generated for session build and teardown, but I believe you are using ASDM to view the messages. That makes viewing syslog messages difficult, because the ASA logs a lot of messages and has a limited amount of space.

You may want to send the messages to an external syslog server.

 

Syslog ids for session build and teardown:

302013 - TCP Build
302014 - TCP Teardown
302015 - UDP Build
302016 - UDP Teardown
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs3.html#con_4770598

 

HTH

Bogdan


4 Replies

Hello Bogdan

Thanks for the reply. We are basically using SolarWinds Syslog Server to collect the syslogs and we are trying to track that there.

So I have tried RDP from the public IP 217.75.x.xxx below and can only see one single syslog event, which is below:


4/4/2018 12:35:21 PM 192.168.1.1 Debug :UTC: Built local-host outside:217.75.x.xxx


What I want is to see the:

- RDP Port Number (RDP Port)

- Inside Host IP address

OK, thanks. I have configured the event below and am able to see the details.

302013
Error Message: %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] to interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]

Explanation: A TCP connection slot between two hosts was created.

- connection_id: A unique identifier
- interface, real-address, real-port: The actual sockets
- mapped-address, mapped-port: The mapped sockets
- user: The AAA name of the user
- idfw_user: The name of the identity firewall user

If inbound is specified, the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, the original control connection was initiated from the inside.

Recommended Action: None required.

----- Thank you -------
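
The 302013 layout quoted above can be filtered on the syslog server to list only inbound RDP builds with the inside host and port. The following is an added example, not code from the thread or from Cisco; the function names, the record keys and the sample lines (documentation-range addresses, timestamp prefix) are constructed for illustration.

```python
import re

def _endpoint(name):
    # interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)] [(user)]
    return (rf"(?P<{name}_if>[^\s:]+):(?P<{name}_ip>[^/\s]+)/(?P<{name}_port>\d+)"
            rf" \((?P<{name}_mapped>[^)]+)\)(?: ?\([^)]*\))*")

# Layout of syslog 302013 as quoted in the thread; emitted messages carry the
# literal word "connection" before the numeric id, so it is accepted as optional.
BUILT_TCP = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP (?:connection )?"
    r"(?P<conn_id>\d+) for " + _endpoint("for") + " to " + _endpoint("to"))

def rdp_sessions(lines, port=3389):
    """Return one record per inbound TCP build whose 'to' endpoint uses `port`."""
    hits = []
    for line in lines:
        m = BUILT_TCP.search(line)
        if not m or m["direction"] != "inbound" or int(m["to_port"]) != port:
            continue  # other message ids, outbound builds, other services
        hits.append({
            "conn_id": m["conn_id"],
            "remote_if": m["for_if"],
            "remote_ip": m["for_ip"], "remote_port": int(m["for_port"]),
            "inside_if": m["to_if"],
            "inside_ip": m["to_ip"], "inside_port": int(m["to_port"]),
            "mapped": m["to_mapped"],
        })
    return hits

# Constructed sample lines, not taken from the thread.
P = "Apr 04 2018 12:35:21 192.168.1.1 : "
SAMPLE = [
    P + "%ASA-7-609001: Built local-host outside:198.51.100.7",
    P + "%ASA-6-302013: Built inbound TCP connection 48211 for outside:198.51.100.7/12657"
        " (198.51.100.7/12657) to inside:192.168.1.100/3389 (203.0.113.10/3389)",
    P + "%ASA-6-302013: Built inbound TCP connection 48212 for outside:198.51.100.7/3427"
        " (198.51.100.7/3427) to inside:192.168.1.185/443 (203.0.113.10/443)",
    P + "%ASA-6-302013: Built outbound TCP connection 48213 for outside:198.51.100.20/3389"
        " (198.51.100.20/3389) to inside:192.168.1.50/50112 (203.0.113.10/50112)",
    P + "%ASA-6-302013: Built inbound TCP connection 48214 for outside:198.51.100.9/40001"
        " (198.51.100.9/40001) to inside:192.168.1.100/3389 (203.0.113.10/3389) (jdoe)",
]

if __name__ == "__main__":
    for hit in rdp_sessions(SAMPLE):
        print(f"{hit['conn_id']}: {hit['remote_ip']}:{hit['remote_port']} -> "
              f"{hit['inside_if']}:{hit['inside_ip']}:{hit['inside_port']}")
```
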
