1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ASA logging

Discussion in 'Network Security' started by morph, Dec 17, 2008.

  1. morph

    morph Byte Poster

    204
    3
    22
    So lets say u had a cisco ASa as your internal firewall, with an any any rule for ip (so everything) - this was being closed down but alot of traffic is useing this rule. Is it possible to just log on this one rule rule through syslog? or is syslog going to capture all the traffic for everything and then it would be a matter of going through it ? basically i want to do this over 48 hours, at the moment i'm just letting live logging rack up on a differant machine and was going to go through that (specific for that rule)
    any ideas?
     
    Certifications: Network +, ITIL Foundation, CCENT, CCNA
    WIP: server/ccna security
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Yes, you can log matches against a line in an access list - just add log at the end of the line. There are plenty of options if you want to fine tune the logging parameters, but simply adding "log" and sending it all to a syslog server is very easy. If the line is permit ip any any log, then of course you will be logging every packet, which is probably not a good idea, unless traffic is light.

    I'm not sure from you question, but it seems that you have an access list that permits everything, and you are trying to lock it down, and want an idea of what legitimate traffic you'll need to permit. If so, I'd suggest making an access list that covers everything you can think of that is legitimate (e.g. smtp, http, ntp, etc). Then add permit statements with logging to catch the rest of the traffic. I often break it down a bit more specificly, e.g. instead of permit ip any any log I use permit tcp any any log, permit udp any any log, etc.

    Also, keep in mind you can log policy entries as well, if needed - for example, maybe you have an http policy that blocks apps tunneling through http - you can log that if needed.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. morph

    morph Byte Poster

    204
    3
    22
    thanks dude ! :D
     
    Certifications: Network +, ITIL Foundation, CCENT, CCNA
    WIP: server/ccna security
  4. ManishBehal

    ManishBehal New Member

    6
    0
    18
    Hi,

    If you install the ASDM software you can easily see what traffic is passing through your firewall, including all the catch-all. Alternately, say you wanted to see what was hitting your outside interface, you could configure a capture list tied to an ACL to grab that traffic, bind that to the OUTISDE interface and then parse it to the .pcap format and then view it in WireShark – all this is free!! Can’t be bad.


    HTH
     
    Certifications: CCIE,CCNP,CCDA,CCNP,MCSE,MCSA,MCDST,MCT
    WIP: CCIE Security,

Share This Page

Loading...