Monitoring Access Rules; Evaluating Syslog Messages For Access Rules - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

The following example shows how to allow the host at 10.1.1.15 to use only ping to the inside interface:
hostname(config)# icmp permit host 10.1.1.15 inside
The following example shows how to deny all ping requests and permit all packet-too-big messages (to support path MTU discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
The following example shows how to permit host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outside
hostname(config)# ipv6 icmp permit 2001::/64 echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
Monitoring Access Rules
To monitor network access, enter the following commands:
clear access-list id counters
    Clears the hit counts for the access list.
show access-list [name]
    Displays the access lists, including the line number for each ACE and its hit count. Include an ACL name, or you will see all access lists.
show running-config access-group
    Displays the ACLs currently bound to the interfaces.

Evaluating Syslog Messages for Access Rules

Use a syslog event viewer, such as the one in ASDM, to view messages related to access rules.
If you use default logging, you see syslog message 106023 for explicitly denied flows only. Traffic that matches the "implicit deny" entry that ends the rule list is not logged.
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We recommend that you instead enable logging using syslog message 106100, which provides statistics for each rule (including permit rules) and enables you to limit the number of syslog messages produced. Alternatively, you can disable all logging for a given rule.
When you enable logging for message 106100 and a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a syslog message at the first hit and at the end of each interval, identifying the total number of hits during the interval and the time stamp of the last hit. At the end of each interval, the ASA resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry. When you configure logging for a rule, you can control the interval and even the severity level of the log message, per rule.
A flow is defined by the source and destination IP addresses, protocol, and ports. Because a new connection between the same two hosts usually uses a different source port, it creates a new flow entry rather than incrementing the existing one, so the hit count you see is per flow, not per host pair.
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 4 Access Rules, page 4-10
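The per-flow counting described above means one host probing the same service from several source ports shows up as several 106100 flows. The following added example (not code from the Cisco guide) parses 106100 messages and sums hit counts with the source port dropped, so per-host totals become visible; the sample lines are constructed to follow Cisco's documented 106100 format, and the ACL name, addresses and hash values are invented.

```python
import re
from collections import defaultdict

# Body of syslog 106100 as Cisco documents it (assumption: identity-firewall
# "(user)" fields are absent, which is the case when that feature is off).
MSG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) "
    r"(?P<when>first hit|\d+-second interval)"
)

# Constructed sample: one host opens SSH connections from two source ports (two
# flows), a permitted IPv6 ping, and a 106023 line the parser must skip.
SAMPLE_LOG = """\
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(44321) -> inside/10.1.1.15(22) hit-cnt 1 first hit [0x8c2d1e3a, 0x0]
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(44322) -> inside/10.1.1.15(22) hit-cnt 1 first hit [0x8c2d1e3a, 0x0]
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(44321) -> inside/10.1.1.15(22) hit-cnt 57 300-second interval [0x8c2d1e3a, 0x0]
%ASA-6-106100: access-list outside_in permitted icmp outside/2001::10(0) -> outside/2001::1(0) hit-cnt 3 300-second interval [0x1f2e3d4c, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 dst inside:10.1.1.20/445 by access-group "outside_in" [0x0, 0x0]
"""

def parse_106100(line):
    """Fields of a 106100 message as a dict, or None for any other message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    # "first hit" has no interval; "300-second interval" -> 300 seconds
    rec["interval"] = None if rec["when"] == "first hit" else int(rec["when"].split("-")[0])
    return rec

def summarize_hits(log_text):
    """Sum hit-cnt per (acl, action, proto, src, dst, dport). The source port is
    dropped on purpose: each new connection from the same host is a new flow
    entry on the ASA, so per-flow counts understate per-host activity."""
    totals, skipped = defaultdict(int), 0
    for line in log_text.splitlines():
        rec = parse_106100(line)
        if rec is None:
            skipped += 1
            continue
        totals[(rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])] += rec["hits"]
    return dict(totals), skipped

def denied_over_threshold(totals, threshold):
    """Aggregated (key, hits) pairs for denied traffic at or above threshold, busiest first."""
    hot = [(k, n) for k, n in totals.items() if k[1] == "denied" and n >= threshold]
    return sorted(hot, key=lambda kv: kv[1], reverse=True)
```

Feed `summarize_hits` the output of your syslog collector for the logging interval you configured per rule; the threshold you pass to `denied_over_threshold` is a site-specific choice.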