Cisco ASA Series Cli Configuration Manual page 594

Software version 9.0 for the services module
Configuring Logging for Access Lists
Note: Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as shown in the following example:

hostname(config)# access-list TEST deny ip any any log
The log options at the end of the extended access-list command enable you to set the following behavior:

- Enable message 106100 instead of message 106023
- Disable all logging
- Return to the default logging using message 106023

Syslog message 106100 uses the following form:

%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
hit-cnt number ({first hit | number-second interval})

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a syslog message at the first hit and at the end of each interval, identifying the total number of hits during the interval and the timestamp for the last hit. At the end of each interval, the ASA resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry.

A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment; instead, a new flow is created for the new connection. See the "Managing Deny Flows" section on page 1-5 to limit the number of logging flows.

Permitted packets that belong to established connections do not need to be checked against access lists; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged, even if they are permitted, and all denied packets are logged.

See the syslog messages guide for detailed information about this syslog message.

Licensing Requirements for Access List Logging

The following table shows the licensing requirements for this feature:

Model        License Requirement
All models   Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Cisco ASA Series CLI Configuration Guide
1-2
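The following parser is an added example, not part of the Cisco guide: it reads syslog 106100 lines in the form quoted above, distinguishes the "first hit" report from the end-of-interval report, and totals denied hits per source address, since the per-flow key (which includes the source port) splits one reconnecting client across many flow entries. The sample lines are constructed to follow the template and are not real device output.

```python
import re
from collections import defaultdict
from typing import Optional

# Regex for the message form quoted in the guide:
#   %ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol
#   interface_name/source_address(source_port) -> interface_name/dest_address(dest_port)
#   hit-cnt number ({first hit | number-second interval})
MSG_106100 = re.compile(
    r"%(?:ASA|PIX)-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?:first hit|(?P<interval>\d+)-second interval)"
)

def parse_106100(line: str) -> Optional[dict]:
    """Return the 106100 fields as a dict, or None for any other syslog line."""
    m = MSG_106100.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    # "first hit" reports carry no interval; end-of-interval reports carry its length in seconds.
    rec["interval"] = int(rec["interval"]) if rec["interval"] else None
    return rec

def denied_hits_by_source(lines) -> dict:
    """Sum denied hits per (acl, protocol, source address) across all reports.

    The guide's flow key includes the source port, so a client that reconnects
    spreads its hits over many flow entries; keying on the address reunites them.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_106100(line)
        if rec is not None and rec["action"] == "denied":
            totals[(rec["acl"], rec["proto"], rec["src"])] += rec["hits"]
    return dict(totals)

# Constructed sample lines following the template above (not real device output).
SAMPLE = [
    "%ASA-6-106100: access-list TEST denied tcp inside/10.1.1.5(40001) -> outside/192.0.2.10(22) hit-cnt 1 first hit",
    "%ASA-6-106100: access-list TEST denied tcp inside/10.1.1.5(40001) -> outside/192.0.2.10(22) hit-cnt 7 300-second interval",
    "%ASA-6-106100: access-list TEST denied tcp inside/10.1.1.5(40002) -> outside/192.0.2.10(22) hit-cnt 1 first hit",
    "%ASA-6-106100: access-list TEST permitted udp inside/10.1.1.9(53000) -> outside/198.51.100.1(53) hit-cnt 3 300-second interval",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/443 ...",
]
```

Running denied_hits_by_source(SAMPLE) yields 9 denied hits for 10.1.1.5 against TEST, combining the two flows that differ only in source port.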