Pages

Sunday 6 May 2012

Cisco ASA Firewall access-list syslog messages.

Cisco ASA Firewall access-list syslog messages.


In addition to firewall logging, logging can also be enabled on the access-list.

For example

access-list line 1 inside permit ip 10.20.30.0 255.255.255.0 any
access-list line 2 inside deny ip any any

Firewall syslog message 106023 will be generated for packets denied by an access control entry (ACE) that does not have the logkeyword present.
Jul 27 2010 00:10:18: %ASA-4-106023: Deny tcp src outside:10.21.30.3/2120 dst inside:100.2.4.1/80 by access-group “inside”

————————————————————————

If you enter the log option without any arguments, you enable system log message 106100 at the default level (6)

example:

access-list line 1 inside permit ip 10.20.30.0 255.255.255.0 any
access-list line 2 inside deny ip any any log

Jul 27 2010 00:10:18: %ASA-6-106100: access-list OUTSIDE denied tcp outside/10.21.30.3(2121) -> inside/100.2.4.1(105) hit-cnt 1 first hit [0x22e8ac21, 0x0]

No comments:

Post a Comment