-
Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3
-
About This Guide
-
Glossary
- Getting Started and General Information
- Setting Up the Adaptive Security Appliance
- Configuring Access Lists
- Configuring IP Routing
- Configuring NAT
- Configuring Service Policies Using the Modular Policy Framework
- Configuring Access Control
- Configuring Application Inspection
- Configuring Unified Communications
- Configuring Connection Settings and QoS
- Configuring Advanced Network Protection
- Configuring Applications on SSMs and SSCs
- Configuring High Availability
-
Configuring VPN
-
Configuring IPSec and ISAKMP
-
Configuring L2TP over IPSec
-
Setting General VPN Parameters
-
Configuring Tunnel Groups, Group Policies, and Users
-
Configuring IP Addresses for VPN
-
Configuring Remote Access VPNs
-
Configuring Network Admission Control
-
Configuring Easy VPN on the ASA 5505
-
Configuring the PPPoE Client
-
Configuring LAN-to-LAN VPNs
-
Configuring Clientless SSL VPN
-
Configuring AnyConnect VPN Client Connections
-
- Configuring Logging and SNMP
- System Administration
- Reference
-
Feedback
Table Of Contents
Configuring Logging for Access Lists
Configuring Logging for Access Lists
Information About Logging Access List Activity
Licensing Requirements for Access List Logging
Configuring Access List Logging
Configuration Examples for Access List Logging
Feature History for Access List Logging
Information About Managing Deny Flows
Licensing Requirements for Managing Deny Flows
Feature History for Managing Deny Flows
Configuring Logging for Access Lists
This chapter describes how to configure access list logging for extended access lists and Webytpe access lists, and it describes how to manage deny flows.
This chapter includes the following sections:
•
Configuring Logging for Access Lists
Configuring Logging for Access Lists
This section includes the following topics:
•
•
•
•
•
Information About Logging Access List Activity
By default, when traffic is denied by an extended ACE or a Webtype ACE, the adaptive security appliance generates system message 106023 for each denied packet in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_idIf the adaptive security appliance is attacked, the number of system messages for denied packets can be very large. We recommend that you instead enable logging using system message 106100, which provides statistics for each ACE and enables you to limit the number of system messages produced. Alternatively, you can disable all logging.
Note
hostname(config)# access-list TEST deny ip any any logThe log options at the end of the extended access-list command enable you to set the following behavior:
•
•
•
System message 106100 uses the following form:
%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})When you enable logging for message 106100, if a packet matches an ACE, the adaptive security appliance creates a flow entry to track the number of packets received within a specific interval. The adaptive security appliance generates a system message at the first hit and at the end of each interval, identifying the total number of hits during the interval and the timestamp for the last hit. At the end of each interval, the adaptive security appliance resets the hit count to 0. If no packets match the ACE during an interval, the adaptive security appliance deletes the flow entry.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. See the "Managing Deny Flows" section to limit the number of logging flows.
Permitted packets that belong to established connections do not need to be checked against access lists; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged, even if they are permitted, and all denied packets are logged.
See the Cisco ASA 5500 Series System Log Messages for detailed information about this system message.
Licensing Requirements for Access List Logging
The following table shows the licensing requirements for this feature:
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported only in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines and Limitations
ACE logging generates system log message 106023 for denied packets. A deny ACE must be present to log denied packets.
Default Settings
Table 18-1 lists the default settings for extended access list parameters.
Configuring Access List Logging
This sections describes how to configure access list logging.
Note
To configure logging for an ACE, enter the following command:
Monitoring Access Lists
To monitor access lists, enter one of the following commands:
Displays the access list entries by number.
Displays the current running access-list configuration.
Configuration Examples for Access List Logging
This section includes sample configurations for logging access lists.
You might configure the following access list:
hostname(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600hostname(config)# access-list outside-acl permit ip host 2.2.2.2 anyhostname(config)# access-list outside-acl deny ip any any log 2hostname(config)# access-group outside-acl in interface outsideWhen the first ACE of outside-acl permits a packet, the adaptive security appliance generates the following system message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the access list, and the hit count does not increase.
If one or more connections by the same host are initiated within the specified 10 minute interval (and the source and destination ports remain the same), then the hit count is incremented by 1, and the following message displays at the end of the 10 minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)-> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)When the third ACE denies a packet, the adaptive security appliance generates the following system message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)If 20 additional attempts occur within a 5 minute interval (the default), the following message appears at the end of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)Feature History for Access List Logging
Table 18-2 lists the release history for this feature.
Managing Deny Flows
This section includes the following topics:
•
•
•
Information About Managing Deny Flows
When you enable logging for message 106100, if a packet matches an ACE, the adaptive security appliance creates a flow entry to track the number of packets received within a specific interval. The adaptive security appliance has a maximum of 32 K logging flows for ACEs. A large number of flows can exist concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the adaptive security appliance places a limit on the number of concurrent deny flows; the limit is placed on deny flows only (not on permit flows) because they can indicate an attack. When the limit is reached, the adaptive security appliance does not create a new deny flow for logging until the existing flows expire.
For example, if someone initiates a DoS attack, the adaptive security appliance can create a large number of deny flows in a short period of time. Restricting the number of deny flows prevents unlimited consumption of memory and CPU resources.
When you reach the maximum number of deny flows, the adaptive security appliance issues system message 106100:
%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).The access-list alert-interval command sets the time interval for generating the system log message 106001. The system log message 106001 alerts you that the adaptive security appliance has reached a deny flow maximum. When the deny flow maximum is reached, another system log message 106001 is generated if at least six seconds have passed since the last 106001 message was generated.
Licensing Requirements for Managing Deny Flows
The following table shows the licensing requirements for this feature:
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported only in routed and transparent firewall modes.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines and Limitations
The adaptive security appliance places a limit on the number of concurrent deny flows only—not permit flows.
Default Settings
Table 18-1 lists the default settings for managing deny flows.
Managing Deny Flows
To configure the maximum number of deny flows and to set the interval between deny flow alert messages (106100), enter the following command:
To set the amount of time between system messages (number 106101), which identifies that the maximum number of deny flows was reached, enter the following command:
Monitoring Deny Flows
To monitor access lists, enter one of the following commands:
Displays access list entries by number.
Displays the current running access-list configuration.
Feature History for Managing Deny Flows
Table 18-2 lists the release history for this feature.
