ASA ACL Logging

As any network administrator will tell you, the ASA Security appliance (as well as its forerunner, the PIX) are capable of generating massive amounts of log messages, especially when the firewall/security appliance is set to log messages at debug level to the syslog server.  This post will focus on one such source of a high volume of log messages, access lists, or access control lists (ACLs).

The Cisco ASA security appliance and PIX firewall differ from the Cisco IOS router in two key areas when it comes to logging of ACL entries.  First, the router requires the use of a log keyword at the end of the access-list line; second, the router will send messages no more frequently than once every five minutes per such a designated line.  In marked contrast, the ASA and PIX will send log message 106023 for EVERY match of every explicit line at informational severity level.

A demonstration of this behavior can be seen below where a simple one-line access-list entry was created in ASDM merely to permit http access, and an attempt to telnet to this same IP address was made.  For illustrative purposes only, the console logging level was set to debug; this message was generated from the implicit “deny ip any any”:

%ASA-4-106023: Deny tcp src outside:192.168.1.2/1100 dst dmz:172.16.1.15/23 by access-group "outside_access_in" [0x0, 0x0]

Note that the Logging Level here is set to “Default” and if the “More Options” double down arrow is clicked; the “Logging Interval” field is grayed out.  A simple change of the Logging Level to Informational results in the screen below:

As the above illustrates, the default value of 300 seconds (5 minutes) is active between successive logging of “hits” to the access-list entry the moment any other keyword selec-tion is chosen from the drop-down menu other than Default.  This, of course, has no impact on the behavior of the logging of the implicit “deny ip any any” rule as shown below when a simple telnet is again attempted:

%ASA-4-106023: Deny tcp src outside:192.168.1.2/1138
dst dmz:172.16.1.15/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.168.1.2/1138
dst dmz:172.16.1.15/23 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:192.168.1.2/1138
dst dmz:172.16.1.15/23 by access-group "outside_access_in" [0x0, 0x0]

As the  ASDM screenshot below indicates, the implicit rule cannot be edited; consequently a duplicate explicit rule must be created and adjusted for logging:

The result of the added line is shown below; only one entry results from the three successive telnet attempts.  The syslog message ID is now 106100 instead of 106023; consequently the logging of this message could be disabled through the no logging message 106023 privileged mode CLI command.  In this manner only the explicitly marked ACEs (Access Control Entries) of interest would be logged.

%ASA-6-106100: access-list outside_access_in denied tcp outside
/192.168.1.2(1145) -> dmz/172.16.1.15(23) hit-cnt 1 first hit [0x2c1c6a65, 0x0]

Author: Doug McKillip

References:
PIX/ASA 7.x and later with Syslog Configuration Example