1-5
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Logging for Access Lists
Managing Deny Flows
When the first ACE of outside-acl permits a packet, the ASA generates the following syslog message:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)
Although 20 additional packets for this connection arrive on the outside interface, the traffic does not
have to be checked against the access list, and the hit count does not increase.
If one or more connections by the same host are initiated within the specified 10-minute interval (and
the source and destination ports remain the same), then the hit count is incremented by 1, and the
following syslog message displays at the end of the 10-minute interval:
%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)->
inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)
When the third ACE denies a packet, the ASA generates the following syslog message:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) ->
inside/192.168.1.1(1357) hit-cnt 1 (first hit)
If 20 additional attempts occur within a 5-minute interval (the default), the following syslog message
appears at the end of 5 minutes:
%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) ->
inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
Feature History for Access List Logging
Table 1-2 lists the release history for this feature.
Managing Deny Flows
This section includes the following topics:
• Information About Managing Deny Flows, page 1-6
• Licensing Requirements for Managing Deny Flows, page 1-6
• Guidelines and Limitations, page 1-6
• Managing Deny Flows, page 1-7
• Monitoring Deny Flows, page 1-7
• Feature History for Managing Deny Flows, page 1-8
Table 1-2 Feature History for Access List Logging
Feature Name Releases Feature Information
Access list logging 7.0(1) You can enable logging using syslog message 106100,
which provides statistics for each ACE and lets you limit the
number of syslog messages produced.
We introduced the following command: access-list.
ACL Timestamp 8.3(1) The ASA reports the timestamp for the last access rule hit.
To Next Page
Loading...
Need help?
General
