Cisco ASA Series User Manual

Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Logging for Access Lists
Managing Deny Flows
When the first ACE of outside-acl permits a packet, the ASA generates the following syslog message:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)

Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the access list, and the hit count does not increase.

If one or more connections by the same host are initiated within the specified 10-minute interval (and the source and destination ports remain the same), then the hit count is incremented by 1, and the following syslog message displays at the end of the 10-minute interval:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)

When the third ACE denies a packet, the ASA generates the following syslog message:

%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)

If 20 additional attempts occur within a 5-minute interval (the default), the following syslog message appears at the end of 5 minutes:

%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
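
The following is an added example, not part of the Cisco guide: a parser for message 106100 that totals hits per flow for log review. It assumes, as the two examples above show (1 then 2, 1 then 21), that an interval report's hit-cnt already includes the packet reported as "first hit", so the two values must not be added together. The names parse_106100 and flow_totals and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Accepts the manual's "%ASA|PIX-" notation and the "%ASA-" / "%PIX-" prefix a device sends.
MSG_106100 = re.compile(
    r"%(?:ASA\|PIX|ASA|PIX)-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\)\s*->\s*"
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?:(?P<first>first hit)|(?P<secs>\d+)-second interval)\)"
)
FLOW_KEY = ("acl", "action", "proto", "src_ip", "src_port", "dst_ip", "dst_port")

# Constructed sample input: the page's four messages plus two extra lines.
SAMPLE = [
    "%ASA-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%ASA-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "%ASA-6-302013: unrelated message (constructed, must be ignored)",
    "%ASA-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)",
    "%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)-> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)",
    "%ASA-2-106100: access-list outside-acl denied ip outside/203.0.113.9(40000) -> inside/192.168.1.1(22) hit-cnt 1 (first hit)",
]

def parse_106100(line):
    """Return the fields of a 106100 message as a dict, or None for any other line."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["hits"] = int(rec["hits"])
    rec["first"] = rec["first"] is not None
    return rec

def flow_totals(lines):
    """Total hits per flow without counting a first hit twice."""
    totals, pending = defaultdict(int), set()
    for rec in filter(None, map(parse_106100, lines)):
        key = tuple(rec[k] for k in FLOW_KEY)
        if rec["first"]:
            if key in pending:        # earlier first hit never got an interval report
                totals[key] += 1
            pending.add(key)
        else:
            totals[key] += rec["hits"]  # interval count already covers the first hit
            pending.discard(key)
    for key in pending:               # first hit seen, interval report not yet logged
        totals[key] += 1
    return dict(totals)
```

Sorting the result by count for the denied entries gives a quick view of which sources are hitting a deny ACE most often.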
Feature History for Access List Logging
Table 1-2 lists the release history for this feature.

Table 1-2 Feature History for Access List Logging

| Feature Name | Releases | Feature Information |
| --- | --- | --- |
| Access list logging | 7.0(1) | You can enable logging using syslog message 106100, which provides statistics for each ACE and lets you limit the number of syslog messages produced. We introduced the following command: access-list. |
| ACL Timestamp | 8.3(1) | The ASA reports the timestamp for the last access rule hit. |

Managing Deny Flows
This section includes the following topics:
• Information About Managing Deny Flows, page 1-6
• Licensing Requirements for Managing Deny Flows, page 1-6
• Guidelines and Limitations, page 1-6
• Managing Deny Flows, page 1-7
• Monitoring Deny Flows, page 1-7
• Feature History for Managing Deny Flows, page 1-8
