Monitoring access lists, Configuration examples for access list logging – Cisco ASA 5505 User Manual

Page 428


20-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 20 Configuring Logging for Access Lists

Configuring Logging for Access Lists

To configure logging for an ACE, enter the following command:

Command:
  access-list access_list_name [extended] {deny | permit}...[log [[level] [interval secs] | disable | default]]

  Example:
  hostname(config)# access-list outside-acl permit ip host 10.0.0.0 any log 7 interval 600

Purpose:
  Configures logging for an ACE.

  The access-list access_list_name syntax specifies the access list for which you want to configure logging.

  The extended option adds an ACE.

  The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. (See the command documentation for each feature that uses an access list for more information.)

  The permit keyword permits a packet if the conditions are matched.

  If you enter the log option without any arguments, you enable syslog message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:

  level—A severity level between 0 and 7. The default is 6.

  interval secs—The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.

  disable—Disables all access list logging.

  default—Enables logging to message 106023. This setting is the same as having no log option.

  (See the access-list command in the Cisco Security Appliance Command Reference for more information about command options.)

Monitoring Access Lists

To monitor access lists, enter one of the following commands:

Command:
  show access-list
Purpose:
  Displays the access list entries by number.

Command:
  show running-config access-list
Purpose:
  Displays the current running access list configuration.

Configuration Examples for Access List Logging

This section includes sample configurations for logging access lists.

You might configure the following access list:

hostname(config)# access-list outside-acl permit ip host 10.10.0.0 any log 7 interval 600
hostname(config)# access-list outside-acl permit ip host 10.255.255.255 any
hostname(config)# access-list outside-acl deny ip any any log 2
hostname(config)# access-group outside-acl in interface outside
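The log option rules in the command table above (bare log = message 106100 at level 6 every 300 seconds; log default or no log option = message 106023 for denied packets; log disable = nothing) can be checked offline against a saved configuration. The following audit script is an added example, not code from the Cisco guide; it parses the page's sample access list plus three constructed ACEs, reports each ACE's effective syslog message, level and interval, and lists deny ACEs that would never produce a syslog.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the page's three ACEs plus three hypothetical ones.
SAMPLE_CONFIG = """\
access-list outside-acl permit ip host 10.10.0.0 any log 7 interval 600
access-list outside-acl permit ip host 10.255.255.255 any
access-list outside-acl deny ip any any log 2
access-list outside-acl permit tcp any host 10.1.1.1 eq 443 log
access-list outside-acl deny udp any any log disable
access-list outside-acl deny icmp any any log default
access-group outside-acl in interface outside
"""
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\b")
LOG_RE = re.compile(r"\s+log(?:\s+(?P<rest>.*?))?\s*$")

@dataclass
class AceLogging:
    acl: str
    action: str
    message: Optional[int]   # 106100, 106023, or None when nothing is logged
    level: Optional[int]     # severity 0-7 (message 106100 only)
    interval: Optional[int]  # seconds between messages; also the flow timeout

def parse_ace(line: str) -> Optional[AceLogging]:
    """Effective logging behaviour of one access-list line (None if not an ACE)."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action = m.groups()
    lm = LOG_RE.search(line)
    rest = (lm.group("rest") or "").split() if lm else None
    if rest is None or rest == ["default"]:
        # No log option or "log default": only denied packets are logged (106023).
        return AceLogging(acl, action, 106023 if action == "deny" else None, None, None)
    if rest == ["disable"]:
        return AceLogging(acl, action, None, None, None)
    level, interval = 6, 300            # defaults documented on this page
    if rest and rest[0].isdigit():
        level, rest = int(rest[0]), rest[1:]
    if len(rest) == 2 and rest[0] == "interval" and rest[1].isdigit():
        interval = int(rest[1])
    if not (0 <= level <= 7 and 1 <= interval <= 600):
        raise ValueError(f"log option out of range: {line.strip()!r}")
    return AceLogging(acl, action, 106100, level, interval)

def unlogged_denies(config: str) -> list:
    """Deny ACEs that produce no syslog at all, i.e. blind spots for detection."""
    return [a for a in map(parse_ace, config.splitlines()) if a and a.action == "deny" and a.message is None]
```

Run unlogged_denies(SAMPLE_CONFIG) to see that only the "log disable" deny ACE is flagged; the "log default" deny still reports via message 106023.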
