Feature history for access list logging, Managing deny flows – Cisco ASA 5505 User Manual


20-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 20 Configuring Logging for Access Lists

When the first ACE of outside-acl permits a packet, the ASA generates the following syslog message:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/10.0.0.0(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)

Although 20 additional packets for this connection arrive on the outside interface, the traffic does not
have to be checked against the access list, and the hit count does not increase.

If one or more connections by the same host are initiated within the specified 10-minute interval (and
the source and destination ports remain the same), then the hit count is incremented by 1, and the
following syslog message displays at the end of the 10-minute interval:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/10.0.0.0(12345) -> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)

When the third ACE denies a packet, the ASA generates the following syslog message:

%ASA|PIX-2-106100: access-list outside-acl denied ip outside/10.255.255.255(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)

If 20 additional attempts occur within a 5-minute interval (the default), the following syslog message
appears at the end of 5 minutes:

%ASA|PIX-2-106100: access-list outside-acl denied ip outside/10.255.255.255(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
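The messages above are what a SIEM or log pipeline actually receives, so the useful thing to have beside them is a parser that turns each 106100 line into fields and applies the interval semantics the guide describes (a "first hit" message opens a window, and the interval message that follows reports the count for that whole window). The following Python is an added example, not code from the Cisco guide; the log lines are constructed to mirror the page's four messages (with a real "%ASA-" prefix instead of the guide's "%ASA|PIX" placeholder, a constructed timestamp, and one unrelated 302013 connection message to show that it is ignored), and the per-minute deny threshold is my choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Syslog 106100 as documented in the guide. The manual writes the prefix as
# "%ASA|PIX" to mean either platform, so the pattern accepts both. The arrow
# appears both as "(12345) ->" and "(12345)->" in the examples, hence \s*->\s*.
MSG_106100 = re.compile(
    r"%(?P<platform>ASA|PIX)-(?P<severity>\d)-106100: "
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src_ip>[^(\s]+)\((?P<src_port>\d+)\)\s*->\s*"
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[^(\s]+)\((?P<dst_port>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?P<interval>first hit|\d+-second interval)\)"
)

# Constructed sample log, modelled on the four messages on this page.
SAMPLE_LOG = [
    "Jan 01 2024 10:00:00: %ASA-7-106100: access-list outside-acl permitted tcp "
    "outside/10.0.0.0(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "Jan 01 2024 10:10:00: %ASA-7-106100: access-list outside-acl permitted tcp "
    "outside/10.0.0.0(12345)-> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)",
    "Jan 01 2024 10:00:30: %ASA-2-106100: access-list outside-acl denied ip "
    "outside/10.255.255.255(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)",
    "Jan 01 2024 10:05:30: %ASA-2-106100: access-list outside-acl denied ip "
    "outside/10.255.255.255(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)",
    # Unrelated message (constructed): the parser must skip it, not crash on it.
    "Jan 01 2024 10:00:01: %ASA-6-302013: Built inbound TCP connection 1 for "
    "outside:10.0.0.0/12345 (10.0.0.0/12345) to inside:192.168.1.1/1357 (192.168.1.1/1357)",
]

FlowKey = Tuple[str, str, str, str, int]  # (acl, action, src_ip, dst_ip, dst_port)


@dataclass
class AclHit:
    platform: str
    severity: int
    acl: str
    action: str
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    hits: int
    interval_s: Optional[int]  # None for a "first hit" message

    def key(self) -> FlowKey:
        return (self.acl, self.action, self.src_ip, self.dst_ip, self.dst_port)


def parse_106100(line: str) -> Optional[AclHit]:
    """Return the parsed 106100 message, or None if the line is some other message."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    iv = m.group("interval")
    interval_s = None if iv == "first hit" else int(iv.split("-")[0])
    return AclHit(
        platform=m.group("platform"), severity=int(m.group("severity")),
        acl=m.group("acl"), action=m.group("action"), proto=m.group("proto"),
        src_if=m.group("src_if"), src_ip=m.group("src_ip"), src_port=int(m.group("src_port")),
        dst_if=m.group("dst_if"), dst_ip=m.group("dst_ip"), dst_port=int(m.group("dst_port")),
        hits=int(m.group("hits")), interval_s=interval_s,
    )


def latest_hit_counts(lines: List[str]) -> Dict[FlowKey, int]:
    """Latest hit count per flow. Per the guide, the interval message's hit-cnt
    covers the whole window including the first hit, so it replaces (rather
    than adds to) the count from the "first hit" message."""
    counts: Dict[FlowKey, int] = {}
    for line in lines:
        hit = parse_106100(line)
        if hit is not None:
            counts[hit.key()] = hit.hits
    return counts


def flag_deny_flows(lines: List[str], max_per_minute: float = 4.0) -> List[Tuple[str, str, int, float]]:
    """Denied flows whose rate over the reported interval exceeds max_per_minute.
    Only interval messages carry a duration, so "first hit" messages are skipped."""
    flagged = []
    for line in lines:
        hit = parse_106100(line)
        if hit is None or hit.action != "denied" or hit.interval_s is None:
            continue
        per_min = hit.hits * 60.0 / hit.interval_s
        if per_min > max_per_minute:
            flagged.append((hit.src_ip, hit.dst_ip, hit.dst_port, round(per_min, 2)))
    return flagged


if __name__ == "__main__":
    for k, v in latest_hit_counts(SAMPLE_LOG).items():
        print(k, "->", v)
    print("noisy deny flows:", flag_deny_flows(SAMPLE_LOG))
```

On the sample log the denied flow reports 21 hits over a 300-second interval (4.2 per minute), so it is the only flow flagged at the 4-per-minute threshold; the permitted flow's 2 hits over 600 seconds is far below it. Because the ASA only emits one 106100 message per flow per interval, a rate derived from hit-cnt and the interval length is a more honest measure of deny activity than counting syslog lines.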

Feature History for Access List Logging

Table 20-2 lists each feature change and the platform release in which it was implemented.

Table 20-2    Feature History for Access List Logging

Feature Name          Releases    Feature Information
Access list logging   7.0(1)      You can enable logging using syslog message 106100, which provides statistics for each ACE and lets you limit the number of syslog messages produced.
                                  We introduced the following command: access-list.
ACL Timestamp         8.3(1)      The ASA reports the timestamp for the last access rule hit.

Managing Deny Flows

This section includes the following topics:

Information About Managing Deny Flows, page 20-6

Licensing Requirements for Managing Deny Flows, page 20-6

Guidelines and Limitations, page 20-6

Managing Deny Flows, page 20-7

Monitoring Deny Flows, page 20-7

Feature History for Managing Deny Flows, page 20-8