Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Access Rules
The following example allows only the host at 10.1.1.15 to send ICMP (for example, ping) to the inside interface. Because at least one ICMP rule now exists on that interface, ICMP from every other host to the interface falls through to the default deny:
hostname(config)# icmp permit host 10.1.1.15 inside
The following example shows how to deny ping at the outside interface while permitting all packet-too-big messages (to support path MTU discovery):
hostname(config)# ipv6 icmp deny any echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
Note that the echo-reply keyword matches ICMPv6 Echo Reply (type 129); an incoming ping request is an Echo Request (type 128). The example still blocks pings only because of the default deny: once any ipv6 icmp rule exists on an interface, the ASA drops every ICMPv6 type that is not explicitly permitted, so here nothing but packet-too-big reaches the outside interface. Check the result with a ping from outside and with show running-config ipv6 icmp rather than relying on the rule text.
The following example shows how to permit host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outside
hostname(config)# ipv6 icmp permit 2001::/64 echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
Monitoring Access Rules
To monitor network access, enter the following commands:
• clear access-list id counters
Clears the hit counts for the access list, so that the counts shown afterwards reflect only traffic seen since the clear.
• show access-list [name]
Displays the access lists, including the line number for each ACE and its hit count. Include an ACL name or you will see all access lists.
• show running-config access-group
Displays the ACL currently bound to each interface and in which direction, which tells you which list a given flow is actually evaluated against.
Evaluating Syslog Messages for Access Rules
Use a syslog event viewer, such as the one in ASDM, to view messages related to access rules.
If you use default logging, you see syslog message 106023 for explicitly denied flows only. Traffic that
matches the “implicit deny” entry that ends the rule list is not logged.
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We
recommend that you instead enable logging using syslog message 106100, which provides statistics for
each rule (including permit rules) and enables you to limit the number of syslog messages produced.
Alternatively, you can disable all logging for a given rule.
When you enable logging for message 106100 on a rule (the log keyword on the access-list command, which accepts an optional severity level and an interval in seconds), the ASA creates a flow entry the first time a packet matches the ACE and uses it to count packets received within the logging interval. The ASA generates a syslog message at the first hit and again at the end of each interval, reporting the total number of hits during the interval and the time stamp of the last hit; it then resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry. Because the interval and severity level are set per rule, you can log a sensitive deny rule aggressively while keeping a busy permit rule quiet.
A flow is defined by the source and destination IP addresses, the protocol, and the source and destination ports. Because a new connection between the same two hosts normally uses a different source port, it creates a new flow entry rather than incrementing the existing one, so hits for a single host pair are spread across several 106100 messages. Any tool that counts hits per host pair has to collapse the source port itself.
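The following parser and aggregator is an added example, not code from the Cisco guide. It reads 106023 and 106100 messages in the formats documented for the ASA, sums 106100 hit counts both per flow (source port included) and per host pair (source port dropped), and counts 106023 messages separately because each of those is a single denied packet with no hit-cnt. The log lines are constructed to follow those formats; the hosts, ports, ACL name and hash codes are made up, and severities 4 for 106023 and 6 for 106100 are the ASA defaults. The two 106100 flows from 198.51.100.7 on ports 40211 and 40212 illustrate the source-port behaviour described above.

```python
"""Aggregate Cisco ASA access-rule syslog messages 106023 and 106100.

Added example; it is not code from the Cisco guide. The log lines below are
constructed to follow the documented 106023/106100 formats; hosts, ports, ACL
names and hash codes are made up. Severities 4 (106023) and 6 (106100) are the
ASA defaults.
"""
import re
from collections import defaultdict

# %ASA-4-106023: Deny <proto> src <ifc>:<addr>[/<port>] dst <ifc>:<addr>[/<port>]
#                [(type N, code N)] by access-group "<acl>" [hash, hash]
RE_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+)'
    r' src (?P<sif>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)

# %ASA-6-106100: access-list <acl> permitted|denied|est-allowed <proto>
#                <ifc>/<addr>(<port>) -> <ifc>/<addr>(<port>)
#                hit-cnt N (first hit | N-second interval) [hash, hash]
RE_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+)'
    r' (?P<action>permitted|denied|est-allowed) (?P<proto>\S+)'
    r' (?P<sif>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)'
    r' -> (?P<dif>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)'
    r' hit-cnt (?P<hits>\d+) (?:first hit|(?P<interval>\d+)-second interval)'
)

SAMPLE_LOGS = [  # constructed sample input, not captured from a real ASA
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40211 dst inside:10.1.1.5/22'
    ' by access-group "outside_access_in" [0x8ed66b60, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst inside:10.1.1.5'
    ' (type 8, code 0) by access-group "outside_access_in" [0x8ed66b60, 0x0]',
    '%ASA-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40211)'
    ' -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x8ed66b60, 0x0]',
    '%ASA-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40211)'
    ' -> inside/10.1.1.5(22) hit-cnt 36 300-second interval [0x8ed66b60, 0x0]',
    # same host pair, new source port: the ASA opens a separate flow entry
    '%ASA-6-106100: access-list outside_access_in denied tcp outside/198.51.100.7(40212)'
    ' -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x8ed66b60, 0x0]',
    '%ASA-6-106100: access-list outside_access_in permitted tcp outside/203.0.113.9(51000)'
    ' -> inside/10.1.1.80(443) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]',
    'Jan 10 12:00:00 fw1 : %ASA-6-305011: Built dynamic TCP translation (ignored)',
]


def parse_line(line):
    """Return a normalized event for a 106023 or 106100 message, or None for anything else."""
    m = RE_106023.search(line)
    if m:
        return {"msg": 106023, "acl": m["acl"], "action": "denied",
                "proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]) if m["sport"] else None,   # absent for ICMP
                "dport": int(m["dport"]) if m["dport"] else None,
                "hits": 1, "interval": None}                        # one packet per message
    m = RE_106100.search(line)
    if m:
        return {"msg": 106100, "acl": m["acl"], "action": m["action"],
                "proto": m["proto"].lower(), "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]), "dport": int(m["dport"]),
                "hits": int(m["hits"]),
                "interval": int(m["interval"]) if m["interval"] else 0}  # 0 = "first hit"
    return None


def summarize(lines):
    """Sum 106100 hit counts per flow (source port included) and per host pair
    (source port dropped). 106023 messages carry no hit-cnt, so they are
    counted separately as one denied packet each."""
    per_flow, per_pair, denies_106023 = defaultdict(int), defaultdict(int), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["msg"] == 106023:
            denies_106023 += 1
            continue
        flow = (ev["acl"], ev["action"], ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
        pair = (ev["acl"], ev["action"], ev["proto"], ev["src"], ev["dst"], ev["dport"])
        per_flow[flow] += ev["hits"]   # first-hit and interval counts are simply added
        per_pair[pair] += ev["hits"]
    return dict(per_flow), dict(per_pair), denies_106023


def top_denied(per_pair, n=5):
    """Host pairs with the most denied hits, highest first: the view to start from
    when 106100 volume spikes and you suspect the ASA is being probed."""
    denied = [(k, v) for k, v in per_pair.items() if k[1] == "denied"]
    return sorted(denied, key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows, pairs, n23 = summarize(SAMPLE_LOGS)
    print(f"106023 (per-packet denies): {n23}")
    for key, hits in top_denied(pairs):
        print(f"{hits:6d} denied  {key}")
    print(f"flows seen by 106100: {len(flows)}")
```

On the sample input the two flows from 198.51.100.7 stay separate in the per-flow table (37 and 1 hits) but collapse to 38 in the per-pair table, which is the number you want when asking how hard one host is hitting a rule. The per-pair key keeps the destination port because that distinguishes a scan of one service from a sweep across many; drop it too if you want a pure host-to-host count.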