Cisco ASA – Using ‘logging’ to see what ports are being blocked


KB ID 0000702 Dtd 30/10/12


If you look after a firewall, sooner or later something will fail, and the blame (rightly or wrongly) will be leveled at the firewall. I came back from holiday this week to find a client had a problem with secure POP email. The problem had been fixed (temporarily) by dropping the affected users into a group and opening all ports. As that had fixed the problem, it's fair to say that the ASA was the root cause.

So I was asked to take a look and open the correct ports and lock the firewall back down again.


Step 1 - Setting up logging on the ASA

I'm going to do some real-time testing, so the internal buffer on the ASA will hold enough logs for me; if you have an intermittent problem you might want to set up an external syslog server. I'm going to set the log buffer size and the logging level (7 is debugging, the most verbose), and finally turn logging on.

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: *******
PetesASA# conf t
PetesASA(config)# logg buffer-size 4096
PetesASA(config)# logg buffered 7
PetesASA(config)# logg on

Step 2 - Attempt communication

At this point I got the client to attempt connection to the secure POP server, then had a look at the logs. I could view the whole log with 'show logg', but I filtered it down just to include traffic to and from this client (

Note: The ports being used are highlighted in red (YES, I know that these are the ports required for secure POP, but your application could be using anything!)

PetesASA(config)# show logg | inc
%ASA-4-106023: Deny tcp src inside: dst outside: by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside: dst outside: by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside: dst outside: by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside: dst outside: by access-group "outbound" [0x911f757b, 0x0]

Step 3 - Open the Ports required

There are a few ways of doing this. I just created some object groups, so if any other hosts need secure POP, I can simply add them to the host object group rather than writing another access list entry.

PetesASA(config)# object-group service SPOP-Ports tcp
PetesASA(config-service)# port-object eq 995
PetesASA(config-service)# port-object eq 25
PetesASA(config-service)# object-group network SPOP-Hosts
PetesASA(config-network)# network-object host
PetesASA(config-network)# exit
PetesASA(config)# access-list outbound extended permit tcp object-group SPOP-Hosts any object-group SPOP-Ports
PetesASA(config)# access-group outbound in interface inside

WARNING: This assumes you DON'T already have an outbound traffic access list applied to the inside interface. If you DO, replace the word 'outbound' with the name of yours. Also remember that as soon as you apply an access list like this, everything it does not explicitly permit is dropped by the implicit deny at the end of the list!
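As an added example (not part of the original article), the following Python does Steps 2 and 3 mechanically: it parses the %ASA-4-106023 deny entries for one inside host out of a log buffer and renders the object-group and access-list lines you would otherwise type by hand. The log lines and addresses are constructed (documentation ranges), and the group and ACL names are parameters; SPOP-Hosts, SPOP-Ports and outbound simply mirror the article.

```python
import re
from collections import Counter

# ASA message 106023: packet denied by an access-group (the message the article greps for).
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>tcp|udp) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample buffer; addresses are RFC 5737 documentation ranges, not from the article.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.50/52011 dst outside:203.0.113.20/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/52012 dst outside:203.0.113.20/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/52013 dst outside:203.0.113.20/25 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.77/41000 dst outside:198.51.100.9/443 by access-group "outbound" [0x911f757b, 0x0]
%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.9/80 to inside:192.168.1.50/52014 duration 0:00:01 bytes 512 TCP FINs
"""


def blocked_ports(log_text, src_host):
    """Count denied (protocol, destination port) pairs for one inside host.
    This is the 'show logg | inc <host>' step, with the ports pulled out for you."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group("src") == src_host:
            counts[(m.group("proto"), int(m.group("dport")))] += 1
    return counts


def render_config(src_host, counts, host_group, port_group, acl_name):
    """Render the object-group and access-list lines for the TCP ports found.
    Group and ACL names are hypothetical parameters; only tcp is handled here."""
    tcp_ports = sorted(p for (proto, p) in counts if proto == "tcp")
    lines = [f"object-group service {port_group} tcp"]
    lines += [f" port-object eq {p}" for p in tcp_ports]
    lines += [f"object-group network {host_group}",
              f" network-object host {src_host}",
              f"access-list {acl_name} extended permit tcp "
              f"object-group {host_group} any object-group {port_group}"]
    return lines


if __name__ == "__main__":
    found = blocked_ports(SAMPLE_LOG, "192.168.1.50")
    print("\n".join(render_config("192.168.1.50", found, "SPOP-Hosts", "SPOP-Ports", "outbound")))
```

Review the rendered lines before pasting them in; the script opens whatever was denied, and a deny you actually wanted should stay a deny.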

Step 4 - Disable Logging

Simply prefix your earlier command with the word 'no'.

PetesASA(config)# no logg on

Author: Migrated