Cisco ASA – Using ‘logging’ to see what ports are being blocked

KB ID 0000702 

Problem

If you look after a firewall, sooner or later something will fail, and the blame (rightly or wrongly) will be leveled at the firewall. I came back from holiday this week to find a client had a problem with secure POP email. The problem had been fixed (temporarily) by dropping the affected users into a group and opening all ports. As this had fixed the problem, it’s fair to say that the ASA was the root cause.

So I was asked to take a look and open the correct ports and lock the firewall back down again.

Solution

Step 1 – Setting up logging on the ASA

I’m going to do some real time testing, so the internal buffer on the ASA will hold enough logs for me. If you have an intermittent problem you might want to set up an external syslog server instead. I’m going to set the log buffer size and the logging level (7 = debugging, the most verbose), and finally turn logging on.

[box]User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: *******
PetesASA# conf t
PetesASA(config)# logg buffer-size 4096
PetesASA(config)# logg buffered 7
PetesASA(config)# logg on[/box]

Step 2 – Attempt communication

At this point I got the client to attempt connection to the secure POP server, then had a look at the logs. I could view the whole log with ‘show logg’, but I filtered it down just to include traffic to and from this client (192.168.1.2).

Note: The ports being used are the destination ports, i.e. the number after the ‘dst’ address in each line (995 and 25 below). YES, I know that these are the ports required for secure POP, but your application could be using anything!

[box]PetesASA(config)# show logg | inc 192.168.1.2

%ASA-4-106023: Deny tcp src inside:192.168.1.2/49279 dst outside:123.123.123.1231/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49280 dst outside:123.123.123.1231/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49281 dst outside:123.123.123.1231/25 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49282 dst outside:123.123.123.1231/25 by access-group "outbound" [0x911f757b, 0x0][/box]

Step 3 – Open the Ports required

There are a few ways of doing this. I just created some object groups (one for the ports, one for the hosts); then if any other hosts need secure POP, I can simply add them to the host object group without touching the access list.

[box]PetesASA(config)# object-group service SPOP-Ports tcp
PetesASA(config-service)# port-object eq 995
PetesASA(config-service)# port-object eq 25
PetesASA(config-service)# object-group network SPOP-Hosts
PetesASA(config-network)# network-object host 192.168.1.2
PetesASA(config-network)# exit
PetesASA(config)# access-list outbound extended permit tcp object-group SPOP-Hosts any object-group SPOP-Ports
PetesASA(config)# access-group outbound in interface inside[/box]

WARNING: This assumes you DON’T already have an outbound traffic access list. If you DO, replace the word ‘outbound’ with the name of yours. Also remember that as soon as you apply an access list like this, all traffic it does not explicitly permit gets blocked (the implicit deny at the end)!
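Reading four deny lines by eye is fine; when the buffer or a syslog server holds thousands, this added Python example (not part of the original article) parses the same %ASA-4-106023 message format, counts denied destination ports per source host and renders the object-group from Step 3. The sample log lines are constructed, the destination address is a placeholder, and the ICMP handling goes slightly beyond the TCP-only output shown above.

```python
import re
from collections import Counter

# ASA 106023: 'Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [...]'.
# Ports are optional so ICMP denies, which carry "(type N, code M)" instead of ports, also match.
DENY_106023 = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r'(?:\([^)]*\) )?by access-group "(?P<acl>[^"]+)"'
)

def parse_denies(lines):
    """Yield the captured fields of every 106023 line; other messages are skipped."""
    for line in lines:
        m = DENY_106023.search(line)
        if m:
            yield m.groupdict()

def denied_by_host(lines, src_ip):
    """Count denies from src_ip keyed on (proto, dst_ip, dst_port): the programmatic
    'show logg | inc <src_ip>', but grouped on the port the permit rule needs."""
    counts = Counter()
    for d in parse_denies(lines):
        if d["src_ip"] == src_ip:
            port = int(d["dst_port"]) if d["dst_port"] else None  # None for ICMP
            counts[(d["proto"], d["dst_ip"], port)] += 1
    return counts

def port_object_group(counts, group_name, proto="tcp"):
    """Render the object-group service lines for the distinct ports seen."""
    ports = sorted({p for (pr, _, p) in counts if pr == proto and p is not None})
    return [f"object-group service {group_name} {proto}"] + [f" port-object eq {p}" for p in ports]

# Constructed sample buffer in the shape of the article's output; the destination
# address is a documentation-range placeholder, not a real host.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49279 dst outside:203.0.113.10/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.1.2/49285 (198.51.100.1/49285)
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49280 dst outside:203.0.113.10/995 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.2/49281 dst outside:203.0.113.10/25 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.7/51000 dst outside:203.0.113.20/443 by access-group "outbound" [0x911f757b, 0x0]
%ASA-4-106023: Deny icmp src inside:192.168.1.2 dst outside:203.0.113.10 (type 8, code 0) by access-group "outbound" [0x911f757b, 0x0]
""".splitlines()

if __name__ == "__main__":
    hits = denied_by_host(SAMPLE_LOG, "192.168.1.2")
    print(dict(hits), *port_object_group(hits, "SPOP-Ports"), sep="\n")
```

Feed it the output of ‘show logg’ or a syslog file instead of SAMPLE_LOG; the 302013 connection line shows that non-deny messages are ignored.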

Step 4 – Disable Logging

Simply prefix your earlier command with the word ‘no’.

[box]PetesASA(config)# no logg on[/box]

Related Articles, References, Credits, or External Links

NA