16-18
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 16 Identifying Traffic with Access Lists
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
Applying the Time Range to an ACE
To apply the time range to an ACE, use the following command:
hostname(config)# access-list access_list_name [extended] {deny | permit}...[time-range name]
See the “Adding an Extended Access List” section on page 16-5 for complete access-list command syntax.
Note If you also enable logging for the ACE, use the log keyword before the time-range keyword. If you disable the ACE using the inactive keyword, use the inactive keyword as the last keyword.
The following example binds an access list named “Sales” to a time range named “New_York_Minute.”
hostname(config)# access-list Sales line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute
Logging Access List Activity
This section describes how to configure access list logging for extended access lists and Webtype access lists.
This section includes the following topics:
• Access List Logging Overview, page 16-18
• Configuring Logging for an Access Control Entry, page 16-19
• Managing Deny Flows, page 16-20
Access List Logging Overview
By default, when traffic is denied by an extended ACE or a Webtype ACE, the security appliance generates system message 106023 for each denied packet, in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the security appliance is attacked, the number of system messages for denied packets can be very large. We recommend that you instead enable logging using system message 106100, which provides statistics for each ACE and lets you limit the number of system messages produced. Alternatively, you can disable all logging.
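As an added example (not part of the Cisco guide), the following Python parses 106023 messages in the form shown above and aggregates deny counts per access list and source address, which is the kind of per-ACE statistic that 106100 logging gives you on the appliance itself. It assumes the punctuation real appliances emit (a hyphenated "access-group", a quoted acl_id, and a parenthesised "(type N, code N)" for ICMP); the sample log lines are constructed, not captured.

```python
import re
from collections import Counter

# Field layout documented for message 106023. Ports and type/code are optional
# (ICMP has no ports). The guide writes access_group; real output uses a hyphen
# and quotes the ACL name, so both spellings are accepted (assumption).
MSG_106023 = re.compile(
    r"%(?:ASA|PIX)-4-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))? "
    r"(?:\(type (?P<type>\d+), code (?P<code>\d+)\) )?"
    r"by access[-_]group \"?(?P<acl>[^\"\s]+)\"?"
)

def parse_106023(line):
    """Return the denied-packet fields as a dict, or None if not a 106023 line."""
    m = MSG_106023.search(line)
    return m.groupdict() if m else None

def deny_summary(lines):
    """Count denied packets per (acl_id, source address) across a log sample."""
    counts = Counter()
    for line in lines:
        rec = parse_106023(line)
        if rec:
            counts[(rec["acl"], rec["src_ip"])] += 1
    return counts

def noisy_sources(lines, threshold):
    """Sources whose deny count reaches the threshold: the flows that would
    flood syslog with 106023 and are the case for switching to 106100."""
    return sorted(k for k, n in deny_summary(lines).items() if n >= threshold)

# Constructed sample lines (hypothetical addresses from the documentation range).
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src outside:209.165.200.225/1025 dst inside:209.165.201.1/80 by access-group "Sales" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:209.165.200.225/1026 dst inside:209.165.201.1/80 by access-group "Sales" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:209.165.200.225/1027 dst inside:209.165.201.1/443 by access-group "Sales" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:209.165.200.230 dst inside:209.165.201.1 (type 8, code 0) by access-group "Sales" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 5 for outside:209.165.200.240/2000 (209.165.200.240/2000) to inside:209.165.201.5/22',
]

if __name__ == "__main__":
    for key, n in sorted(deny_summary(SAMPLE_LOG).items()):
        print(key, n)
    print("noisy:", noisy_sources(SAMPLE_LOG, threshold=3))
```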
Note Only ACEs in the access list generate logging messages; the implicit deny at the end of the access list does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the access list, as follows.