Filter
Top Products
CHAPTER
20-1
Cisco ASA 5500 Series Configuration Guide using the CLI
20
Configuring Logging for Access Lists
This chapter describes how to configure access list logging for extended access lists and Webytpe access
lists, and it describes how to manage deny flows.
This chapter includes the following sections:
• Configuring Logging for Access Lists, page 20-1
• Managing Deny Flows, page 20-5
Configuring Logging for Access Lists
This section includes the following topics:
• Information About Logging Access List Activity, page 20-1
• Licensing Requirements for Access List Logging, page 20-2
• Guidelines and Limitations, page 20-2
• Default Settings, page 20-3
• Configuring Access List Logging, page 20-3
• Monitoring Access Lists, page 20-4
• Configuration Examples for Access List Logging, page 20-4
• Feature History for Access List Logging, page 20-5
Information About Logging Access List Activity
By default, when traffic is denied by an extended ACE or a Webtype ACE, the ASA generates syslog
message 106023 for each denied packet in the following form:
%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst
interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We
recommend that you instead enable logging using syslog message 106100, which provides statistics for
each ACE and enables you to limit the number of syslog messages produced. Alternatively, you can
disable all logging.