ASA Firewall Behavior and Logging

I had a very interesting experience today with my Check ASA 5506X. I have been working on migrating about 15 virtual severs I run to a new sever VLAN to include my Graylog logging sever which actively collected all my syslogs across the network. I had chosen a new IP address and updated the server with new IP address. Soon after doing so I noticed that I had lost Internet connectivity.

I had┬áchecked DNS and my routing and everything checked out. After some hair-pulling I jumped into my ASA and began poking around. I knew I hadn’t changed anything on the fw but decided to run a packet-tracer check to see what the results of a normal flow out of my ASA into the Internet would result in. It failed. Correlating my recent activities to my current issue the only common denominator was the syslog server in which my ASA was configured to use. I decided to remove the logging configuration and low and behold my Internet returned. I consulted Cisco’s latest guidance and found that this is expected behavior be default if a connection to a logging source becomes broken.

The recommended approach going forward would be to remove the logging config before change IP addresses on yoru log server OR to add the configuration the would prevent this action on the ASA. This is a natural security concern as any malicious intruder would look to erase any tracks of his/her misgivings and in doing so would kill their intrusion into your organizations fw. I opted to disable this security mechanism and contend with the fail-open regarding logging.

Environment:

Cisco ASA 5506X running 9.8(1)

Steps:

(config)# logging permit-hostdown

Leave a Reply

Your email address will not be published. Required fields are marked *