Interfacing a Cisco ASA with SUSE Linux

1. ASA configuration

logging enable
logging timestamp
logging list gianrico level notifications class auth
logging list gianrico level notifications class ip
logging list gianrico level notifications class vpdn
logging list gianrico level notifications class vpn
logging trap gianrico
logging asdm informational
logging facility 23
logging queue 0
logging host inside 10.10.2.203
logging permit-hostdown
mtu inside 1500


clock timezone GMT +1
ntp server 192.168.30.50

2. SUSE configuration

2.1 Edit the syslog-ng.conf.in file

server:/var/log # cd /etc/syslog-ng/
server:/etc/syslog-ng # ls
syslog-ng.conf syslog-ng.conf.in

#
# uncomment to process log messages from network:
#
udp(ip("0.0.0.0") port(514));
...
#
# Filter definitions
#
filter f_cisco {facility(local7);};
...
destination ciscoasa { file("/var/log/ciscoasa");};
log { source(src); filter(f_cisco); destination(ciscoasa);};
...
2.2 Regenerate the syslog configuration files and restart the service

SuSEconfig --module syslog-ng
service syslog restart

2.3 Check that the ciscoasa file is being populated

3. Troubleshooting

On the Cisco ASA the facility is configured as a number. The mapping to the Linux syslog facility is given by the following table.

ASA / PIX facility    Syslog facility
16                    LOCAL0
17                    LOCAL1
18                    LOCAL2
19                    LOCAL3
20                    LOCAL4
21                    LOCAL5
22                    LOCAL6
23                    LOCAL7

By default the ASA uses 20 (LOCAL4).


If a firewall is running on the SUSE host it may block the ASA from reaching the syslog port:

    /sbin/SuSEfirewall2 stop

logging trap informational <-- at a lower level the access notifications do not show up
Here, the severity level is set to level (0 to 7): emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7). The higher the level, the more messages (and types of messages) that are generated.


ccmc-asa# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is cd32fba7.d91441e1 (18:21:43.847 GMT Tue Feb 3 2009)
clock offset is 18.7467 msec, root delay is 0.20 msec
root dispersion is 7914.43 msec, peer dispersion is 7893.16 msec

PIX 7.x provides these predefined classes of logging messages:

Use the "logging list" command to send only the desired messages to the syslog server.


Example of an access from a VPN client

Feb 3 18:59:20 10.10.2.1 %ASA-5-713130: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Received unsupported transaction mode attribute: 5
Feb 3 18:59:20 10.10.2.1 %ASA-3-713119: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, PHASE 1 COMPLETED
Feb 3 18:59:20 10.10.2.1 %ASA-5-713075: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
Feb 3 18:59:20 10.10.2.1 %ASA-5-713049: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Security negotiation complete for User (USERNAME) Responder, Inbound SPI = 0x880c99f2, Outbound SPI = 0xb55c46c6
Feb 3 18:59:20 10.10.2.1 %ASA-5-713120: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, PHASE 2 COMPLETED (msgid=585b139b)


Feb 3 18:59:31 10.10.2.1 %ASA-5-713050: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Connection terminated for peer USERNAME. Reason: Peer Terminate Remote Proxy 192.168.55.10, Local Proxy 0.0.0.0
Feb 3 18:59:31 10.10.2.1 %ASA-4-113019: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:30s, Bytes xmt: 0, Bytes rcv: 3027, Reason: User Requested
Feb 3 18:59:31 10.10.2.1 %ASA-5-713904: IP = 88.88.88.88, Received encrypted packet with no matching SA, dropping
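As an added example (not part of the original page) tying the troubleshooting notes to the VPN log lines above, the following Python parses the "%ASA-<severity>-<msgid>" format, maps the numeric "logging facility" value to the syslog-ng LOCALn name, and shows which messages survive a given "logging trap" level; the sample lines are constructed copies of the ones shown above, and all function names are this example's own.

```python
import re

# Constructed sample lines, modelled on the ASA messages shown above.
SAMPLE_LOGS = """\
Feb 3 18:59:20 10.10.2.1 %ASA-5-713130: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Received unsupported transaction mode attribute: 5
Feb 3 18:59:20 10.10.2.1 %ASA-3-713119: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, PHASE 1 COMPLETED
Feb 3 18:59:31 10.10.2.1 %ASA-4-113019: Group = USERNAME, Username = USERNAME2, IP = 88.88.88.88, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:30s, Bytes xmt: 0, Bytes rcv: 3027, Reason: User Requested
Feb 3 18:59:31 10.10.2.1 %ASA-5-713904: IP = 88.88.88.88, Received encrypted packet with no matching SA, dropping
"""

# Severity numbers used in "%ASA-<sev>-<msgid>" and in "logging trap <level>".
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# syslog timestamp and relay host, then the ASA header and the free-text body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$")
# "Key = value" / "Key: value" fields that the VPN messages carry in the body.
KV_RE = re.compile(r"\b(Group|Username|IP|Reason)[ :=]+([^,]+)")


def asa_facility_to_syslog(facility):
    """Map 'logging facility N' (16..23) to the syslog-ng facility name."""
    if not 16 <= facility <= 23:
        raise ValueError(f"ASA facility must be 16..23, got {facility}")
    return f"local{facility - 16}"


def parse_line(line):
    """Return a dict for one ASA syslog line, or None if it is not ASA format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"host": m["host"], "severity": int(m["sev"]),
           "severity_name": SEVERITY_NAMES[int(m["sev"])],
           "msgid": m["msgid"], "body": m["body"]}
    for key, value in KV_RE.findall(m["body"]):
        rec[key.lower()] = value.strip()
    return rec


def forwarded_at_trap_level(text, trap_level):
    """Messages the ASA sends for 'logging trap <level>': severity <= level."""
    records = (parse_line(l) for l in text.splitlines())
    return [r for r in records if r is not None and r["severity"] <= trap_level]
```

Running forwarded_at_trap_level(SAMPLE_LOGS, 4) keeps only the level 3 and 4 lines, which is why a trap level below "notifications" hides the VPN session messages.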