
At this point you have a very simple configuration on the ASA. The inside, outside and dmz interfaces have been configured and sessions are allowed from the inside interface to the less secure dmz and outside interfaces without the use of NAT. Also, NTP and Syslog have been configured. The NTP functionality was verified when it was configured. In this section of the lab you will verify inside to dmz connectivity and you will verify Syslog services.

L2-9 © Global Knowledge Training LLC

14. Use the pre-defined PHP-Kiwi link to connect to the PHP-Kiwi service running on the Security Server. When challenged for authentication use admin and admin$Pwd for credentials.

Note Kiwi produces a very respected syslog server for Windows systems. There is a freely distributable version and a licensed version. The licensed version is required to integrate Kiwi with relational database systems. The Security Server is running the licensed Kiwi Syslog server and it is integrated with the freely distributable MySQL and PHP-Kiwi packages. These allow web based access to the Kiwi Syslog database.

14.1. PHP-Kiwi is configured to auto-refresh the display once every 60 seconds. The auto-refresh can be toggled on and off in the PHP-Kiwi interface. A manual refresh can also be completed at any time using the browser's refresh button. Wait one minute for the refresh cycle to complete; there should be several severity 6 and severity 7 messages displayed. Investigate the Syslog messages:

• You should see several 72500x messages associated with SSL negotiations.

• You should see some 605005 messages indicating login of the user admin via https.

• You should see some 111009 messages indicating that the user admin executed the command show access-list brief.

Note While ASDM is running, whether or not a person is actively using it, it handshakes with the ASA approximately every 30 seconds. These messages are associated with this behavior.

• There are likely to be other messages besides those specified above.

15. Test inside to dmz connectivity and verify TCP connection auditing. You will establish an SSH connection from the Admin PC to the DMZ Server and then quickly refresh the Syslog display. The connection should be successful and it should be recorded with a Syslog message. You will then exit the SSH session and again quickly refresh the Syslog display. You should see the connection termination is also recorded with a Syslog message.

15.1. On the Admin PC, launch PuTTY.

15.2. In PuTTY, double click on the DMZ Server entry. Log in to the DMZ Server as

15.3. In the PHP-Kiwi interface, perform a manual refresh of the browser. You should see a message similar to the following:

%ASA-6-302013: Built outbound TCP connection 242 for dmz:172.16.1.15/22 (172.16.1.15/22) to inside:10.10.10.10/19587 (10.10.10.10/19587)

Note This syslog message indicates a new TCP connection. The real and translated addresses and ports are indicated (they happen to be the same in this case because NAT is not in use). Note, TCP port 22 is normally used for SSH.

15.4. In PuTTY, enter the exit command to terminate the SSH session and quickly execute the next step.

15.5. Again, in the PHP-Kiwi interface, perform a manual refresh of the browser. You should see a message similar to the following:

%ASA-6-302014: Teardown TCP connection 242 for dmz:172.16.1.15/22 to inside:10.10.10.10/19587 duration 0:05:31 bytes 3324 TCP FINs

Note As soon as the TCP FIN exchange completes, the ASA knows the TCP connection is terminated. It records the fact with a Syslog message and immediately removes the connection from its state table.

Note The TCP connection number specified in this message matches the connection number specified in the previously highlighted message.

16. Finding particular Syslog messages of interest can be quite tedious, especially when examining severity 6 and 7 messages from Cisco security appliances! Most Syslog servers have at least some filtering capabilities to help you find what you are looking for.

Demonstrate this with PHP-Kiwi:

16.1. In PHP-Kiwi, click Filter.

16.1.1. Under Filter Lists, click Add Filter. Filter (1) should now be added to the list.

16.1.2. At the bottom of the page, define the Message Filter section as follows:

• Select Include list.

• Enter 302013 and 302014 on separate lines in the Message Filter box.

16.1.3.Click Save.

16.3. Change the Applied Filter to Filter (1).

Note Now the display should be much less busy. The only messages displayed are for TCP connection initiation and termination.

Note There will be more than just the messages associated with the SSH connection that you just demonstrated. There should be pairs of messages spaced approximately 30 seconds apart associated with the SSL connections made by ASDM to the ASA itself.

17. While some organizations are required to audit all network sessions leaving their networks, we don’t need to be at this level in the lab environment. Modify the Syslog configuration so only severity 4 Syslog messages (Warnings) and above are sent to the Syslog server.

17.1. Return to ASDM. You should still be under Configuration > Device Management > Logging.

17.2. Select Logging Filters.

17.3. Select the Syslog Servers row and click Edit.

17.4. Filter on severity should already be selected; change the setting to Warnings and click OK.

17.5. Click Apply.

17.6. The following command should be displayed in the Preview CLI Commands window. Examine the commands shown. If they appear correct, click Send. If not, click Cancel and retrace your steps to determine the underlying issue.

logging trap Warnings

18. Verify the logging settings change:

18.1. Return to PHP-Kiwi.

18.2. Wait about 40 seconds and manually refresh the browser. Verify that there are no new severity 7, 6 or 5 messages.
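To make the message formats and the two kinds of filtering in steps 15 to 18 concrete, here is an added Python example that is not part of the Global Knowledge lab: it parses ASA syslog lines, pairs 302013 Built and 302014 Teardown messages by connection number, applies a PHP-Kiwi style include list, and applies a severity cut-off equivalent to logging trap warnings. The sample lines are constructed; the 725001, 605005, 111009 and 106023 bodies are approximations of real ASA messages, and addresses not taken from the lab are invented.

```python
import re

# ASA syslog header: %ASA-<severity 0-7>-<6-digit message id>: <text>
HEADER = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)")
# Bodies of 302013 (Built) and 302014 (Teardown). The parenthesised translated
# address after each real address is optional; without NAT it just repeats the real one.
BUILT = re.compile(r"Built (?:inbound|outbound) TCP connection (?P<conn>\d+) for "
                   r"(?P<for_if>\w+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+)(?: \([\d.]+/\d+\))? to "
                   r"(?P<to_if>\w+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+)")
TEARDOWN = re.compile(r"Teardown TCP connection (?P<conn>\d+) for .* duration "
                      r"(?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)")

# Constructed sample feed: the two lab messages plus the noise that surrounds them
# (ASDM's SSL handshake, an admin login, a command audit, one severity-4 deny).
SAMPLE = """\
%ASA-6-725001: Starting SSL handshake with client inside:10.10.10.10/19580 for TLS session
%ASA-6-605005: Login permitted from 10.10.10.10/19580 to inside:10.10.10.1/https for user "admin"
%ASA-7-111009: User 'admin' executed cmd: show access-list brief
%ASA-6-302013: Built outbound TCP connection 242 for dmz:172.16.1.15/22 (172.16.1.15/22) to inside:10.10.10.10/19587 (10.10.10.10/19587)
%ASA-4-106023: Deny tcp src outside:203.0.113.9/40112 dst dmz:172.16.1.15/23 by access-group "outside_in"
%ASA-6-302014: Teardown TCP connection 242 for dmz:172.16.1.15/22 to inside:10.10.10.10/19587 duration 0:05:31 bytes 3324 TCP FINs
"""

def parse(line):
    """Return (severity, message id, text) for an ASA syslog line, or None."""
    m = HEADER.search(line)
    return (int(m["sev"]), m["msgid"], m["text"]) if m else None

def include_filter(lines, msgids):
    """PHP-Kiwi style include list: keep only lines whose message id is listed."""
    return [l for l in lines if (p := parse(l)) and p[1] in msgids]

def trap_filter(lines, level=4):
    """'logging trap warnings' equivalent: keep severity <= level (4 = warnings)."""
    return [l for l in lines if (p := parse(l)) and p[0] <= level]

def pair_connections(lines):
    """Match each 302013 Built message with its 302014 Teardown by connection number."""
    conns = {}
    for line in lines:
        p = parse(line)
        if p and p[1] == "302013" and (m := BUILT.search(p[2])):
            conns[m["conn"]] = {"torn_down": False, **m.groupdict()}
        elif p and p[1] == "302014" and (m := TEARDOWN.search(p[2])):
            c = conns.setdefault(m["conn"], {"conn": m["conn"]})  # teardown without a seen build
            c.update(torn_down=True, duration=m["duration"], bytes=int(m["bytes"]))
    return conns

if __name__ == "__main__":
    for conn, c in pair_connections(SAMPLE.splitlines()).items():
        print(conn, c.get("for_if"), "->", c.get("to_if"), "closed:", c["torn_down"], "bytes:", c.get("bytes"))
```

Running the script shows connection 242 opened from dmz to inside, closed after 3324 bytes, while trap_filter leaves only the single severity 4 line, which is what step 18 expects to see after the change.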
