One-liners: simple ASA log parsers

Sometimes you do not need a detailed log-analysis but several simple one-liners that you can adjust without too much thinking how it works, what you did last time, etc. The examples below are absolutely NOT optimal, but rather modular for easy line-editing.

1. Allowed traffic:

cat   asa.log | grep permitted | grep access-list |
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
 tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
 udp outside/10.2.8.25 -> inside/10.1.9.14(137)
 udp outside/10.2.8.25 -> inside/10.1.81.15(137)
 tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
 tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)

Noticed the “permitted” strings?

2. Denied traffic:

cat   asa.log | grep denied | grep access-list |
sed -e 's/^.*denied//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' | less

Result:

 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1541)
 tcp inside/10.3.241.116 -> outside/10.2.8.251(1547)
 tcp inside/10.1.140.159 -> outside/10.2.8.24(515)

3. The most popular permitted traffic:

cat   asa.log | grep permitted | grep access-list | 
sed -e 's/^.*permitted//' -e 's/hit-cnt.*$//' |
sed -e 's/([0-9][0-9]*) ->/ ->/' |
awk ' {conn[$0]++;} END { for ( i in conn ) print conn[i],"	",i;}' | sort +0nr | less

Result (the first column is the amount of corresponding log entries):

21170   tcp outside/10.2.8.40 -> inside/10.1.140.149(13000)
18023   tcp outside/10.2.8.34 -> inside/10.1.140.149(13000)
17981   tcp outside/10.2.8.31 -> inside/10.1.140.149(13000)
11034   tcp inside/10.1.140.251 -> outside/10.2.8.68(10001)
10652   tcp outside/10.2.8.43 -> inside/10.1.140.137(13000)
10628   tcp outside/10.2.8.44 -> inside/10.1.140.137(13000)
10484   tcp outside/10.2.8.47 -> inside/10.1.140.137(13000)
10437   tcp outside/10.2.8.23 -> inside/10.1.140.137(13000)
7618   tcp outside/10.2.8.25 -> inside/10.1.140.137(13000)
7550   tcp outside/10.2.8.27 -> inside/10.1.140.137(13000)
7515   tcp outside/10.2.8.49 -> inside/10.1.140.137(13000)
7496   tcp outside/10.2.8.29 -> inside/10.1.140.137(13000)
6826   tcp outside/10.2.8.30 -> inside/10.1.141.23(8080)
6011   tcp outside/10.2.8.35 -> inside/10.1.140.137(13000)
5896   tcp outside/10.2.8.40 -> inside/10.1.141.23(8080)
5809   tcp outside/10.2.8.30 -> inside/10.1.140.137(13000)

4. Modification for versions 8.2+:

cat asa.log | grep Deny | grep access-group | sed -e 's/^.*Deny//' -e 's/by.*$//' | sed -e 's/dst/ ->/' -e 's/src//' | less

You can use this method to generate a policy based on the current traffic.

Additional “greps” will allow you to filter for specific ports or IP-addresses.

Replace “permitted” with “denied” and you’ll get the “most popular denied traffic”.

Encryption failure: Received a cleartext packet within an encrypted connection

Recently I’ve stumbled upon a strange looking site-to-site (CheckPoint R70 to Cisco VPN3k) VPN problem:

Connections from some networks were dropped with the following error:

Encryption failure: Received a cleartext packet within an encrypted connection

The first step was to check the encryption domains for the tunnel. In both GUI and /etc/fw/conf/user.def the encryption domain was the whole class B network, assigned to the company.

Next step was tracing.

Continue reading “Encryption failure: Received a cleartext packet within an encrypted connection”

CheckPoint Firewall policy parsers and converters