Show real ip in ASA5520 log
Posted by Roberto Bazzano on November 26, 2008, 7:45 am

I have a Cisco ASA5520 firmware version 7.2(2) and NAT enabled. When some inbound traffic is dropped, in the ASDM log window I see the outside interface IP address as the destination IP address. Is there a way to display the internal real, natted, IP as the destination IP address, so that I know exactly where the traffic was destined to?

Thank you very much.

Roberto Bazzano
|
Posted by Trendkill on November 26, 2008, 11:35 am

I am not an ASA guru, but if the drop is occurring on the external side, I seriously doubt there is any way to determine the internal IP, since the actual external session is with that external address. I presume you are doing many-to-one NAT, so running a sniffer on the inside or monitoring one of the internal boxes is probably the only way to see who is being cut off. Additionally, non-initiated traffic (not requested from one of your internal boxes) would not have a NAT'ed destination unless you do port forwarding or one-to-one NAT. There are some folks on the board with heavy experience here; it's quite possible they know something I do not....
|
Posted by Roberto Bazzano on November 26, 2008, 5:01 pm

> I am not an ASA guru, but if the drop is occurring on the external
> side, I seriously doubt there is any way to determine the internal IP
> since the actual external session is with that external address. I
> presume you are doing many-to-one NAT, so running a sniffer on the
> inside or monitoring one of the internal boxes is probably the only
> way to see who is being cut-off. Additionally, non-initiated traffic
> (not requested from one of your internal boxes) would not have a
> nat'ed destination unless you do port forwarding or one-to-one NAT.
> There are some folks on the board with heavy experience here, quite
> possible they know something I do not....

Hello. I can be more specific about the problem now, because I discovered exactly what happened by using other means. As you said, I'm doing many-to-one NAT. There was a client in the internal network that was sending connections to a few hosts on the internet on port 12000 (a virus? trojan? p2p? I'm still not sure). These hosts answer with an ICMP port unreachable message. The problem is that in the ASDM log, the destination IP of these ICMP messages is the firewall outside interface IP, and not the internal natted host IP. So it's impossible to identify which internal host is sending out this traffic, even if the ICMP answers are caused by an outgoing connection that is natted.

Any idea?

Thank you very much.

Roberto Bazzano
|
Posted by Chris on November 27, 2008, 11:54 am

> So it's impossible to identify what internal host is sending out this
> traffic, even if the icmp answers are caused by an outgoing connection
> that is natted.
>
> Any idea?
>
> Thank you very much.
>
> Roberto Bazzano

The response back to your firewall is to the real IP address. The host on the internet doesn't know about your inside private network. It just sees the connections coming from the PAT address of the firewall.

The best bet would be to block the outgoing trojan port (and update the security on all your inside hosts!).

Chris.
|
Posted by Roberto Bazzano on December 1, 2008, 12:28 pm

> The response back to your firewall is to the real IP address. The host on
> the internet doesn't know about your inside private network. It just sees
> the connections coming from the PAT address of the firewall.

I know it, but the firewall knows which NAT connection originated that answer, so it should display the internal address in the log also. That's what I would like to do, but I'm not able to do it...

> The best bet would be to block the outgoing trojan port (and update the
> security on all your inside hosts!).

Yes, but that's not the main point here. The point is to display the internal address that is the destination of that answer (due to NAT translation), and not only to display the outside address. The firewall should have all the info to do it.

Thank you.

Roberto Bazzano
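Added example (not code from the thread or from Cisco): the information Roberto wants is in the ASA's own syslog stream, just spread across two message types. The outbound connection-build message records the inside address together with the PAT address and port it was translated to, and the ICMP denial message records the internet host that sent the unreachable and the PAT address it was sent to. Correlating the two on (sender, PAT address) names the inside host behind each dropped reply, and grouping the connection records by remote port lists which inside hosts are talking to port 12000. The sample lines below are constructed; the message IDs 302013 and 313004 and their field layouts are my assumptions about the ASA 7.x syslog format and should be checked against the output of your own device before relying on the regexes.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on ASA 7.x message formats (assumption:
# verify the exact layout against your own firewall). Addresses are RFC 5737
# documentation ranges: 203.0.113.5 plays the PAT (outside interface) address.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/12000 (198.51.100.7/12000) to inside:192.168.1.10/49152 (203.0.113.5/49152)
%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:192.168.1.20/50001 (203.0.113.5/50001)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.8/12000 (198.51.100.8/12000) to inside:192.168.1.10/49153 (203.0.113.5/49153)
%ASA-4-313004: Denied ICMP type=3, from laddr 198.51.100.7 on interface outside to 203.0.113.5: no matching session
%ASA-4-313004: Denied ICMP type=3, from laddr 198.51.100.8 on interface outside to 203.0.113.5: no matching session
%ASA-4-313004: Denied ICMP type=3, from laddr 198.51.100.99 on interface outside to 203.0.113.5: no matching session
"""

# 302013: "for <outside-if>:<remote>/<rport> (...) to <inside-if>:<inside>/<lport> (<pat-ip>/<pat-port>)"
BUILT_RE = re.compile(
    r"302013: Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<oif>\w+):(?P<rip>[\d.]+)/(?P<rport>\d+) \([\d.]+/\d+\) to "
    r"(?P<iif>\w+):(?P<lip>[\d.]+)/(?P<lport>\d+) \((?P<nip>[\d.]+)/(?P<nport>\d+)\)"
)
# 313004: inbound ICMP dropped because no session matched it; the "to" address is the PAT address.
ICMP_RE = re.compile(
    r"313004: Denied ICMP type=(?P<type>\d+), from laddr (?P<src>[\d.]+) "
    r"on interface (?P<iface>\w+) to (?P<dst>[\d.]+)"
)


def index_connections(lines):
    """Map (remote_ip, pat_ip) -> list of (inside_ip, inside_port, remote_port)."""
    index = defaultdict(list)
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            index[(m["rip"], m["nip"])].append((m["lip"], int(m["lport"]), int(m["rport"])))
    return index


def correlate_icmp(lines):
    """For each denied inbound ICMP, list the inside hosts that had a translated
    connection to the ICMP sender. An empty list means the ICMP was unsolicited
    as far as this log window shows."""
    conns = index_connections(lines)
    findings = []
    for line in lines:
        m = ICMP_RE.search(line)
        if not m:
            continue
        candidates = conns.get((m["src"], m["dst"]), [])
        findings.append({
            "icmp_from": m["src"],
            "pat_ip": m["dst"],
            "icmp_type": int(m["type"]),
            "inside_hosts": sorted({c[0] for c in candidates}),
            "connections": candidates,
        })
    return findings


def hosts_talking_to_port(lines, remote_port):
    """Inside hosts that opened outbound connections to the given remote port."""
    return {m["lip"] for m in map(BUILT_RE.search, lines) if m and int(m["rport"]) == remote_port}


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for f in correlate_icmp(log_lines):
        print(f"ICMP type {f['icmp_type']} from {f['icmp_from']} -> {f['pat_ip']}: "
              f"inside host(s) {f['inside_hosts'] or 'none seen'}")
    print("inside hosts talking to port 12000:", sorted(hosts_talking_to_port(log_lines, 12000)))
```

The correlation key deliberately uses only the remote address and the PAT address, because the 313004 message does not carry the quoted original header (and therefore no port); within a short log window that is enough to point at the inside host, and the remote-port grouping gives the same answer independently of the ICMP replies.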