In article , Scott Townsend wrote:
> Is there a way to log which outside IPs are used for the Inside IPs so I can
> look back and see who was using what IP and when?
The theoretical answer is to put your log level up to 6 and look at the "Built ... translation" messages such as %PIX-6-305011.
The practical answer is to put your log level up to 6 and look at the "Built ... connection" messages such as %PIX-6-302013. The connection messages are more detailed and less ambiguous than the translation messages.
On the other hand, the translation messages are all you have to go on if anything other than TCP or UDP is going on -- you don't get connection messages for icmp or GRE or whatever. If you want to see those other protocols, you can add the 'log' keyword to the end of the ACL entry that permits them. To avoid getting flooded with those messages, I suggest that in cases where you would normally permit 'ip', that you explicitly permit 'tcp' and 'udp' without the 'log' keyword [and use the PIX-6-302013 messages for those], then use the 'log' keyword on a following permit 'ip' entry.
Another trick: if you don't want to log all of the level 6 stuff, then you can use the 'logging message' command with a message number in order to modify the level it is generated at. For example, you could
logging message 302013 level 4
and then you'd only have to send up to level 4 to your syslog in order to receive those particular messages. This technique is useful if there are just a small number of level 6 events you are interested in.
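An added example (not from the poster, and not Cisco code) of doing the lookback the question asks about: a small parser that walks syslog output, pulls the inside-to-outside mappings out of both the 305011 translation messages and the 302013 connection messages, and answers "which inside host was behind this outside IP (and port)?" The sample log lines are constructed for this example and follow the documented PIX 6.x layouts of those two messages as I understand them; for 302013 the mapped address is the one in parentheses, so the inside endpoint is whichever side's real address differs from its mapped address, which avoids hard-coding the interface names "inside"/"outside".

```python
import re
from collections import namedtuple

# Constructed sample syslog lines (not real captures). The 302014 teardown
# line is included only to show that unrelated messages are ignored.
SAMPLE_LOG = """\
Mar 10 09:12:01 fw01 %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.5/1025 to outside:203.0.113.7/1025
Mar 10 09:12:01 fw01 %PIX-6-302013: Built outbound TCP connection 41231 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:10.1.1.5/1025 (203.0.113.7/1025)
Mar 10 09:12:05 fw01 %PIX-6-305011: Built dynamic ICMP translation from inside:10.1.1.9/512 to outside:203.0.113.7/512
Mar 10 09:12:07 fw01 %PIX-6-302013: Built outbound TCP connection 41232 for outside:198.51.100.21/443 (198.51.100.21/443) to inside:10.1.1.8/3301 (203.0.113.8/3301)
Mar 10 09:12:09 fw01 %PIX-6-302014: Teardown TCP connection 41231 for outside:198.51.100.20/80 to inside:10.1.1.5/1025 duration 0:00:08 bytes 5123 TCP FINs
"""

# One record per observed inside->outside mapping, whichever message produced it.
NatEvent = namedtuple(
    "NatEvent", "ts msg_id proto inside_ip inside_port outside_ip outside_port")

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

# 305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from if:real/port to if:mapped/port
TRANSLATION_RE = re.compile(
    r"%PIX-6-305011: Built (?:dynamic|static) (?P<proto>TCP|UDP|ICMP) translation "
    r"from (?P<in_if>\w+):(?P<real>[\d.]+)/(?P<real_port>\d+) "
    r"to (?P<out_if>\w+):(?P<mapped>[\d.]+)/(?P<mapped_port>\d+)")

# 302013: Built {inbound|outbound} TCP connection N for if:real/port (mapped/port) to if:real/port (mapped/port)
CONNECTION_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<a_if>\w+):(?P<a_real>[\d.]+)/(?P<a_rport>\d+) \((?P<a_map>[\d.]+)/(?P<a_mport>\d+)\) "
    r"to (?P<b_if>\w+):(?P<b_real>[\d.]+)/(?P<b_rport>\d+) \((?P<b_map>[\d.]+)/(?P<b_mport>\d+)\)")


def parse_nat_events(text):
    """Extract NatEvent records from raw syslog text; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_m = TS_RE.match(line)
        ts = ts_m.group("ts") if ts_m else ""
        m = TRANSLATION_RE.search(line)
        if m:
            events.append(NatEvent(ts, "305011", m.group("proto"),
                                   m.group("real"), int(m.group("real_port")),
                                   m.group("mapped"), int(m.group("mapped_port"))))
            continue
        m = CONNECTION_RE.search(line)
        if m:
            # Only the endpoint whose real address differs from its mapped
            # address was translated; the other side is the untranslated peer.
            for side in ("a", "b"):
                real, mapped = m.group(side + "_real"), m.group(side + "_map")
                if real != mapped:
                    events.append(NatEvent(ts, "302013", "TCP",
                                           real, int(m.group(side + "_rport")),
                                           mapped, int(m.group(side + "_mport"))))
    return events


def who_used(events, outside_ip, outside_port=None):
    """Return (ts, inside_ip, inside_port, proto, msg_id) for every mapping of outside_ip[/port]."""
    return [(e.ts, e.inside_ip, e.inside_port, e.proto, e.msg_id)
            for e in events
            if e.outside_ip == outside_ip
            and (outside_port is None or e.outside_port == outside_port)]


def inside_hosts_behind(events, outside_ip):
    """Sorted set of inside hosts ever seen translated to outside_ip."""
    return sorted({e.inside_ip for e in events if e.outside_ip == outside_ip})


if __name__ == "__main__":
    evs = parse_nat_events(SAMPLE_LOG)
    for row in who_used(evs, "203.0.113.7"):
        print(row)
    print(inside_hosts_behind(evs, "203.0.113.7"))
```

The port argument matters for PAT: with several inside hosts sharing one outside address, only the outside port pins the answer to a single inside host, and the ICMP translation in the sample is the case the post warns about, since it shows up only in 305011 (or in an ACL 'log' hit), never in a 302013 connection message.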