Hello. I have a Cisco ASA5520, firmware version 7.2(2), with NAT enabled. When some inbound traffic is dropped, in the ASDM log window I see the outside interface IP address as the destination IP address. Is there a way to display the internal real (NATted) IP as the destination IP address, so that I know exactly where the traffic was destined to?
I am not an ASA guru, but if the drop is occurring on the external side, I seriously doubt there is any way to determine the internal IP, since the actual external session is with that external address. I presume you are doing many-to-one NAT, so running a sniffer on the inside or monitoring one of the internal boxes is probably the only way to see who is being cut off. Additionally, non-initiated traffic (not requested from one of your internal boxes) would not have a NATted destination unless you do port forwarding or one-to-one NAT. There are some folks on the board with heavy experience here; quite possibly they know something I do not....
Hello. I can be more specific about the problem now, because I discovered exactly what happened by using other means.
As you said, I'm doing many-to-one NAT. There was a client in the internal network that was sending connections to a few hosts on the internet on port 12000 (a virus? trojan? p2p? I'm still not sure). These hosts answer with an ICMP port unreachable message. The problem is that in the ASDM log, the destination IP of these ICMP messages is the firewall outside interface IP, and not the internal NATted host IP. So it's impossible to identify which internal host is sending out this traffic, even though the ICMP answers are caused by an outgoing connection that is NATted.
The response back to your firewall is to the real IP address. The host on the internet doesn't know about your inside private network. It just sees the connections coming from the PAT address of the firewall. The best bet would be to block the outgoing trojan port (and update the security on all your inside hosts!).
I know that, but the firewall knows which NAT connection originated that answer, so it should display the internal address in the log as well. That's what I would like to do, but I'm not able to do it...
Yes, but that's not the main point here. The point is to display the internal address that is the destination of that answer (due to NAT translation), and not only the outside address. The firewall should have all the info to do it.
Just so I get this right: you want to know who on "your" internal LAN the packets are sourcing from, or you want to know the private address that the "hacker" is sourcing from?
I will try to help out on both topics, just to cover all bases.
Do you have ACLs both inbound and outbound? You're not going to get the private address of the traffic returning to your network, because the header is going to show the Internet IP address they are NATing.
To find the internal source on your local LAN you can do this two ways. One was already suggested: create an outbound ACL and make sure you type "log" at the end of the ACL entry to block the IP and port of the offending traffic. Then from the console just type "sho log".
Option 2: stop looking at the firewall and start looking at your switches. Enable a management port and then download your favorite packet sniffer. Create a custom filter to only capture the offending traffic type. Your packet capture will have both source and destination IP and MAC addresses that you can then use to find the offending computers on your local LAN.
I understand I may not have actually answered your original question, but I hope I did you a better service by solving your ultimate issue.
By the way, my ASA does show both source and destination IP addresses. Outbound traffic shows the local LAN address and the destination public address. Inbound from the internet only shows source and destination Internet addresses. I use "names" to help me figure out what the public IPs NAT to.
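An added example (not from any poster in this thread) that takes the "look at the logs" approach from the ACL-with-"log" suggestion one step further. The ASA's own connection-build messages (%ASA-6-302013, severity informational) record both the real inside address/port and the mapped PAT address/port of every outbound connection, so a denied inbound packet addressed to the outside interface can be un-NATted after the fact by correlating the remote source address (and, for TCP/UDP, the mapped destination port) against the builds seen earlier. The log lines below are constructed and the message formats are reproduced from memory of the ASA syslog reference; the script assumes logging is enabled at level informational so the 302013 messages are actually present, and the address values, interface names and ACL name are placeholders. The ICMP case is deliberately ambiguous: a 106023 ICMP deny carries no port, so every inside host with a connection to that remote host is a candidate, which is why the function returns a list rather than a single host.

```python
import re
from dataclasses import dataclass

# Constructed sample ASA syslog excerpt (not real log data). Two inside hosts talk to
# 198.51.100.7:12000 through the same PAT address, one inside host to 198.51.100.9:12000.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/12000 (198.51.100.7/12000) to inside:10.1.1.55/49231 (203.0.113.2/1045)
%ASA-6-302013: Built outbound TCP connection 12346 for outside:198.51.100.9/12000 (198.51.100.9/12000) to inside:10.1.1.23/50100 (203.0.113.2/1046)
%ASA-6-302013: Built outbound TCP connection 12347 for outside:198.51.100.7/12000 (198.51.100.7/12000) to inside:10.1.1.99/33001 (203.0.113.2/1047)
%ASA-4-106023: Deny icmp src outside:198.51.100.7 dst outside:203.0.113.2 (type 3, code 3) by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/12000 dst outside:203.0.113.2/1046 by access-group "outside_in" [0x0, 0x0]
"""

# 302013: "Built outbound TCP connection ID for if:real/port (mapped/port) to if:real/port (mapped/port)"
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \((?P<a_mip>[\d.]+)/(?P<a_mport>\d+)\) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \((?P<b_mip>[\d.]+)/(?P<b_mport>\d+)\)"
)
# 106023: "Deny proto src if:ip[/port] dst if:ip[/port] ..." (ICMP denies have no ports)
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<s_if>\w+):(?P<s_ip>[\d.]+)(?:/(?P<s_port>\d+))? "
    r"dst (?P<d_if>\w+):(?P<d_ip>[\d.]+)(?:/(?P<d_port>\d+))?"
)


@dataclass
class Conn:
    conn_id: str
    proto: str
    remote_ip: str
    remote_port: int
    inside_ip: str
    inside_port: int
    mapped_ip: str
    mapped_port: int


def parse_built(line):
    """Return a Conn for a 302013 line, or None if the line is not one / has no NAT."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    # The side whose real and mapped addresses differ is the translated (inside) host.
    if g["a_ip"] != g["a_mip"]:
        inside, remote = "a", "b"
    elif g["b_ip"] != g["b_mip"]:
        inside, remote = "b", "a"
    else:
        return None  # no translation on either side; nothing to un-NAT
    return Conn(
        conn_id=g["id"], proto=g["proto"],
        remote_ip=g[remote + "_ip"], remote_port=int(g[remote + "_port"]),
        inside_ip=g[inside + "_ip"], inside_port=int(g[inside + "_port"]),
        mapped_ip=g[inside + "_mip"], mapped_port=int(g[inside + "_mport"]),
    )


def candidates_for_deny(line, conns):
    """Inside hosts that could be the real destination of a denied inbound packet.

    Matches the deny's source (remote) IP and mapped destination IP against the
    builds seen so far; a TCP/UDP deny also carries the PAT port, which pins it to
    one connection. Returns sorted (inside_ip, inside_port, remote_port) tuples,
    or None if the line is not a deny message.
    """
    m = DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    hits = [c for c in conns if c.remote_ip == g["s_ip"] and c.mapped_ip == g["d_ip"]]
    if g["d_port"] is not None:
        hits = [c for c in hits if c.mapped_port == int(g["d_port"])]
    return sorted({(c.inside_ip, c.inside_port, c.remote_port) for c in hits})


def unnat_log(log_text):
    """Walk the log in order; for every deny, list the inside hosts it maps back to."""
    conns, results = [], []
    for line in log_text.splitlines():
        conn = parse_built(line)
        if conn:
            conns.append(conn)  # only builds seen *before* a deny can explain it
            continue
        cands = candidates_for_deny(line, conns)
        if cands is not None:
            results.append((line, cands))
    return results


if __name__ == "__main__":
    for line, cands in unnat_log(SAMPLE_LOG):
        print(line.split(": ", 1)[1])
        for inside_ip, inside_port, remote_port in cands:
            print(f"    -> inside {inside_ip}:{inside_port} (remote port {remote_port})")
```

Run it against a `show logging` dump (or an exported syslog file) instead of SAMPLE_LOG. If no candidates come back for a deny, the usual reason is that connection builds are not being logged at the level the logging destination is set to, or that the deny arrived after the connection's teardown was already logged; in that case widening the window to include %ASA-6-302014 teardown lines, which also carry the real inside address, recovers the mapping.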