Show real ip in ASA5520 log

Discussion in 'Cisco' started by Roberto Bazzano, Nov 26, 2008.

  1. Hello.
    I have a Cisco ASA5520 firmware version 7.2(2) and NAT enabled.
    When some inbound traffic is dropped, in the ASDM log window I see the
    outside interface IP address as destination IP address.
    Is there a way to display the internal real, natted, IP as destination ip
    address, so that I know exactly where the traffic was destined to?

    Thank you very much.

    Roberto Bazzano
    Roberto Bazzano, Nov 26, 2008
    #1

  2. Trendkill Guest

    On Nov 26, 7:45 am, "Roberto Bazzano" <> wrote:
    > Hello.
    > I have a Cisco ASA5520 firmware version 7.2(2) and NAT enabled.
    > When some inbound traffic is dropped, in the ASDM log window I see the
    > outside interface IP address as destination IP address.
    > Is there a way to display the internal real, natted, IP as destination ip
    > address, so that I know exactly where the traffic was destined to?
    >
    > Thank you very much.
    >
    > Roberto Bazzano


    I am not an ASA guru, but if the drop is occurring on the external
    side, I seriously doubt there is any way to determine the internal IP,
    since the actual external session is with that external address. I
    presume you are doing many-to-one NAT, so running a sniffer on the
    inside or monitoring one of the internal boxes is probably the only
    way to see who is being cut off. Additionally, non-initiated traffic
    (not requested from one of your internal boxes) would not have a
    NATed destination unless you do port forwarding or one-to-one NAT.
    There are some folks on the board with heavy experience here; quite
    possibly they know something I do not....
    Trendkill, Nov 26, 2008
    #2

  3. alexd Guest

    Chris wrote:

    > The response back to your firewall is to the real IP address. The host on
    > the internet doesn't know about your inside private network. It just sees
    > the connections coming from the PAT address of the firewall. The best bet
    > would be to block the outgoing trojan port


    ....and make sure you're logging on that rule so you'll be able to see
    who/what it was.

    alexd, Nov 27, 2008
    #3
  4. > The response back to your firewall is to the real IP address. The host on
    > the internet doesn't know about your inside private network. It just sees
    > the connections coming from the PAT address of the firewall.


    I know it, but the firewall knows which NAT connection originated
    that answer, so it should display the internal address in the log as well.
    That's what I would like to do, but I'm not able to do it...

    > The best bet would be to block the outgoing trojan port (and update the
    > security on all your inside hosts!).


    Yes, but that's not the main point here.
    The point is to display the internal address that is the destination of that
    answer (due to NAT translation), and not only to display the outside
    address.
    The firewall should have all the information to do it.

    Thank you.
    Roberto Bazzano
    Roberto Bazzano, Dec 1, 2008
    #4
  5. Techno_Guy Guest

    On Dec 1, 12:28 pm, "Roberto Bazzano" <> wrote:
    > > The response back to your firewall is to the real IP address. The host on
    > > the internet doesn't know about your inside private network. It just sees
    > > the connections coming from the PAT address of the firewall.

    >
    > I know it, but the firewall knows which NAT connection originated
    > that answer, so it should display the internal address in the log as well.
    > That's what I would like to do, but I'm not able to do it...
    >
    > > The best bet would be to block the outgoing trojan port (and update the
    > > security on all your inside hosts!).

    >
    > Yes, but that's not the main point here.
    > The point is to display the internal address that is the destination of that
    > answer (due to NAT translation), and not only to display the outside
    > address.
    > The firewall should have all the information to do it.
    >
    > Thank you.
    > Roberto Bazzano


    Just so I get this right: you want to know who on "your" internal LAN
    the packets are sourcing from, or you want to know the private address
    that the "hacker" is sourcing from?

    I will try to help out on both topics just to cover all bases.

    Do you have ACLs both inbound and outbound?
    You're not going to get the private address of the traffic returning to
    your network, because the header is going to show the Internet IP
    address they are NATing.

    To find the internal source on your local LAN you can do this two ways. One
    was already suggested: create an outbound ACL and make sure you type
    "log" at the end of the ACL entry to block the IP and port of the
    offending traffic. Then from the console just type sho log.

    Option 2: stop looking at the firewall and start looking at your
    switches. Enable a management port and then download your favorite
    packet sniffer. Create a custom filter to only capture the offending
    traffic type. Your packet capture will have both source and
    destination IP and MAC addresses that you can then use to find the
    offending computers on your local LAN.

    I understand I may not have actually answered your original question,
    but I hope I did you a better service by solving your ultimate issue.

    By the way, my ASA does show both source and destination IP addresses.
    Outbound traffic shows local LAN address and destination public
    address. Inbound from the Internet only shows source and destination
    Internet addresses. I use "names" to help me figure out what the
    public IPs NAT to.

    Steve
    Techno_Guy, Dec 2, 2008
    #5
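The thread never gets to an on-box answer, but the correlation Roberto is asking for can be done off-box: the firewall's translation table pairs each mapped (outside IP, port) slot with the real inside host, so a deny logged against the outside interface address can be joined to that table on protocol, mapped IP and mapped port. The script below is an added example for this thread, not anything the posters ran or anything Cisco ships. The `show xlate` lines and `%ASA-4-106023` deny messages are constructed samples whose field layout is approximated from memory, so the regexes may need adjusting for a given release; `parse_xlate` and `resolve_denies` are names chosen here.

```python
import re
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data (not captured from a real device) -------------
# Translation table lines modelled on ASA "show xlate" output for PAT.
XLATE_TABLE = """\
TCP PAT from inside:10.1.1.10/3456 to outside:203.0.113.5/1024 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from inside:10.1.1.22/49152 to outside:203.0.113.5/1025 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from inside:10.1.1.10/53011 to outside:203.0.113.5/1026 flags ri idle 0:00:02 timeout 0:00:30
"""

# Deny messages modelled on the ASA %ASA-4-106023 syslog format. Every line is
# addressed to the outside interface IP, which is exactly what the thread
# complains about: the log alone does not say which inside host was meant.
DENY_LOGS = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/80 dst outside:203.0.113.5/1024 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst outside:203.0.113.5/9999 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.53/53 dst outside:203.0.113.5/1026 by access-group "outside_in" [0x0, 0x0]
"""

XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from \w+:(?P<real_ip>[\d.]+)/(?P<real_port>\d+)"
    r" to \w+:(?P<map_ip>[\d.]+)/(?P<map_port>\d+)"
)
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r' dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Key a PAT slot by (protocol, mapped ip, mapped port); the value is the
# real inside "ip/port" that owned that slot when the snapshot was taken.
XlateKey = Tuple[str, str, int]


def parse_xlate(text: str) -> Dict[XlateKey, str]:
    """Build a lookup from mapped PAT slot to real inside host."""
    table: Dict[XlateKey, str] = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # static / identity entries are not modelled here
        key = (m["proto"].lower(), m["map_ip"], int(m["map_port"]))
        table[key] = f"{m['real_ip']}/{m['real_port']}"
    return table


def resolve_denies(logs: str, xlates: Dict[XlateKey, str]) -> List[dict]:
    """Annotate each deny with the inside host its PAT slot belonged to.

    real_dst is None when no translation matches: that is the unsolicited
    inbound case Trendkill describes, where there is no inside host at all.
    """
    out: List[dict] = []
    for line in logs.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), m["dst_ip"], int(m["dst_port"]))
        real: Optional[str] = xlates.get(key)
        out.append({
            "src": f"{m['src_ip']}/{m['src_port']}",
            "mapped_dst": f"{m['dst_ip']}/{m['dst_port']}",
            "real_dst": real,
            "acl": m["acl"],
        })
    return out


if __name__ == "__main__":
    for r in resolve_denies(DENY_LOGS, parse_xlate(XLATE_TABLE)):
        who = r["real_dst"] or "no xlate (unsolicited inbound)"
        print(f"{r['src']} -> {r['mapped_dst']} ({r['acl']}): real destination {who}")
```

The join is only as good as the timing of the `show xlate` snapshot: PAT slots are reused once a translation times out, so a table captured long after the deny can attribute the packet to the wrong host. In practice the table should be pulled within the xlate timeout of the log burst, or the same correlation should be driven from translation-creation and teardown syslogs instead of a point-in-time dump.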