Show real ip in ASA5520 log

Discussion in 'Cisco' started by Roberto Bazzano, Nov 26, 2008.

  1. Hello.
    I have a Cisco ASA5520 firmware version 7.2(2) and NAT enabled.
    When some inbound traffic is dropped, in the ASDM log window I see the
    outside interface IP address as destination IP address.
    Is there a way to display the internal real, natted, IP as destination ip
    address, so that I know exactly where the traffic was destined to?

    Thank you very much.

    Roberto Bazzano
    Roberto Bazzano, Nov 26, 2008
    1. Advertisements

  2. Roberto Bazzano

    Trendkill Guest

    I am not an ASA guru, but if the drop is occurring on the external
    side, I seriously doubt there is any way to determine the internal IP
    since the actual external session is with that external address. I
    presume you are doing many-to-one NAT, so running a sniffer on the
    inside or monitoring one of the internal boxes is probably the only
    way to see who is being cut-off. Additionally, non-initiated traffic
    (not requested from one of your internal boxes) would not have a
    nat'ed destination unless you do port forwarding or one-to-one NAT.
    There are some folks on the board with heavy experience here, quite
    possible they know something I do not....
    Trendkill, Nov 26, 2008
    1. Advertisements

  3. Roberto Bazzano

    alexd Guest

    ....and make sure you're logging on that rule so you'll be able to see
    who/what it was.
    alexd, Nov 27, 2008
  4. The response back to your firewall is to the real IP address. The host on
    I know it, but the firewall knows what is the nat connection that originated
    that answer, so it should display the internal address in the log also.
    That's what i would like to do, but i'm not able to do it...
    Yes, but that's not the main point here.
    The point is to display the internal address that is the destination of that
    answer (due to nat translation), and not only to display the outside
    The firewall should have all the infos to do it.

    Thank you.
    Roberto Bazzano
    Roberto Bazzano, Dec 1, 2008
  5. Roberto Bazzano

    Techno_Guy Guest

    Just so i get this right. You want to know who on "your" internal LAN
    the packets are srcing from, or you want to know the private address
    that the "hacker" is srcing from?

    i will try to help out on both topics just to cover all basis.

    Do you have ACL's both inbound and outbound?
    your not going to get the private address of the traffic returning to
    your network because the header is going to show the Internet IP
    address they are Nating.

    To find the internal src on your local lan you can do this 2 ways. 1
    was already suggested. Create a outbound ACL and make sure you type
    "log" at the end of the ACL entry to block the ip and port of the
    offending traffic. then from the console just type sho log.

    Option 2. Stop looking at the firewall and start looking at your
    switches. Enable a management port and then download your favorite
    packet sniffer. Create a custom filter to only capture the offending
    traffic type. Your packet capture will have both source and
    destination ip and mac addreses that you can then use to find the
    offending computers on your local LAN.

    I understand I may not have actually answered your original question
    but I hope I did you a better service of solving your ultimate issue.

    By the way my ASA does show both source and destination ip addresses.
    Outbound traffic shows local LAN address and destination public
    address. Inbound from the internet only shows source and destination
    Internet addresses. i use "names" to help me figure out what the
    public ip's NAt to.

    Techno_Guy, Dec 2, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.