Tracking Natted IPs

Unanswered Question
Oct 24th, 2008

What is the easiest way to log which private IP used a Natted public IP during a specific window of time? We were recently informed that address 174.103.12.45 (within the scope of our public addresses) was scanning ports on a network.

We have an ASDM 5.2 in place.

ricey Fri, 10/24/2008 - 04:50

from the firewall console (in enable) mode enter the command show xlate

That will show all the current address translations.

Hope that helps.

kellyrudnick Fri, 10/24/2008 - 05:19

How about logging one that occurred several hours before? How can you enable logging to track translations from a previous period of time?

Thanks for your help.

ricey Fri, 10/24/2008 - 05:54

You could enable logging at the firewall (and forward the logs to a syslog server if you have one). If you set the logging level to informational, it will generate alerts like the example below, which has both the inside private and public addresses used.

ASA-6-302013: Built outbound TCP connection 94225810 for outside:64.233.183.147/80 (64.233.183.147/80) to inside:10.160.42.68/4057 (12.12.12.129/43498)

To set the logging at this level and to forward to a syslog server enter the following in config mode.

logging enable

logging trap informational

logging host inside x.x.x.x (inside being the interface associated with the network where the logging server is, and x.x.x.x being the IP address of the logging server).

Please note: this could generate an awful lot of logging information.
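Once those messages are landing on a syslog server, answering the original question ("which private host was behind public address X between these times?") is a matter of searching the archived 302013 lines for the window and picking out the endpoint whose mapped address is the public IP. The Python below is an added example, not code from this thread or from Cisco; the log lines it runs over are constructed to match the field layout of the 302013 line quoted above, with the timestamp and hostname a syslog server normally prepends, and it assumes the year is 2008 because syslog timestamps carry no year. The UDP counterpart (302015) is handled with the same layout.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog export (not from the thread). Each message body follows the
# layout of the 302013 "Built outbound TCP connection" line quoted in the reply above;
# the leading timestamp and hostname are what a syslog server typically prepends.
SAMPLE_LOG = """\
Oct 24 02:15:01 fw1 %ASA-6-302013: Built outbound TCP connection 94225810 for outside:64.233.183.147/80 (64.233.183.147/80) to inside:10.160.42.68/4057 (12.12.12.129/43498)
Oct 24 02:16:30 fw1 %ASA-6-302013: Built outbound TCP connection 94225811 for outside:198.51.100.7/22 (198.51.100.7/22) to inside:10.160.42.91/51022 (12.12.12.129/43499)
Oct 24 03:40:12 fw1 %ASA-6-302013: Built outbound TCP connection 94225990 for outside:198.51.100.7/23 (198.51.100.7/23) to inside:10.160.42.91/51023 (12.12.12.129/43600)
Oct 24 03:41:05 fw1 %ASA-6-302013: Built outbound TCP connection 94225991 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.160.42.68/4060 (12.12.12.130/20001)
Oct 24 03:41:09 fw1 %ASA-6-302015: Built outbound UDP connection 94225992 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.160.42.68/4061 (12.12.12.130/20002)
"""

# One endpoint in the message reads  iface:real_ip/real_port (mapped_ip/mapped_port)
ENDPOINT = r"(?P<{n}_if>\w+):(?P<{n}_ip>[\d.]+)/(?P<{n}_port>\d+) \((?P<{n}_mip>[\d.]+)/(?P<{n}_mport>\d+)\)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-3020\d\d: "
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
    r"for " + ENDPOINT.format(n="a") + " to " + ENDPOINT.format(n="b") + r"$"
)

def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a datetime (used for the query window)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_line(line, year):
    """Return the fields of a 'Built ... connection' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps have no year, so the caller supplies one (assumed 2008 here).
    rec["time"] = datetime.strptime(f"{year} {' '.join(rec['ts'].split())}", "%Y %b %d %H:%M:%S")
    return rec

def find_translations(log_text, public_ip, start, end, year=2008):
    """Every connection built within [start, end] in which a translated endpoint was
    presented to the other side as public_ip. Either endpoint may be the translated
    one, so this covers outbound PAT as well as inbound static NAT."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or not (start <= rec["time"] <= end):
            continue
        for side, peer in (("a", "b"), ("b", "a")):
            # A NATted endpoint is one whose mapped address differs from its real address.
            if rec[f"{side}_mip"] == public_ip and rec[f"{side}_ip"] != public_ip:
                hits.append({
                    "time": rec["time"],
                    "proto": rec["proto"],
                    "private_ip": rec[f"{side}_ip"],
                    "private_port": int(rec[f"{side}_port"]),
                    "public_port": int(rec[f"{side}_mport"]),
                    "peer": f"{rec[f'{peer}_ip']}:{rec[f'{peer}_port']}",
                })
    return hits

def private_hosts(hits):
    """Connections per private address, most active first."""
    return Counter(h["private_ip"] for h in hits).most_common()

if __name__ == "__main__":
    hits = find_translations(SAMPLE_LOG, "12.12.12.129", ts("2008-10-24 03:00:00"), ts("2008-10-24 04:00:00"))
    for h in hits:
        print(f"{h['time']:%H:%M:%S} {h['proto']} {h['private_ip']}:{h['private_port']} -> {h['peer']} via public port {h['public_port']}")
    print("Private hosts behind 12.12.12.129 in that window:", private_hosts(hits))
```

Two practical points the script reflects: the window has to be compared against the firewall's clock, so keep the ASA synchronised to NTP and log with the same timezone as the syslog server, and a report that names only the public address and a time is useful only if the logs from that period were retained, which is why forwarding to a syslog server (rather than the ASDM buffer) matters for after-the-fact questions like this one.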
