How to identify NATted private host

Unanswered Question
Jun 18th, 2009

My IPS tells me a private-address (10.1.x.x) host in my network is the source of a virus detected at the IPS outside my ASA 5510 firewall. But all the IPS sees is the ASA's public address as the source of the packet, and the destination IP. If I try to log all Informational events to Syslog, the ASA warns me it may run out of memory and hang. So I'm trying to identify a particular event or events I can log and look back at after being notified by the IPS, that will hold clues to which private host is responsible. There are several Build and Teardown connection events. IPS support tells me the IPS drops the packets. Will those dropped packets generate any particular event that I can log? Any other suggestions about how to identify the culprit?

Kureli Sankar Thu, 06/18/2009 - 06:27

Collect the output of this command to a text file, go through it, and see if you find any 10.1.x.x host that has established way too many TCP or UDP connections through this firewall.

sh local | i host|count/limit

mcmurphytoo Thu, 06/18/2009 - 10:51

Thanks. That does show me a suspect. I see I can then detail the connections for that IP, and might verify the culprit. But I'm also looking for a way to look back, in case the connections are gone by the time I'm notified. I'm trying to send all TCP Connections Built to my syslog server - Event 302013. I'll watch that it doesn't use too much disk - so far about a MB in 30 minutes; or drag down the ASA, but it's just shipping more records to the syslog server.
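The look-back the reply above describes works because each 302013 (TCP connection built) line carries both the real (pre-NAT) and the mapped (post-NAT) address and port of the inside host, and the matching 302014 teardown line closes the time window in which that translation was valid. The following is an added example, not code from the thread or from Cisco: it parses constructed sample lines in the ASA 302013/302014 format and maps an IPS alert (the public source address and port, the destination address and port, and the alert time) back to the private host. Syslog line layout, sample addresses and function names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the ASA 302013/302014 syslog format (not real logs).
SAMPLE_LOGS = """\
Jun 18 2009 10:20:01: %ASA-6-302013: Built outbound TCP connection 71234 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.4.22/3307 (203.0.113.5/3307)
Jun 18 2009 10:20:02: %ASA-6-302013: Built outbound TCP connection 71235 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.4.23/3308 (203.0.113.5/3308)
Jun 18 2009 10:20:40: %ASA-6-302014: Teardown TCP connection 71234 for outside:198.51.100.7/80 to inside:10.1.4.22/3307 duration 0:00:39 bytes 5120 TCP FINs
Jun 18 2009 10:25:10: %ASA-6-302013: Built inbound TCP connection 71240 for outside:192.0.2.9/40211 (192.0.2.9/40211) to dmz:10.1.9.5/25 (203.0.113.6/25)
"""

TS = r"^(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
# interface:real_ip/real_port (mapped_ip/mapped_port)
ENDPOINT = r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)"
BUILT_RE = re.compile(TS + r"%ASA-6-302013: Built (?:inbound|outbound) TCP connection (\d+) for "
                      + ENDPOINT + r" to " + ENDPOINT)
TEARDOWN_RE = re.compile(TS + r"%ASA-6-302014: Teardown TCP connection (\d+) ")


def parse_ts(text):
    """Parse the ASA timestamp prefix; collapse the double space of single-digit days."""
    return datetime.strptime(" ".join(text.split()), "%b %d %Y %H:%M:%S")


def parse_connections(log_text):
    """Return {conn_id: {"start", "end", "endpoints"}} from build/teardown lines.

    Each endpoint is (iface, real_ip, real_port, mapped_ip, mapped_port).
    A connection with no teardown line keeps end=None (still open).
    """
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            g = m.groups()
            conns[g[1]] = {
                "start": parse_ts(g[0]),
                "end": None,
                "endpoints": [
                    (g[2], g[3], int(g[4]), g[5], int(g[6])),
                    (g[7], g[8], int(g[9]), g[10], int(g[11])),
                ],
            }
            continue
        m = TEARDOWN_RE.match(line)
        if m and m.group(2) in conns:
            conns[m.group(2)]["end"] = parse_ts(m.group(1))
    return conns


def find_private_host(log_text, public_ip, public_port, peer_ip, peer_port, when):
    """Map an IPS alert (post-NAT 5-tuple plus time) back to the pre-NAT inside host.

    'when' is an ASA-style timestamp string. Returns the sorted real (private) IPs
    of every connection whose translated tuple matches and that was open at 'when'.
    """
    t = parse_ts(when)
    hits = set()
    for c in parse_connections(log_text).values():
        if t < c["start"] or (c["end"] is not None and t > c["end"]):
            continue
        a, b = c["endpoints"]
        for src, dst in ((a, b), (b, a)):
            # src's mapped address is what the IPS saw as the packet source;
            # dst's mapped address is the destination it reported.
            if (src[3], src[4]) == (public_ip, public_port) and (dst[3], dst[4]) == (peer_ip, peer_port):
                hits.add(src[1])
    return sorted(hits)


if __name__ == "__main__":
    # Alert: source 203.0.113.5:3307 -> 198.51.100.7:80 at 10:20:30 resolves to 10.1.4.22.
    print(find_private_host(SAMPLE_LOGS, "203.0.113.5", 3307, "198.51.100.7", 80,
                            "Jun 18 2009 10:20:30"))
```

Under PAT every inside host shares the ASA's public address, so the mapped source port and the time are what separate one host from another; the IPS alert must therefore include the source port, and the IPS and ASA clocks must agree (NTP on both) or the teardown window check will pick the wrong connection when a port is reused. UDP connections are logged under 302015/302016 in the same layout, so the same parse applies if the reported traffic is not TCP.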
