Best practice for keeping XLATE history

Aug 26th, 2009

Management wants to keep a permanent record of the xlate table so they can track down inside (private) IP addresses when we are sent DMCA violation letters.

Eventually, we will have converted about 1500 inside hosts to private address space.

Has anyone got a best practice for doing this?

Xlate creation and destruction doesn't seem to get logged in syslog and I don't see any traps or MIB entries off the top of my head in http://supportwiki.cisco.com/ViewWiki/index.php/SNMP_MIBs_and_Traps_on_the_ASA_-_Additional_Information. FWSM seems to have a "NAT-MIB" but not ASA.

I suppose we could just log in to the device and do a "show xlate" periodically.

suschoud Wed, 08/26/2009 - 17:11

You can use the CISCO-UNIFIED-FIREWALL-MIB to get the concurrent connection info.

Unfortunately there's no xlate MIB currently.

Snippet of info you can get from CISCO-UNIFIED-FIREWALL-MIB:

STATUS current
"This textual convention is used to describe various
connections statistics.
other : A generic connection event.
totalOpen : Total open connections since reboot.
currentOpen : The number of connections currently open.
currentClosing : The number of connections currently closing.
currentHalfOpen : The number of connections currently
currentInUse : The number of connections currently in use.
high : The highest number of connections in use at
any one time since system startup."

ciscoFirewallMIBNotificationGroupRev1 NOTIFICATION-GROUP

sh conn info is always better than sh xlate.

Plz rate if it helps.

jperloff Fri, 08/28/2009 - 12:33

On the ASA, XLATE builds and connections are captured.

If you send syslog message numbers 305009 through 305012 and/or 305013 through 305016 to a syslog server and save it, you can capture the data. Perhaps not in the easiest form to deal with, but it is there and is searchable.
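As an added example (not code from this thread or from Cisco), here is what "searchable" can look like once those messages are saved by a syslog server: a parser for the 305009 through 305012 build/teardown lines that reconstructs each xlate's lifetime, plus the lookup the original question needs, namely which inside host held a given public address and PAT port at the time named in a DMCA letter. The message layouts follow my own reading of the ASA syslog documentation; the hostname fw01, the addresses and the log lines are constructed, and 305013 through 305016 are not handled.

```python
import re
from datetime import datetime

# Message shapes for ASA xlate build/teardown syslogs (IDs 305009-305012) follow my own reading
# of the ASA syslog documentation, not this thread. Static xlates carry no port, so ports are optional.
XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d) \S+ %ASA-\d-3050(?:09|10|11|12): "
    r"(?P<event>Built|Teardown) (?:static|dynamic) (?:(?:TCP|UDP|ICMP) )?translation from "
    r"[\w-]+:(?P<in_ip>[\d.]+)(?:/(?P<in_port>\d+))? to [\w-]+:(?P<out_ip>[\d.]+)(?:/(?P<out_port>\d+))?"
)

def parse_ts(text):
    # Timestamp as written by a syslog server that is configured to record the year.
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")

def build_xlate_history(lines):
    """Turn raw syslog lines into xlate lifetimes: start, end (None if still open), inside/outside ends."""
    open_xlates = {}  # (out_ip, out_port) -> index in history of the xlate currently holding that mapping
    history = []
    for line in lines:
        m = XLATE_RE.match(line)
        if not m:
            continue  # connection messages, unrelated IDs and unparsable lines are skipped
        key = (m["out_ip"], m["out_port"])
        if m["event"] == "Built":
            history.append({"start": parse_ts(m["ts"]), "end": None, "in_ip": m["in_ip"],
                            "in_port": m["in_port"], "out_ip": m["out_ip"], "out_port": m["out_port"]})
            open_xlates[key] = len(history) - 1
        elif key in open_xlates:  # a Teardown with no recorded Built (log started mid-life) is ignored
            history[open_xlates.pop(key)]["end"] = parse_ts(m["ts"])
    return history

def who_had(history, out_ip, when, out_port=None):
    """Inside addresses that held public out_ip (optionally one PAT port) at syslog-format time `when`."""
    at = parse_ts(when)
    hits = {r["in_ip"] for r in history
            if r["out_ip"] == out_ip and (out_port is None or r["out_port"] == out_port)
            and r["start"] <= at and (r["end"] is None or at < r["end"])}
    return sorted(hits)

# Constructed sample of what a syslog server would have saved; addresses are from documentation ranges.
SAMPLE_LOG = """\
Aug 26 2009 17:01:03 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.5.23/51234 to outside:198.51.100.7/20001
Aug 26 2009 17:01:09 fw01 %ASA-6-305011: Built dynamic UDP translation from inside:10.20.7.41/40000 to outside:198.51.100.7/20002
Aug 26 2009 17:15:30 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.5.23/51234 to outside:198.51.100.7/20001 duration 0:14:27
Aug 26 2009 17:16:00 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.9.8/52000 to outside:198.51.100.7/20001
Aug 26 2009 17:20:00 fw01 %ASA-6-305010: Teardown static translation from inside:10.20.1.1 to outside:198.51.100.9 duration 2:00:00
""".splitlines()

if __name__ == "__main__":
    print(who_had(build_xlate_history(SAMPLE_LOG), "198.51.100.7", "Aug 26 2009 17:10:00", "20001"))  # ['10.20.5.23']
```

A letter that names only the public IP without the port will, under PAT, return every inside host that shared that address at the time, which is why keeping the port in the record matters.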