Best practice for keeping XLATE history

Unanswered Question
Aug 26th, 2009

Management wants to keep a permanent record of the xlate table so they can track down inside (private) IP addresses when we are sent DMCA violation letters.

Eventually, we will have converted about 1500 inside hosts to private address space.

Has anyone got a best practice for doing this?

Xlate creation and destruction doesn't seem to get logged in syslog and I don't see any traps or MIB entries off the top of my head in http://supportwiki.cisco.com/ViewWiki/index.php/SNMP_MIBs_and_Traps_on_the_ASA_-_Additional_Information. FWSM seems to have a "NAT-MIB" but not ASA.

I suppose we could just log in to the device and do a "show xlate" periodically.

suschoud Wed, 08/26/2009 - 17:11

You can use the CISCO-UNIFIED-FIREWALL-MIB to get the concurrent connection info.

Unfortunately there's no xlate MIB currently.

Snippet of info you can get from CISCO-UNIFIED-FIREWALL-MIB:

ConnectionStat ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various
        connections statistics.
        other           : A generic connection event.
        totalOpen       : Total open connections since reboot.
        currentOpen     : The number of connections currently open.
        currentClosing  : The number of connections currently closing.
        currentHalfOpen : The number of connections currently half-open.
        currentInUse    : The number of connections currently in use.
        high            : The highest number of connections in use at
                          any one time since system startup."

ciscoFirewallMIBNotificationGroupRev1 NOTIFICATION-GROUP
    NOTIFICATIONS {
        cfwSecurityNotification,
        cfwContentInspectNotification,
        cfwConnNotification,
        cfwAccessNotification,
        cfwAuthNotification,
        cfwGenericNotification
    }

sh conn info is always better than sh xlate.

Please rate if it helps.

Regards,

Sushil

jperloff Fri, 08/28/2009 - 12:33

On the ASA, XLATE builds and connections are captured.

If you send syslog messages numbers 305009 through 305012 and/or 305013 through 305016 to a syslog server and save it, you can capture the data. Perhaps not in the easier form to deal with, but it is there and is searchable.
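As an added example (not code from the thread or from Cisco), here is a small Python parser for the 305009-305012 build/teardown messages jperloff mentions, written as the lookup the original question actually needs: given the public address/port and time from a complaint letter, which inside host held that translation. The sample log lines, the 203.0.113.5 public address and the 10.20.30.x inside hosts are constructed, and the leading ISO timestamp is assumed to be prepended by the syslog server.

```python
import re
from datetime import datetime
# Constructed sample lines in the documented ASA 305011/305012 format (dynamic PAT
# build and teardown); timestamp prepended by the syslog server (assumption).
SAMPLE_LOG = """\
2009-08-28T12:00:01Z %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51000 to outside:203.0.113.5/2048
2009-08-28T12:00:05Z %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.41/51001 to outside:203.0.113.5/2049
2009-08-28T12:09:30Z %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51000 to outside:203.0.113.5/2048 duration 0:09:29
2009-08-28T12:10:00Z %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.42/51002 to outside:203.0.113.5/2048
"""

# Build (305009/305011) and teardown (305010/305012) messages; protocol and port are
# optional because static translations (305009/305010) carry neither.
XLATE_RE = re.compile(
    r"^(?P<ts>\S+) %ASA-\d-3050(?:09|10|11|12): (?P<action>Built|Teardown) "
    r"(?:dynamic|static) (?:(?P<proto>TCP|UDP|ICMP) )?translation "
    r"from \w+:(?P<real_ip>[\d.]+)(?:/(?P<real_port>\d+))? "
    r"to \w+:(?P<mapped_ip>[\d.]+)(?:/(?P<mapped_port>\d+))?"
)
def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse_xlate_log(text):
    """Pair each Built line with the Teardown for the same mapped ip/port/proto.
    Returns records {mapped_ip, mapped_port, proto, real_ip, real_port, start, end};
    end is None for a translation still open at the end of the log."""
    open_idx, records = {}, []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue  # not an xlate build/teardown message
        key = (m["mapped_ip"], m["mapped_port"], m["proto"])
        if m["action"] == "Built":
            open_idx[key] = len(records)
            records.append(dict(mapped_ip=key[0], mapped_port=key[1], proto=key[2],
                                real_ip=m["real_ip"], real_port=m["real_port"],
                                start=_ts(m["ts"]), end=None))
        elif key in open_idx:  # a Teardown with no seen Built (log started late) is dropped
            records[open_idx.pop(key)]["end"] = _ts(m["ts"])
    return records

def lookup_inside_host(records, mapped_ip, mapped_port, when_iso):
    """Inside (real) IP that held mapped_ip/mapped_port at time when_iso, else None."""
    when = _ts(when_iso)
    for r in records:
        if (r["mapped_ip"], r["mapped_port"]) == (mapped_ip, mapped_port) \
                and r["start"] <= when and (r["end"] is None or when < r["end"]):
            return r["real_ip"]
    return None
```

Because a PAT port is reused as soon as it is torn down, the lookup needs the complaint's timestamp to the second and the firewall's clock synchronised with the syslog server's; a mapping that spans a log rotation will be missed unless the archived files are parsed together.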
