Best practice for keeping XLATE history

wsanders1
Level 1

Management wants to keep a permanent record of the xlate table so they can track down inside (private) IP addresses when we are sent DMCA violation letters.

Eventually, we will have converted about 1500 inside hosts to private address space.

Has anyone got a best practice for doing this?

Xlate creation and destruction doesn't seem to get logged in syslog and I don't see any traps or MIB entries off the top of my head in http://supportwiki.cisco.com/ViewWiki/index.php/SNMP_MIBs_and_Traps_on_the_ASA_-_Additional_Information. FWSM seems to have a "NAT-MIB" but not ASA.

I suppose we could just log in to the device and do a "show xlate" periodically.

2 Replies

suschoud
Cisco Employee

You can use the CISCO-UNIFIED-FIREWALL-MIB to get the concurrent connection info.

Unfortunately there's no xlate MIB currently.

Snippet of info you can get from CISCO-UNIFIED-FIREWALL-MIB:

ConnectionStat ::= TEXTUAL-CONVENTION
    STATUS current
    DESCRIPTION
        "This textual convention is used to describe various
        connections statistics.
        other           : A generic connection event.
        totalOpen       : Total open connections since reboot.
        currentOpen     : The number of connections currently open.
        currentClosing  : The number of connections currently closing.
        currentHalfOpen : The number of connections currently half-open.
        currentInUse    : The number of connections currently in use.
        high            : The highest number of connections in use at
                          any one time since system startup."

ciscoFirewallMIBNotificationGroupRev1 NOTIFICATION-GROUP
    NOTIFICATIONS {
        cfwSecurityNotification,
        cfwContentInspectNotification,
        cfwConnNotification,
        cfwAccessNotification,
        cfwAuthNotification,
        cfwGenericNotification

sh conn info is always better than sh xlate.

Please rate if it helps.

Regards,

Sushil

jperloff
Level 1

On the ASA, XLATE builds and connections are captured.

If you send syslog message numbers 305009 through 305012 and/or 305013 through 305016 to a syslog server and save it, you can capture the data. Perhaps not in the easiest form to deal with, but it is there and is searchable.
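As an added example (not part of the thread, and not Cisco's code), here is what "searchable" looks like in practice for the DMCA use case: a small Python script that turns the 305009-305012 build/teardown messages into translation intervals and answers the question "which inside host held public IP/port X at time T?". The sample log lines are constructed; the message bodies follow the documented format of those message IDs, while the leading "Mon DD YYYY HH:MM:SS host :" prefix is an assumption about what the collecting syslog server prepends and may need adjusting for your collector. Because PAT ports are reused, the same public IP/port maps to different inside hosts over a day, so the complaint's timestamp, not just the address, is what identifies the host; the lookup also accepts a slack window for complaints whose time is only accurate to the minute.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original thread). The timestamp/host
# prefix is ASSUMED to be added by the syslog server; the %ASA-6-3050xx bodies use the
# documented format for message IDs 305009 (static built), 305010 (static teardown),
# 305011 (dynamic built) and 305012 (dynamic teardown).
SAMPLE_LOG = """\
May 10 2011 14:02:11 fw1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.10/1024
May 10 2011 14:05:40 fw1 : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.10/1024 duration 0:03:29
May 10 2011 14:06:02 fw1 : %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.77/40001 to outside:203.0.113.10/1024
May 10 2011 14:09:15 fw1 : %ASA-6-305009: Built static translation from inside:10.20.30.5 to outside:203.0.113.20
May 10 2011 14:30:00 fw1 : %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.77/40001 to outside:203.0.113.10/1024 duration 0:23:58
"""

# Port and protocol are optional so that static (1:1) translations also parse.
XLATE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"%ASA-\d-3050(?:09|10|11|12): (?P<action>Built|Teardown) "
    r"(?:dynamic |static )?(?:(?P<proto>TCP|UDP|ICMP) )?translation "
    r"from [\w-]+:(?P<in_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<in_port>\d+))? "
    r"to [\w-]+:(?P<out_ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<out_port>\d+))?"
)


def parse_xlate_log(text):
    """Turn ASA 30500x build/teardown lines into a list of translation intervals.

    Each interval holds the tuple identifying the xlate plus 'start' and 'end'
    datetimes; 'end' is None when no teardown was seen (still open, or the log
    stopped). Non-xlate lines are ignored.
    """
    open_xlates = {}   # xlates built but not yet torn down, keyed by their 5-tuple
    intervals = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        key = (m.group("proto"), m.group("out_ip"),
               int(m.group("out_port")) if m.group("out_port") else None,
               m.group("in_ip"),
               int(m.group("in_port")) if m.group("in_port") else None)
        if m.group("action") == "Built":
            iv = {"proto": key[0], "out_ip": key[1], "out_port": key[2],
                  "in_ip": key[3], "in_port": key[4], "start": ts, "end": None}
            open_xlates[key] = iv
            intervals.append(iv)
        else:
            iv = open_xlates.pop(key, None)
            if iv is not None:
                iv["end"] = ts
            # A teardown with no matching build (log gap, reboot) is dropped:
            # we cannot say when that translation started.
    return intervals


def lookup(intervals, out_ip, when, out_port=None, proto=None, slack=timedelta(0)):
    """Inside IPs mapped to out_ip (and out_port/proto, if given) at time 'when'.

    Static translations carry no port or protocol and therefore match any
    port/protocol on that public IP. 'slack' widens the window on both sides
    for complaint timestamps that are only accurate to the minute.
    """
    hits = set()
    for iv in intervals:
        if iv["out_ip"] != out_ip:
            continue
        if iv["out_port"] is not None and out_port is not None and iv["out_port"] != out_port:
            continue
        if iv["proto"] is not None and proto is not None and iv["proto"] != proto:
            continue
        if when < iv["start"] - slack:
            continue
        if iv["end"] is not None and when > iv["end"] + slack:
            continue
        hits.add(iv["in_ip"])
    return sorted(hits)


if __name__ == "__main__":
    ivs = parse_xlate_log(SAMPLE_LOG)
    # Same public IP/port, two different times: two different inside hosts.
    print(lookup(ivs, "203.0.113.10", datetime(2011, 5, 10, 14, 3), out_port=1024, proto="TCP"))
    print(lookup(ivs, "203.0.113.10", datetime(2011, 5, 10, 14, 10), out_port=1024, proto="TCP"))
```

Two operational points that matter for this to be usable as evidence: 305011/305012 are severity 6 (informational), so the ASA must send at least that level to the collector (`logging trap informational`), which on a PAT box fronting 1500 hosts is a high message rate that the syslog server and its disk must be sized for; and the firewall clock must be NTP-synced with a known time zone, since the complaint's timestamp has to be converted into the firewall's before the lookup means anything.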
