How to track NAT xlate entries (ASA5550, 7.2)

Sep 23rd, 2009

Management wants to track our xlate table (NAT) history. The ASA does not seem to have the CISCO-IETF-NAT-MIB SNMP MIB, and there do not seem to be any SNMP traps generated by xlate entry creation or removal, so the only way to do this seems to be to just log in to the box with an expect script and capture the output of "show xlate" every hour or so.


Has anyone come up with a better approach than this for the ASA? Thanks -w

Kureli Sankar (Cisco Employee) Wed, 09/23/2009 - 10:58

I am not sure if there is an OID for this.


If you are looking to archive the xlate creation, perhaps you can save the syslogs.


Sep 23 2009 14:53:00: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.2.2/3498 to outside:172.18.254.34/8779


That one in particular is for building a translation for a particular host on the inside to the outside.


Here is the syslog link for the ASA 7.2:

http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/syslog.html
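As an added example (not code from this thread or from Cisco), the following Python parser reconstructs xlate history from the 305011 "Built ... translation" syslog message quoted above and its 305012 "Teardown ... translation" counterpart. The sample log lines are constructed, and the exact 305012 wording (a trailing "duration" field) is assumed from the ASA syslog reference.

```python
import re
from datetime import datetime

# Constructed sample of ASA 7.2 syslog lines. The first 305011 line is the one
# quoted in the thread; the others are made up in the same format.
SAMPLE_LOG = """\
Sep 23 2009 14:53:00: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.2.2/3498 to outside:172.18.254.34/8779
Sep 23 2009 14:53:02: %ASA-6-305011: Built dynamic UDP translation from inside:192.168.2.7/53012 to outside:172.18.254.34/1025
Sep 23 2009 14:53:30: %ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.2.2/3498 to outside:172.18.254.34/8779 duration 0:00:30
"""

# Matches both the build (305011) and teardown (305012) messages; the port is
# optional so that static translations without a port part still match.
XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} \d\d:\d\d:\d\d): %ASA-6-(?P<id>30501[12]): "
    r"(?:Built|Teardown) (?P<kind>dynamic|static) (?P<proto>\w+) translation "
    r"from (?P<in_if>\w+):(?P<in_addr>[\d.]+)(?:/(?P<in_port>\d+))? "
    r"to (?P<out_if>\w+):(?P<out_addr>[\d.]+)(?:/(?P<out_port>\d+))?"
)


def _endpoint(addr, port):
    """Render addr/port, or just addr when the message carried no port."""
    return f"{addr}/{port}" if port else addr


def parse_xlate_history(text):
    """Return one record per translation, in build order.

    Each record holds proto, inside, outside, built (datetime) and
    torn_down (datetime, or None if no teardown message was seen)."""
    open_xlates = {}   # translations built but not yet torn down
    history = []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = (m["proto"], m["in_addr"], m["in_port"], m["out_addr"], m["out_port"])
        if m["id"] == "305011":
            rec = {"proto": m["proto"],
                   "inside": _endpoint(m["in_addr"], m["in_port"]),
                   "outside": _endpoint(m["out_addr"], m["out_port"]),
                   "built": ts, "torn_down": None}
            open_xlates[key] = rec
            history.append(rec)
        else:
            rec = open_xlates.pop(key, None)   # ignore teardown with no matching build
            if rec is not None:
                rec["torn_down"] = ts
    return history


def still_open(history):
    """Translations with no teardown seen; comparable to a 'show xlate' snapshot."""
    return [r for r in history if r["torn_down"] is None]
```

Feed it a saved syslog file instead of SAMPLE_LOG to get the full build/teardown timeline; still_open() gives the set that should agree with a concurrent "show xlate".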


wsanders1 Wed, 09/23/2009 - 14:04

Thanks for finding those syslog messages for me - I was searching for "NAT", "xlate", etc. I'm going to keep using expect. To get those entries logged I'd have to enable Info-level syslog, and that is just too much stuff. Doesn't look like I can override individual messages on with "logging message 305011" like I can disable them with "no logging message 305011".
