11-09-2009 08:23 AM - edited 02-21-2020 03:47 AM
Hi,
We have a PIX-525 running 6.3.5 that is configured for our DMZ & Internet firewall.
e0 = Internet
e1 = DMZ
e2 = LAN
We have a number of static NATs configured for public facing servers and a PAT address for user Internet traffic.
I've been asked to find which internal hosts are consuming the most bandwidth on our network. I checked and it doesn't look like the PIX supports netflow.
Is there a way that I can export the "show xlate" output to a file and sort so as to find which host is being translated the most?
I read a post somewhere about turning logging up on the pix to informational and then review the syslogs for translations/connections being built. Not sure how that may work.
Is there a better way to do this? I'd like to script something if possible but have to admit I'm a noob when it comes to running/writing scripts.
Thanks for the help.
Pete
11-09-2009 09:30 AM
Pete-
You could do that, but it would be very time consuming. Netflow is the best way to monitor per IP usage. Do you have a router in the inside of your network?
11-09-2009 09:37 AM
Hi Collin.
Thanks for your reply.
We have a Cat6500 (which serves as our core switch) that is connected to this PIX-525. I'm currently using Plixer's Scrutinizer to monitor this switch and see the traffic.
This has shown to be helpful but I figured monitoring the firewall traffic would be the best place to see what's going on.
I also just tried turning up these syslog IDs so my syslog server would see connection setup/teardown info:
logging message 302009 level 4
logging message 302010 level 4
logging message 302013 level 4
logging message 302014 level 4
logging message 302015 level 4
logging message 302016 level 4
logging message 305010 level 4
logging message 305011 level 4
logging message 609001 level 4
logging message 609002 level 4
The problem appears now to be that we're generating so much syslog info that it's going past the 65536 row limit in Excel.
Pete
11-09-2009 09:41 AM
Yup! You'll want to write some sort of script to parse all that info (linux would be best if that's an option). Plixer should be giving you the info you're looking for. If you're monitoring the interface(s) to your firewall, then you're good to go. Are you seeing issues there?
11-09-2009 09:57 AM
Hi Collin,
We're seeing the traffic which is good, but our main issue is the volume of traffic being seen. Ideally, we'd like to filter out stuff like LAN <--> DMZ and just see LAN <--> Internet.
I guess it's more of a question now of how best to pull out just this information.
Thanks
Pete
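One way to do the parsing suggested above, as an added example that is not from this thread: it reads the 302014/302016 teardown messages (the ones that carry a byte count), keeps only flows that have one end on the LAN interface and the other on the Internet interface, and sums bytes per LAN host. The interface names (inside/outside/dmz) and the sample syslog lines are assumptions and constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the PIX 302013/302014/302016 formats.
# Interface names (outside/dmz/inside) are assumed; adjust to your nameif values.
SAMPLE_LOG = """\
Nov  9 09:40:01 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:10.1.1.5/3456 duration 0:00:12 bytes 150000 TCP FINs
Nov  9 09:40:02 pix %PIX-6-302016: Teardown UDP connection 1002 for outside:203.0.113.53/53 to inside:10.1.1.7/50000 duration 0:00:01 bytes 512
Nov  9 09:40:03 pix %PIX-6-302014: Teardown TCP connection 1003 for dmz:192.168.100.20/443 to inside:10.1.1.5/3457 duration 0:00:30 bytes 9000000 TCP Reset-I
Nov  9 09:40:04 pix %PIX-6-302014: Teardown TCP connection 1004 for inside:10.1.1.9/4000 to outside:198.51.100.7/443 duration 0:01:00 bytes 250000 TCP FINs
Nov  9 09:40:05 pix %PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.10/5555 (203.0.113.10/5555) to inside:10.1.1.5/80 (10.1.1.5/80)
"""

# Matches TCP (302014) and UDP (302016) teardowns in either endpoint order.
TEARDOWN = re.compile(
    r"%PIX-\d-30201[46]: Teardown (?:TCP|UDP) connection \d+ for "
    r"(?P<if_a>\w+):(?P<ip_a>[\d.]+)/\d+ to (?P<if_b>\w+):(?P<ip_b>[\d.]+)/\d+ "
    r"duration [\d:]+ bytes (?P<bytes>\d+)"
)

def bytes_per_inside_host(log_text, inside="inside", outside="outside"):
    """Sum teardown byte counts per LAN host, keeping only LAN<->Internet flows."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue  # Built messages (302013/302015) carry no byte count; skip them
        ends = {m["if_a"]: m["ip_a"], m["if_b"]: m["ip_b"]}
        # Requiring both interfaces drops LAN<->DMZ and DMZ<->Internet flows.
        if inside in ends and outside in ends:
            totals[ends[inside]] += int(m["bytes"])
    return dict(totals)

def top_talkers(log_text, n=10):
    """Return (host, bytes) pairs sorted by total bytes, largest first."""
    totals = bytes_per_inside_host(log_text)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for host, total in top_talkers(SAMPLE_LOG):
        print(f"{host:15} {total:>12} bytes")
```

To run it against the real syslog server file, replace SAMPLE_LOG with the contents of that file; the byte count in a teardown message covers both directions of the connection.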
11-09-2009 11:25 AM
I don't have Plixer, but can't you create a filter to remove DMZ traffic?
11-09-2009 11:40 AM
Hi Collin
I'm going through the Scrutinizer interface but haven't seen anything yet to filter the traffic.
Thanks for the help.
Pete
01-26-2010 09:57 AM
Hello,
We get quite a few calls on the NetFlow from the ASA. The NetFlow it exports is kind of unique. Check out this PDF:
http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf
Thanks for considering Scrutinizer.
Jake