NAT monitoring / syslog

Feb 1st, 2010

Hi all,


I am trying to analyze a complex PIX config and would like to analyze the NAT usage. There are ALL variations of NATing in it, therefore I get static, dynamic, nat exemption etc.


I can see how I could trace down dynamic NAT (by counting "built dynamic TCP translation" in the syslog data) and ACL-based NAT (via acl counters).


Any idea how to trace static NAT usage and exemption / nat 0 usage? As a last resort, permit ACLs would be an idea (and then have counters on them), but I'd like a more comfortable way.


Any hints on tools are welcome as well; currently I am testing FireGen, which looks quite nice and is affordable.



Later,


Oliver

Panos Kampanakis Mon, 02/01/2010 - 14:25
Cisco Employee

I am not sure what the exact question is.


If you want to see what xlates are being used you can get the output of command "sh xlate detail".

Also, if the PIX is running later versions (not 6.3) you can run a packet tracer for a packet to see how it is going to be translated (packet-tracer command).


I hope it helps.


PK

keller.oliver Wed, 02/03/2010 - 06:11

Hi PK,


This question is about how to analyse which NAT statements are used and how often (or unused). The config is quite complex and I suspect there are some NAT ways that were not intended and others that are not needed any more.


Therefore, I'd like to have a report on NAT usage, like it is available on ACL usage (counters or via some tools like Firemon).


For dynamic NAT, I get syslog data that can be filtered for the corresponding expressions, so if I count them, this gives me a (complicated) way to get the info I want. For static, I can see that NAT rules are established, but I can't see if there is data flowing across these NATs, i.e. if they are used at all.


Since there are hundreds of static entries, permit ACLs with counters are possible, but not really something I'd like to do.



Is there any tool like FireGen or other log analysis tool that gathers statistic data about NAT usage?



Later,


Oliver

Kureli Sankar Wed, 02/03/2010 - 06:33
Cisco Employee

Hmm interesting question.


I believe just like the built dynamic translation syslog you can follow this syslog


Feb 03 2010 09:04:01: %ASA-6-302013: Built inbound TCP connection 165172 for outside:10.117.14.69/51132 (10.117.14.69/51132) to inside:192.168.2.2/5900 (172.18.254.34/5900)


305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80


This one is for static.


Grep for syslog 302013 and 305011 and see how many of these your firewall logs in a day.


-KS
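As an added example (not code from the thread or from Cisco), here is a small Python script that does what Oliver described for dynamic NAT and what KS suggests for static NAT: it counts the 305011 "Built static ... translation" and 302013 "Built ... TCP connection" messages per (real address, mapped address) pair and then compares the result against a list of configured static entries to find ones that never carried traffic. The log lines and the CONFIGURED_STATICS list are constructed for the example and modelled on the two message formats quoted above; the helper names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines, modelled on the two message formats quoted
# in the thread (302013 connection built, 305011 translation built). The
# addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = """\
Feb 03 2010 09:04:01: %ASA-6-302013: Built inbound TCP connection 165172 for outside:10.117.14.69/51132 (10.117.14.69/51132) to inside:192.168.2.2/5900 (172.18.254.34/5900)
Feb 03 2010 09:04:02: %ASA-6-305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:203.0.113.10/80
Feb 03 2010 09:04:03: %ASA-6-305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:203.0.113.10/80
Feb 03 2010 09:04:04: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.50.7/40212 to outside:203.0.113.20/40212
Feb 03 2010 09:04:05: %ASA-6-302013: Built outbound TCP connection 165173 for outside:198.51.100.5/443 (198.51.100.5/443) to inside:192.168.2.9/51001 (192.168.2.9/51001)
Feb 03 2010 09:04:06: %ASA-6-305011: Built static UDP translation from dmz:192.168.60.3/53 to outside:203.0.113.30/53
"""

# Hypothetical (real, mapped) pairs taken from the firewall's static statements;
# in practice you would parse them out of the running config.
CONFIGURED_STATICS = [
    ("192.168.41.10", "203.0.113.10"),
    ("192.168.60.3", "203.0.113.30"),
    ("192.168.2.2", "172.18.254.34"),
    ("192.168.70.4", "203.0.113.40"),  # constructed: never appears in the log
]

# 305011: "Built static|dynamic <proto> translation from <if>:<real>/<port> to <if>:<mapped>/<port>"
XLATE_RE = re.compile(
    r"(?:%(?:ASA|PIX)-\d-)?305011: Built (?P<kind>static|dynamic) (?P<proto>\w+) translation "
    r"from (?P<rif>\w+):(?P<real>[\d.]+)/(?P<rport>\d+) "
    r"to (?P<mif>\w+):(?P<mapped>[\d.]+)/(?P<mport>\d+)"
)

# 302013: each endpoint is "<if>:<real>/<port> (<mapped>/<port>)"; the mapped
# address differs from the real one only when a translation was applied.
ENDPOINT = r"(?P<{p}if>\w+):(?P<{p}real>[\d.]+)/(?P<{p}rport>\d+) \((?P<{p}map>[\d.]+)/(?P<{p}mport>\d+)\)"
CONN_RE = re.compile(
    r"(?:%(?:ASA|PIX)-\d-)?302013: Built (?P<dir>inbound|outbound) TCP connection \d+ for "
    + ENDPOINT.format(p="a") + " to " + ENDPOINT.format(p="b")
)


def count_static_xlates(log_text):
    """Count 305011 'Built static ... translation' lines per (real, mapped) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = XLATE_RE.search(line)
        if m and m.group("kind") == "static":
            counts[(m.group("real"), m.group("mapped"))] += 1
    return counts


def count_translated_connections(log_text):
    """Count 302013 connections per (real, mapped) endpoint that was actually translated."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        for p in ("a", "b"):
            real, mapped = m.group(p + "real"), m.group(p + "map")
            if real != mapped:  # untranslated endpoints tell us nothing about NAT usage
                counts[(real, mapped)] += 1
    return counts


def nat_usage_report(log_text):
    """Return rows of (real, mapped, xlate_builds, connections) for every pair seen."""
    xlates = count_static_xlates(log_text)
    conns = count_translated_connections(log_text)
    return [(real, mapped, xlates[(real, mapped)], conns[(real, mapped)])
            for real, mapped in sorted(set(xlates) | set(conns))]


def unused_statics(configured, log_text):
    """Configured (real, mapped) pairs with neither an xlate build nor a translated connection."""
    seen = {(r, m) for r, m, _, _ in nat_usage_report(log_text)}
    return [pair for pair in configured if pair not in seen]


if __name__ == "__main__":
    print("real            mapped          xlates  conns")
    for real, mapped, nx, nc in nat_usage_report(SAMPLE_LOG):
        print(f"{real:15} {mapped:15} {nx:6}  {nc:5}")
    print("never seen in log:", unused_statics(CONFIGURED_STATICS, SAMPLE_LOG))
```

Running it over a day of syslog output (replace SAMPLE_LOG with the file contents) gives a per-static-entry count of translations built and of connections that actually crossed the translation, which is the "report on NAT usage" asked for above; entries listed under "never seen" are the candidates for cleanup, though a pair absent from one day's log is only evidence of disuse over that window, not proof.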

keller.oliver Thu, 02/04/2010 - 00:48

I guess it's time to reanimate my perl knowledge.


Right now I'm evaluating FireGen and Sawmill; since we're on a budget we can't spend a lot of money. Any other useful tools for syslogging PIXes and getting information out of the log data?

Panos Kampanakis Thu, 02/04/2010 - 06:08
Cisco Employee

There is Cisco MARS that can do a lot with syslogs, generate reports etc. But it is not free.


I think you won't avoid writing perl again...


PK
