NAT monitoring / syslog

keller.oliver
Level 1

Hi all,

I am trying to analyze a complex PIX config and would like to analyze the NAT usage. It contains ALL variations of NATing, so I get static, dynamic, nat exemption etc.

I can see how I could trace down dynamic NAT (by counting "built dynamic TCP translation" in the syslog data) and ACL-based NAT (via acl counters).

Any idea how to trace static NAT usage and exemption / nat 0 usage? As a last resort, permit ACLs would be an idea (and then have counters on them), but I'd like a more comfortable way.

Any hints on tools are welcome as well; currently I am testing FireGen, which looks quite nice and is affordable.

Later,

Oliver

5 Replies

Panos Kampanakis
Cisco Employee

I am not sure what the exact question is.

If you want to see what xlates are being used you can get the output of command "sh xlate detail".

Also, if the PIX is running later versions (not 6.3) you can run a packet tracer for a packet to see how it is going to be translated (packet-tracer command).

I hope it helps.

PK

Hi PK,

This question is about how to analyse which NAT statements are used and how often (or unused). The config is quite complex and I suspect there are some NAT ways that were not intended and others that are not needed any more.

Therefore, I'd like to have a report on NAT usage, like it is available for ACL usage (counters or via some tools like Firemon).

For dynamic NAT, I get syslog data that can be filtered for the corresponding expressions, so if I count them, this gives me a (complicated) way to get the info I want. For static, I can see that NAT rules are established, but I can't see if there is data flowing across these NATs, i.e. if they are used at all.

Since there are hundreds of static entries, permit ACLs with counters are possible, but not really something I'd like to do.

Is there any tool like FireGen or another log analysis tool that gathers statistical data about NAT usage?

Later,

Oliver

Hmm interesting question.

I believe that, just like the built dynamic translation syslog, you can follow this syslog:

Feb 03 2010 09:04:01: %ASA-6-302013: Built inbound TCP connection 165172 for outside:10.117.14.69/51132 (10.117.14.69/51132) to inside:192.168.2.2/5900 (172.18.254.34/5900)

305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80

This one is for static.

Grep for syslog 302013 and 305011 and see how many of these your firewall logs in a day.

-KS
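A worked version of the grep-and-count approach from this reply, added here as an example and not code from the thread: it parses 305011 (built translation) and 302013 (built inbound connection) lines, counts hits per NAT kind and per (real, mapped) address pair, and joins them against a list of configured statics so entries with zero hits stand out. The log lines, the addresses and the `statics` list are constructed stand-ins; a real run would feed the day's syslog file and the static entries extracted from the PIX config.

```python
import re
from collections import Counter

# 305011 "Built static|dynamic translation", with or without the %ASA-6- / %PIX-6- prefix.
XLATE_RE = re.compile(
    r"305011: Built (?P<kind>static|dynamic) (?:TCP|UDP|ICMP) translation "
    r"from \S+:(?P<in_ip>[\d.]+)/\d+ to \S+:(?P<out_ip>[\d.]+)/\d+")
# 302013 "Built inbound connection": real inside address, then the mapped address in parentheses.
CONN_RE = re.compile(
    r"302013: Built inbound (?:TCP|UDP) connection \d+ for \S+ \(\S+\) "
    r"to \S+:(?P<in_ip>[\d.]+)/\d+ \((?P<out_ip>[\d.]+)/\d+\)")

# Constructed sample syslog extract (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
Feb 03 2010 09:04:01: %ASA-6-305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:203.0.113.5/8501
Feb 03 2010 09:04:02: %ASA-6-305011: Built dynamic TCP translation from inside:192.168.2.20/40011 to outside:203.0.113.1/40011
Feb 03 2010 09:04:03: %ASA-6-305011: Built static TCP translation from inside:192.168.41.10/8502 to outside:203.0.113.5/8502
Feb 03 2010 09:04:04: %ASA-6-302013: Built inbound TCP connection 165172 for outside:198.51.100.9/51132 (198.51.100.9/51132) to inside:192.168.2.2/5900 (203.0.113.34/5900)
Feb 03 2010 09:04:05: %ASA-6-305011: Built static UDP translation from dmz:192.168.50.7/53 to outside:203.0.113.9/53
Feb 03 2010 09:04:06: %ASA-6-302013: Built inbound TCP connection 165173 for outside:198.51.100.10/2211 (198.51.100.10/2211) to inside:192.168.70.4/22 (192.168.70.4/22)
"""

def count_nat_hits(log_text):
    """Return (hits_by_kind, hits_by_mapping): 305011 hits per NAT kind (plus 'untranslated'
    for 302013 lines whose real and mapped address agree, i.e. nat 0 / exemption traffic),
    and translated flows per (real_ip, mapped_ip) from static 305011 and inbound 302013 lines."""
    by_kind, by_mapping = Counter(), Counter()
    for line in log_text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            by_kind[m["kind"]] += 1
            if m["kind"] == "static":
                by_mapping[(m["in_ip"], m["out_ip"])] += 1
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        if m["in_ip"] == m["out_ip"]:        # real == mapped: the connection was not translated
            by_kind["untranslated"] += 1
        else:
            by_mapping[(m["in_ip"], m["out_ip"])] += 1
    return by_kind, by_mapping

def static_usage_report(log_text, configured_statics):
    """Join log hits against the configured static list; 0 hits flags a candidate unused entry."""
    _, by_mapping = count_nat_hits(log_text)
    return {pair: by_mapping.get(pair, 0) for pair in configured_statics}

if __name__ == "__main__":
    # Constructed stand-in for the (real, mapped) pairs of the static entries in the PIX config.
    statics = [("192.168.41.10", "203.0.113.5"), ("192.168.2.2", "203.0.113.34"),
               ("192.168.50.7", "203.0.113.9"), ("192.168.60.1", "203.0.113.20")]
    for (real, mapped), hits in sorted(static_usage_report(SAMPLE_LOG, statics).items()):
        print(f"{real:>15} -> {mapped:<15} {hits} hit(s){'  <-- no traffic seen' if not hits else ''}")
```

One day of logs proves only that an entry was used, not that it is unused; run the count over a period that covers the rarely used flows (month-end jobs, backups) before treating a zero as safe to remove.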

I guess it's time to reanimate my perl knowledge.

Right now I'm evaluating FireGen and Sawmill; since we're on a budget we can't spend a lot of money. Any other useful tools for syslogging PIXes and getting information out of the log data?

There is Cisco MARS that can do a lot with syslogs, generate reports etc. But it is not free.

I think you won't avoid writing perl again...

PK
