03-16-2010 09:26 AM - edited 03-11-2019 10:22 AM
Hi all. I was wondering if there is any better way to view all active connections from IP addresses that are going over the firewall than using the show conn command? Or better yet, a sum of all connections associated with an IP address?
The thing is that today I saw a large increase of inbound traffic on the ASA outside interface, but using the sh conn command I couldn't attribute any one IP on our network with an increased number of connections (the largest was an IP with some 40 connections). Last time I used this command we caught one of our users downloading a bunch of files from all over the internet using a P2P program, and I saw pages and pages of connections to his IP from the outside.
We are using Cisco ASA 5510 with asa706-k8.bin.
Thanks for any help.
03-16-2010 09:40 AM
Hi,
Still using the sh conn command, you can use it like this:
sh conn address x.x.x.x
To view all connections from IP x.x.x.x
Also, the command allows you to view just the connections from the address with a specific state, or to view all connections from that IP in detail:
sh conn address x.x.x.x state ?
sh conn address x.x.x.x detail
Also, the command sh local-host x.x.x.x allows you to view all transactions from that particular IP (XLATES and CONNS).
Federico.
03-17-2010 04:19 AM
That works fine if you know the IP address you are dealing with. That is to say, you have already identified the problematic IP. What I'm trying to find is how to find a problematic IP from, let's say, 150 active IPs on the ASA by looking at their connections. If you just type show conn you have to look through all the hosts until you stumble upon the problematic IP.
03-17-2010 05:40 AM
If you were running 8.2 you could enable Netflow. See the link below:
https://supportforums.cisco.com/docs/DOC-6113;jsessionid=09C4A6E010BFAC1E940F04533B590ECE.node0
Alternatively you could enable Netflow on your Internet facing router and pump the data to a Netflow collector like Manage Engine.
It's excellent for finding people who are using the corporate Internet for private use, e.g. listening to Internet radio stations and file sharing.
03-17-2010 05:45 AM
You can also use "show local-host" command, and it will group connection output from each ip address:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s4.html#wp1447764
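For anyone who only has raw show conn output to work with (for example a terminal capture taken before anyone thought to run show local-host), the script below does the per-host sum the thread is asking for: it parses each connection line, attributes the connection to the host on the local-side interface, and ranks hosts by connection count so a P2P-style talker with dozens of flows stands out from the other 150 hosts. This is an added example, not code from the thread or from Cisco; the sample output is constructed in the 7.x/8.x show conn line layout and is not from the poster's ASA 5510, and the local interface name ("in") is an assumption that should be set to whatever nameif the firewall uses.

```python
import re

# Constructed sample of "show conn" output in the 7.x/8.x line layout.
# Hypothetical addresses and counts; not captured from any real firewall.
SAMPLE_SHOW_CONN = """\
2 in use, 9 most used
TCP out 203.0.113.10:80 in 10.1.1.5:49152 idle 0:00:05 Bytes 1234 flags UIO
TCP out 203.0.113.11:443 in 10.1.1.5:49153 idle 0:00:02 Bytes 8700 flags UIO
UDP out 198.51.100.53:53 in 10.1.1.5:51000 idle 0:00:01 Bytes 120 flags -
TCP out 203.0.113.12:6881 in 10.1.1.77:50001 idle 0:00:00 Bytes 51200 flags UIO
TCP out 203.0.113.13:6881 in 10.1.1.77:50002 idle 0:00:01 Bytes 40960 flags UIO
TCP out 203.0.113.14:6882 in 10.1.1.77:50003 idle 0:00:03 Bytes 2048 flags UIO
UDP out 203.0.113.15:6881 in 10.1.1.77:50004 idle 0:00:00 Bytes 512 flags -
UDP out 203.0.113.16:6881 in 10.1.1.77:50005 idle 0:00:00 Bytes 512 flags -
UDP out 203.0.113.17:6881 in 10.1.1.77:50006 idle 0:00:00 Bytes 512 flags -
TCP out 203.0.113.18:25 in 10.1.1.20:49200 idle 0:00:10 Bytes 300 flags UIO
"""

# One TCP/UDP conn line: proto, then two "<iface> <ip>:<port>" pairs, then
# idle time and byte count. Optional commas cover the newer comma-separated
# layout; IGNORECASE covers "Bytes" vs "bytes". ICMP lines have no ports and
# are deliberately left unparsed.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>\d+\.\d+\.\d+\.\d+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>\d+\.\d+\.\d+\.\d+):(?P<port_b>\d+),?\s+"
    r"idle\s+(?P<idle>\S+?),?\s+bytes\s+(?P<bytes>\d+)",
    re.IGNORECASE,
)


def parse_conn_line(line):
    """Return a dict of fields for one conn line, or None if it is not one."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["proto"] = fields["proto"].upper()
    fields["bytes"] = int(fields["bytes"])
    return fields


def summarize_by_host(show_conn_text, local_iface="in"):
    """Group conns by the address on local_iface (assumed nameif 'in').

    Returns (hosts, skipped): hosts maps local IP -> per-protocol counts,
    total conns and bytes; skipped counts header lines, ICMP lines and conns
    that do not touch local_iface at all.
    """
    hosts = {}
    skipped = 0
    for line in show_conn_text.splitlines():
        conn = parse_conn_line(line)
        if conn is None:
            skipped += 1
            continue
        # The local host may appear on either side depending on who
        # initiated the connection, so check both interface names.
        if conn["if_b"].lower() == local_iface.lower():
            local_ip = conn["ip_b"]
        elif conn["if_a"].lower() == local_iface.lower():
            local_ip = conn["ip_a"]
        else:
            skipped += 1
            continue
        entry = hosts.setdefault(local_ip, {"TCP": 0, "UDP": 0, "total": 0, "bytes": 0})
        entry[conn["proto"]] += 1
        entry["total"] += 1
        entry["bytes"] += conn["bytes"]
    return hosts, skipped


def top_talkers(show_conn_text, n=5, local_iface="in", min_conns=0):
    """Hosts ranked by connection count (bytes as tie-break), top n only."""
    hosts, _ = summarize_by_host(show_conn_text, local_iface)
    ranked = sorted(hosts.items(),
                    key=lambda kv: (kv[1]["total"], kv[1]["bytes"]),
                    reverse=True)
    return [(ip, s) for ip, s in ranked if s["total"] >= min_conns][:n]


if __name__ == "__main__":
    hosts, skipped = summarize_by_host(SAMPLE_SHOW_CONN)
    print(f"{'host':<16}{'TCP':>5}{'UDP':>5}{'total':>7}{'bytes':>10}")
    for ip, s in top_talkers(SAMPLE_SHOW_CONN, n=10):
        print(f"{ip:<16}{s['TCP']:>5}{s['UDP']:>5}{s['total']:>7}{s['bytes']:>10}")
    print(f"({skipped} line(s) not counted)")
```

Run it on a saved capture with the script's SAMPLE_SHOW_CONN swapped for the file contents, and pass local_iface set to the firewall's actual inside nameif. On a box that supports it, show local-host already gives these per-host TCP/UDP totals directly and should be preferred; this is only for offline analysis of show conn text.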
03-17-2010 08:54 AM
I think that "show local-host" is the command I was looking for. It shows the local hosts and their connections and xlates, and most importantly it shows the sum per type of connection (TCP, UDP, ...).
Thanks for the command.
03-17-2010 08:58 AM
Glad that the command works for you.
The sh local-host x.x.x.x was in the first post already (maybe you didn't see it).
Federico.
03-17-2010 09:04 AM
Federico,
I didn't see it in the first reply. Thanks for the help.
03-17-2010 02:51 PM
Great to hear and thanks for the update.
10-11-2016 09:08 AM
I know this is an old post, but I had issues with my ASA supposedly having an IP address assigned to it which killed my static assignment on my server. Your show local-host got me going in the correct direction to be able to fix the issue and get my server back up! I really appreciate you sharing your knowledge.
Thanks Again!