ASA 5510 viewing active connections

igor.hamzic
Level 1

Hi all. I was wondering whether there is any better way to view all active connections from IP addresses that are going over the firewall than using the show conn command? Or, better yet, a sum of all connections associated with an IP address?

The thing is that today I saw a large increase of inbound traffic on the ASA outside interface, but using the sh conn command I couldn't attribute an increased number of connections to any one IP on our network (the largest was an IP with some 40 connections). Last time I used this command we caught one of our users downloading a bunch of files from all over the internet using a P2P program, and I saw pages and pages of connections to his IP from the outside.

We are using Cisco ASA 5510 with asa706-k8.bin.

Thanks for any help.

Accepted Solution

You can also use "show local-host" command, and it will group connection output from each ip address:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s4.html#wp1447764


9 Replies

Hi,

Still using the sh conn command, you can use it like this:

sh conn address x.x.x.x

To view all connections from IP x.x.x.x

Also, the command allows you to view just the connections from the address with a specific state, or to view all connections from that IP in detail:

sh conn address x.x.x.x state ?

sh conn address x.x.x.x detail

Also, the command sh local-host x.x.x.x allows you to view all transactions from that particular IP (XLATES and CONNS).

Federico.

That works fine if you know the IP address you are dealing with, that is to say, you have already identified the problematic IP. What I'm trying to find is how to find a problematic IP from, let's say, 150 active IPs on the ASA by looking at their connections. If you just type show conn you have to list through all the hosts until you stumble upon the problematic IP.
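The problem stated above, picking the busiest host out of ~150 without reading every page of show conn by hand, can also be solved off-box. The script below is an added example written for this page, not code from the thread or from Cisco: it parses saved show conn output (pasted from a terminal session, or fed on stdin) and ranks inside hosts by total connection count and by the number of distinct remote peers, which is the signature of the P2P case the original poster describes. The sample output is constructed, and the script assumes the ASA prints the outside endpoint before the inside one, swapping the two if the first interface name is one of the inside names (in or inside by default); a different inside interface name would have to be passed to parse_conns.

```python
#!/usr/bin/env python3
"""Rank inside hosts by active connection count from ASA `show conn` output.

Added example for this page; not code from the thread or from Cisco.
Run as-is to use the constructed sample, or pipe saved output on stdin:
    ssh admin@asa 'show conn' | python3 conn_top.py
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: a few lines in the ASA 7.x "out ... in ..." layout
# plus one line in the later named-interface, comma-separated layout.
SAMPLE_SHOW_CONN = """\
8 in use, 60 most used
TCP out 203.0.113.10:80 in 192.168.1.20:49152 idle 0:00:05 Bytes 1234 flags UIO
TCP out 203.0.113.11:443 in 192.168.1.20:49153 idle 0:00:02 Bytes 5678 flags UIO
UDP out 203.0.113.12:53 in 192.168.1.20:49154 idle 0:00:01 flags -
TCP out 198.51.100.5:6881 in 192.168.1.77:33001 idle 0:00:01 Bytes 90210 flags UIO
TCP out 198.51.100.6:6881 in 192.168.1.77:33002 idle 0:00:01 Bytes 90211 flags UIO
UDP out 198.51.100.7:6881 in 192.168.1.77:33003 idle 0:00:01 flags -
UDP out 198.51.100.8:6881 in 192.168.1.77:33004 idle 0:00:01 flags -
TCP outside 203.0.113.10:80 inside 192.168.1.30:51000, idle 0:00:03, bytes 100, flags UIO
"""

# One regex for both layouts: protocol, then an interface name (or the
# keyword out/in), then ip:port, twice. Idle time, byte count and flags
# after the second endpoint are ignored.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    rf"(?P<first_if>\S+)\s+(?P<first_ip>{IP}):(?P<first_port>\d+)\s+"
    rf"(?P<second_if>\S+)\s+(?P<second_ip>{IP}):(?P<second_port>\d+)"
)


def parse_conns(text, inside_names=("in", "inside")):
    """Return a list of (proto, inside_ip, peer_ip, peer_port) tuples.

    Assumption: the ASA lists the outside endpoint first. If the first
    interface name is one of inside_names and the second is not, the
    endpoints are swapped so the inside host is always reported.
    """
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header lines such as "8 in use, 60 most used"
        first = (m.group("first_if"), m.group("first_ip"), int(m.group("first_port")))
        second = (m.group("second_if"), m.group("second_ip"), int(m.group("second_port")))
        if first[0] in inside_names and second[0] not in inside_names:
            first, second = second, first
        conns.append((m.group("proto"), second[1], first[1], first[2]))
    return conns


def count_by_host(text):
    """Map inside IP -> Counter of connections per protocol."""
    per_host = defaultdict(Counter)
    for proto, inside_ip, _peer_ip, _peer_port in parse_conns(text):
        per_host[inside_ip][proto] += 1
    return per_host


def top_talkers(text, n=10):
    """Return up to n rows (inside_ip, total, {proto: count}, distinct_peers),
    highest total first, then most distinct peers. A host talking to many
    different peers at once (the P2P pattern) rises to the top even when
    each individual flow is small."""
    per_host = count_by_host(text)
    peers = defaultdict(set)
    for _proto, inside_ip, peer_ip, _port in parse_conns(text):
        peers[inside_ip].add(peer_ip)
    rows = [(ip, sum(c.values()), dict(c), len(peers[ip])) for ip, c in per_host.items()]
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return rows[:n]


if __name__ == "__main__":
    text = SAMPLE_SHOW_CONN if sys.stdin.isatty() else sys.stdin.read()
    print(f"{'inside host':<16}{'conns':>6}{'peers':>6}  per-protocol")
    for ip, total, protos, npeers in top_talkers(text):
        breakdown = " ".join(f"{p}={c}" for p, c in sorted(protos.items()))
        print(f"{ip:<16}{total:>6}{npeers:>6}  {breakdown}")
```

On the constructed sample the host 192.168.1.77 sorts first with 4 connections to 4 distinct peers on port 6881, while 192.168.1.20 has 3 ordinary web and DNS flows. On a real box the same script works against the full show conn dump, which is what makes it usable on an ASA running 7.0 where NetFlow is not available.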

If you were running 8.2 you could enable Netflow. See the link below:

https://supportforums.cisco.com/docs/DOC-6113;jsessionid=09C4A6E010BFAC1E940F04533B590ECE.node0

Alternatively you could enable Netflow on your Internet facing router and pump the data to a Netflow collector like Manage Engine.

It's excellent for finding people who are using the Corporate Internet for private use, eg listening to Internet Radio stations and file sharing.


I think that "show local-host" is the command I was looking for. It shows the local hosts and their connections and xlates, and, most importantly, it shows the sum per type of connection (TCP, UDP, ...).

Thanks for the command.

Glad that the command works for you.

The sh local-host x.x.x.x was in the first post already (maybe you didn't see it).

Federico.

Federico,

I didn't see it in the first reply. Thanks for the help.

Great to hear and thanks for the update.

I know this is an old post. I had issues with my ASA supposedly having an IP address assigned to it, which killed my static assignment on my server. Your show local-host got me in the correct direction to be able to fix the issue and get my server back up! I really appreciate you sharing your knowledge.

Thanks Again! 
