Finding the original ip behind ACNS

Sep 9th, 2010

Hi All,




I was looking at some of the HTTP logs and found that ACNS is initiating connections to the internet, but it looks like ACNS acts like a proxy, which means some other host behind this ACNS is initiating the connection. Can somebody help me on how to find the original IP that initiated this connection? Or is there a way to find out the original host that initiated the connection through ACNS?




Thanks,

Pablo (Cisco Employee) Fri, 09/10/2010 - 08:21

Hi,


You're right, ACNS is a proxy solution, so most likely all the requests trying to go out will be seen as sourced from the ACNS "outside/routable" IP address.


If you want to find out who the original requester is, you can enable x-forwarded-for so that the WAE/CE will inject the IP address into a new header; this feature works for HTTP traffic only.


The command to enable it is:


http append x-forwarded-for-header


Now, if you're the WAE/CE admin and want to monitor all the requests going through, you need to enable transactional logging, which allows you to log traffic for all the protocols that you're proxying on the box.


To enable transactional logging you need to enter these commands:


CE(config)#transaction-logs enable

CE# transaction-log force archive


Once they've been applied, wait for a few seconds while some traffic goes through the box and then check the following file:


/local1/logs/working.log


You'll see that each message looks like the one below:


987816643.766 116 10.1.1.5 TCP_MISS/0 1468 GET http://www.cisco.com/images*


Hope this helps.


Pablo

exploit_haxor Wed, 09/15/2010 - 03:57

Hi,


Thanks a lot, this was really helpful. I can see some of the log files in this directory "/local1/logs". Is there a way to download the log files to my machine? And also, is there an easy way (like grep in Unix) to find the log entries for a particular domain in the log file? For example, if I want to find out all the entries in the log file for www.google.com, how can I do it?


Thanks,

Pablo (Cisco Employee) Thu, 09/16/2010 - 09:55

Hi,


There's no grep on ACNS, but the include command will help you accomplish this:


WAE-#type-tail working.log | inc www.google.com


About the log downloading, there's a nice trick using FTP and IE.


Go to your CE/WAE and enable the FTP service with this command:


CE(config)# inetd enable ftp


Then, from a PC that can access the CE, open IE and go to ftp://X.X.X.X (the CE IP address).


It will prompt you for authentication; here use the username and password you normally use on the CE.


Once you're in, go to View > Open FTP Site in Internet Explorer.


This will allow you to browse through the folders and get the logs you need.


HTH.


Pablo
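An added example, not code from the thread or from Cisco: a small Python parser for the Squid-style transaction-log records shown above, once a copy of working.log has been pulled off the box. It answers both follow-up questions offline: it pulls the records for one exact host (stricter than the substring match of `inc`, which would also hit lookalike hosts) and counts which original client IPs behind the proxy made those requests. The regex field layout is assumed from the sample line in the thread, and all sample log lines after that one are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid-style line as written by ACNS/WAE transaction logging to working.log:
#   <epoch.ms> <elapsed_ms> <client_ip> <code>/<status> <bytes> <method> <url> [rfc931 peer type]
# Only the first seven fields are required; the thread's sample line stops after the URL.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d+)\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

def parse_line(line):
    """Return a dict for one transaction-log record, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    for k in ("elapsed", "status", "bytes"):
        rec[k] = int(rec[k])
    rec["host"] = urlsplit(rec["url"]).hostname or ""  # lowercased, port stripped
    return rec

def entries_for_domain(lines, domain):
    """Records whose URL host is exactly `domain`, case-insensitively. A substring
    filter such as `inc www.google.com` would also match hosts like www.google.com.example."""
    domain = domain.lower()
    return [r for r in map(parse_line, lines) if r and r["host"] == domain]

def clients_for_domain(lines, domain):
    """Original client IP -> number of requests it made to `domain` through the proxy."""
    return Counter(r["client"] for r in entries_for_domain(lines, domain))

# Constructed sample log: the first line is the thread's example, the rest are made up.
SAMPLE_LOG = """\
987816643.766 116 10.1.1.5 TCP_MISS/0 1468 GET http://www.cisco.com/images*
987816650.102 88 10.1.1.7 TCP_HIT/200 5120 GET http://www.google.com/ - NONE/- text/html
987816651.330 240 10.1.1.5 TCP_MISS/200 9876 GET http://www.google.com/search?q=acns - DIRECT/74.125.0.1 text/html
987816652.001 12 10.1.1.9 TCP_MISS/200 300 GET http://mail.google.com/ - DIRECT/74.125.0.2 text/html
987816653.500 30 10.1.1.7 TCP_MISS/200 410 GET http://www.google.com.example/ - DIRECT/192.0.2.10 text/html
this line is not a transaction-log record and is skipped
""".splitlines()

if __name__ == "__main__":
    for ip, n in clients_for_domain(SAMPLE_LOG, "www.google.com").most_common():
        print(f"{ip} made {n} request(s) to www.google.com via the proxy")
```

To run it against a real download, replace SAMPLE_LOG with the lines of the fetched working.log; the client column is the original host behind the proxy that the question asked about.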
