Finding the original ip behind ACNS

Unanswered Question
Sep 9th, 2010

Hi All,

           I was looking at some of http logs and found the ACNS is initiating a connect to the internet, but it looks like ACNS acts like a proxy, which means some other host behind this ACNS is intitiating the connection, can somebody help me on how to find the original ip who initiated this connection? or is there a way to find out the original host who initiated the connection through ACNS?

Thanks,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Pablo Fri, 09/10/2010 - 08:21

Hi,

You're right ACNS is a proxy solution so most likely all the request trying to go out will be seen sourced from the ACNS "outside/routable" IP address.

If you want to find out the who the original request is you can enable the x-forwarder-for so that the WAE/CE will inject the IP address into a new header, this feature works for HTTP traffic only.

The command to enable it is:

http append x-forwarded-for-header

Now if you're the WAE/CE admin and want to monitor all the request going through you need to enable the transactional logging that would allow you to log traffic for all the protocols that you're proxy'ing on the box.

To enable transactional logging you need to enter this commands:

CE(config)#transaction-logs enable

CE# transaction-log force archive

Once they've been applied wait for a few seconds while some traffic goes through the box and then check the following file

/local1/logs/working.log

You'll see that each message looks like the one below:

987816643.766 116 10.1.1.5 TCP_MISS/0 1468 GET http://www.cisco.com/images*

Hope this helps.

__ __

Pablo

exploit_haxor Wed, 09/15/2010 - 03:57

Hi,

      Thanks a lot this was really helpful.........i can see some of the log file in this directory "/local1/logs", is there a way to download the log files to my machine?.....and also is there a easy way to find (like grep in unix) out the log entrires for particular domain  from the log file?.... for example: if i want to find out all the entries in the log file for www.google.com, how can i do it?

Thanks,

Pablo Thu, 09/16/2010 - 09:55

Hi,

There's no grep on ACNS but the include command will help you to accomplish this:

WAE-#type-tail working.log | inc www.google.com

About the log downloading there's a nice trick using FTP and IE,

Go to your CE/WAE and enable the FTP service with this command:

CE(config)# inetd enable ftp

Then from a PC that can access the CE open IE and do ftp://X.X.X.X <------ CE IP address.

It would prompt you for authentication here use the username and password you use normally on the CE.

Once you're in go to View> Open FTP Site using internet explorer

This would allow you to surf through the folders and get the logs you need

HTH.

__ __

Pablo

Actions

This Discussion