Cisco ASA PAT Question

carl_townshend
Spotlight

Hi all

When adding a PAT rule on my ASA to PAT to the outside IP of my firewall for internet traffic, I'm just monitoring the logs whilst users go on the internet. It appears that I don't see the actual destination they are trying to get to but the IP of the interface I am translating to. Is this right? I would expect to see the real IP of the websites they are going to.

cheers

Carl

4 Replies

Jouni Forss
VIP Alumni

Hi,

If the ASA "logging" configuration hasn't been used to disable or change the level of some Syslog messages, and provided that your ASA is set to log at the correct level, THEN you should be seeing both the messages that indicate the building and teardown of a connection through the ASA and the building and teardown messages of the translations for those connections.

So you could start by checking your "logging" configuration with the command

show run logging

This should tell us if the logging levels are appropriate and that the log message IDs that you are looking for haven't been disabled or had their level changed.

- Jouni

Hi

I am seeing the logs fine, but the destination I'm seeing is the outside IP of my interface and not the real web site IP they are going to.

Any ideas?

Hi,

Well, usually if you see a log message that states your public IP address as the destination then you are looking at a log message about the translation, not about the actual connection.

As an example, here is one connection/translation being built from my own ASA (with changed IP addresses, of course):

%ASA-6-305011: Built dynamic TCP translation from any:10.0.0.100/46064 to WAN:1.1.1.1/46064

%ASA-6-302013: Built outbound TCP connection 4585 for WAN:2.2.2.2/443 (2.2.2.2/443) to LAN:10.0.0.100/46064 (1.1.1.1/46064)

Where

  • 1.1.1.1 = My "WAN" interface public IP address
  • 2.2.2.2 = Destination IP address for my HTTPS connection

- Jouni
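To make the distinction above concrete, here is a small parser (added as an illustration, not Cisco's code or anything from this thread) that reads the two message types Jouni quotes, labels each line as a translation (305011) or a connection (302013) message, and pulls the real destination only from the connection messages. The sample lines are constructed from Jouni's example; field names such as `a_ip` and `map_ip` are my own.

```python
import re

# Constructed sample lines, copied in shape from the two messages quoted above.
SAMPLE_LINES = [
    "%ASA-6-305011: Built dynamic TCP translation from any:10.0.0.100/46064 to WAN:1.1.1.1/46064",
    "%ASA-6-302013: Built outbound TCP connection 4585 for WAN:2.2.2.2/443 (2.2.2.2/443) "
    "to LAN:10.0.0.100/46064 (1.1.1.1/46064)",
]

# 305011: the "to" side is the mapped (interface) address, NOT the website being visited.
XLATE_RE = re.compile(
    r"%ASA-\d-305011: Built dynamic (?P<proto>\w+) translation from "
    r"(?P<src_ifc>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<map_ifc>[^:\s]+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+)"
)
# 302013: real address/port first, mapped address/port in parentheses, for both sides.
# For an outbound connection the ASA lists the outside (destination) side first.
CONN_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection "
    r"(?P<conn_id>\d+) for (?P<a_ifc>[^:\s]+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"\((?P<a_map_ip>[\d.]+)/(?P<a_map_port>\d+)\) to "
    r"(?P<b_ifc>[^:\s]+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"\((?P<b_map_ip>[\d.]+)/(?P<b_map_port>\d+)\)"
)


def parse_asa_line(line):
    """Return a dict with a 'kind' of 'translation' or 'connection', or None if unrecognised."""
    m = XLATE_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="translation")
    m = CONN_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="connection")
    return None


def real_destinations(lines):
    """(inside host, 'dest_ip:port') pairs taken only from outbound 302013 messages.

    Translation messages are skipped on purpose: their 'to' address is the PAT
    interface IP, which is what the original poster mistook for the destination.
    """
    pairs = []
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["kind"] == "connection" and rec["direction"] == "outbound":
            pairs.append((rec["b_ip"], f"{rec['a_ip']}:{rec['a_port']}"))
    return pairs
```

Run over a real syslog export, `real_destinations` gives the per-host list of actual web server addresses, while the 305011 lines only ever show the mapped interface IP.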

Hi,

Can you see the above type of messages logged for your connections on the ASA?

They should be showing if your logging is otherwise at default settings and the logging level is set to Informational at least.

- Jouni
