New Member

Cisco ASA PAT Question

Hi all

When adding a PAT rule on my ASA to PAT to the outside IP of my firewall for internet traffic, I'm just monitoring the logs whilst users go on the internet. It appears that I don't see the actual destination they are trying to get to but the IP of the interface I am translating to. Is this right? I would expect to see the real IP of the websites they are going to.

cheers

Carl

4 REPLIES
Super Bronze

Re: Cisco ASA PAT Question

Hi,

If the ASA "logging" configuration hasn't been used to disable or change the level of some Syslog messages, and provided that your ASA is set to log at the correct level, THEN you should be seeing both the messages that indicate the building and the teardown of a connection through the ASA. You would also be seeing the building and teardown messages of the translations for those connections.

So you could start by checking your "logging" configuration with the command

show run logging

This should tell us if the logging levels are appropriate and that the log message IDs that you are looking for haven't been disabled or their level hasn't been changed.

- Jouni

New Member

Cisco ASA PAT Question

Hi

I am seeing the logs fine, but the destination I'm seeing is the outside of my interface and not the real web site IP they are going to.

Any ideas?

Super Bronze

Cisco ASA PAT Question

Hi,

Well, usually if you see a log message that states your public IP address as the destination then you are looking at a log message about the translation, not about the actual connection.

As an example, one connection/translation being built on my own ASA (with changed IP addresses, of course):

%ASA-6-305011: Built dynamic TCP translation from any:10.0.0.100/46064 to WAN:1.1.1.1/46064

%ASA-6-302013: Built outbound TCP connection 4585 for WAN:2.2.2.2/443 (2.2.2.2/443) to LAN:10.0.0.100/46064 (1.1.1.1/46064)

Where

  • 1.1.1.1 = My "WAN" interface public IP address
  • 2.2.2.2 = Destination IP address for my HTTPS connection

- Jouni
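
Added example (not part of the original thread): a short Python parser that pairs the 305011 translation message with the 302013 connection message, so each outbound flow is reported with the real client, the PAT address and the real destination. The function name and record fields are assumptions of this example, the sample input is the two log lines quoted above, and only the outbound TCP format shown in the post is handled.

```python
import re

# Constructed sample: the two messages quoted in the post above.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from any:10.0.0.100/46064 to WAN:1.1.1.1/46064
%ASA-6-302013: Built outbound TCP connection 4585 for WAN:2.2.2.2/443 (2.2.2.2/443) to LAN:10.0.0.100/46064 (1.1.1.1/46064)
"""

# 305011: real source address -> mapped (PAT) address. No destination in this message.
XLATE_RE = re.compile(
    r"%ASA-6-305011: Built dynamic \w+ translation "
    r"from [^:\s]+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to [^:\s]+:(?P<map_ip>[\d.]+)/(?P<map_port>\d+)")

# 302013 (outbound): "for" side is the destination, "to" side is the client,
# and the parentheses after the client hold its translated address.
CONN_RE = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection (?P<conn_id>\d+) "
    r"for [^:\s]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([^)]*\) "
    r"to [^:\s]+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<map_ip>[\d.]+)/(?P<map_port>\d+)\)")


def outbound_flows(log_text):
    """Return one record per outbound connection found in log_text."""
    xlates = {}   # (real ip, real port) -> (mapped ip, mapped port)
    flows = []
    for line in log_text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            xlates[(m["src_ip"], m["src_port"])] = (m["map_ip"], m["map_port"])
            continue
        m = CONN_RE.search(line)
        if m:
            mapped = (m["map_ip"], m["map_port"])
            flows.append({
                "conn_id": int(m["conn_id"]),
                "client": f'{m["src_ip"]}:{m["src_port"]}',
                "translated": f'{mapped[0]}:{mapped[1]}',
                "destination": f'{m["dst_ip"]}:{m["dst_port"]}',
                # True when a matching 305011 line was seen earlier in the log.
                "xlate_seen": xlates.get((m["src_ip"], m["src_port"])) == mapped,
            })
    return flows


if __name__ == "__main__":
    for flow in outbound_flows(SAMPLE_LOG):
        print(flow)
```

A log that contains only 305011 lines yields no flows, which matches the symptom described in the question: the translation message alone never names the destination.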

Super Bronze

Cisco ASA PAT Question

Hi,

Can you see the above type of messages logged for your connections on the ASA?

They should be showing if your logging is otherwise in default settings and the logging level is set to Informational at least.

- Jouni
