Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to identify NATted private host

My IPS tells me a private-address (10.1.x.x) host in my network is the source of a virus detected at the IPS outside my ASA 5510 firewall. But all the IPS sees is the ASA's public address as source of the packet, and the destination IP. If I try to log all Informational events to Syslog the ASA warns me it may run out of memory and hang. So I'm trying to identify a particular event or events I can log and look back at after being notified by the PIS, that will hold clues to which private host is resonsible. There are several Build and Teardown connection events. IPS support tells me the IPS drops the packets. Will those dropped packets generate any particular event that I can log? Any other suggestions about how to identify the culprit?

Cisco Employee

Re: How to identify NATted private host

collect the output of this command to a text file and go through it and see if you find any 10.1.x.x has established way too many tcp or udp connections through this firewall.

sh local | i host|count/limit

New Member

Re: How to identify NATted private host

thanks. That does show me a suspect. I see I can then detail the connections for that IP, and might verify the culprit. But I'm also looking for a way to look back, in case the connections are gone by the time I'm notified. I'm trying sending all TCP Connections Built to my syslog server - Event 302013. I'll watch that it doesn't use too much disk - so far about a MB in 30 minutes; or drag down the ASA, but it's just shipping more records to the syslog server.

CreatePlease login to create content