How to identify NATted private host

mcmurphytoo
Level 1

My IPS tells me a private-address (10.1.x.x) host in my network is the source of a virus detected at the IPS outside my ASA 5510 firewall. But all the IPS sees is the ASA's public address as source of the packet, and the destination IP. If I try to log all Informational events to Syslog the ASA warns me it may run out of memory and hang. So I'm trying to identify a particular event or events I can log and look back at after being notified by the IPS, that will hold clues to which private host is responsible. There are several Build and Teardown connection events. IPS support tells me the IPS drops the packets. Will those dropped packets generate any particular event that I can log? Any other suggestions about how to identify the culprit?

2 Replies

Kureli Sankar
Cisco Employee

Collect the output of this command to a text file and go through it and see if you find any 10.1.x.x host that has established way too many TCP or UDP connections through this firewall.

sh local | i host|count/limit
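Going through that output by hand is tedious on a busy firewall, so here is an added example (not part of this thread) that parses the filtered `show local-host` text and ranks the inside hosts by their TCP/UDP flow counts. The sample output is constructed in the ASA 8.x format, and the thresholds are assumptions you would tune to your own network; a real worm or scanner typically shows up as a host with hundreds of flows or a large outbound embryonic (half-open) count.

```python
import re

# Constructed sample of `show local-host | include host|count/limit` output
# (not captured from a real ASA). The filter keeps the "local host:" line,
# the per-protocol flow counters and the embryonic counters for each host.
SAMPLE_OUTPUT = """\
local host: <10.1.1.20>,
    TCP flow count/limit = 12/unlimited
    TCP embryonic count to host = 0
    TCP embryonic count to (from) host = 0
    UDP flow count/limit = 3/unlimited
local host: <10.1.2.77>,
    TCP flow count/limit = 843/unlimited
    TCP embryonic count to host = 0
    TCP embryonic count to (from) host = 210
    UDP flow count/limit = 5/unlimited
local host: <10.1.3.5>,
    TCP flow count/limit = 4/unlimited
    TCP embryonic count to host = 0
    TCP embryonic count to (from) host = 0
    UDP flow count/limit = 1500/unlimited
"""

HOST_RE = re.compile(r"local host: <([\d.]+)>")
FLOW_RE = re.compile(r"(TCP|UDP) flow count/limit = (\d+)/(\d+|unlimited)")
# Half-open TCP connections initiated *from* the host: a classic scanner/worm signal.
EMBRYONIC_RE = re.compile(r"TCP embryonic count to \(from\) host = (\d+)")


def parse_local_host(text):
    """Return {host: {"tcp": n, "udp": n, "embryonic": n}} from the filtered output."""
    stats = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            current = m.group(1)
            stats[current] = {"tcp": 0, "udp": 0, "embryonic": 0}
            continue
        if current is None:
            continue  # counters before any "local host:" line are ignored
        m = FLOW_RE.search(line)
        if m:
            stats[current][m.group(1).lower()] = int(m.group(2))
            continue
        m = EMBRYONIC_RE.search(line)
        if m:
            stats[current]["embryonic"] = int(m.group(1))
    return stats


def suspicious_hosts(stats, tcp_limit=200, udp_limit=200, embryonic_limit=50):
    """Hosts whose counters exceed the (assumed, site-specific) thresholds,
    as (host, total_flows, reasons) tuples, busiest host first."""
    flagged = []
    for host, c in stats.items():
        reasons = []
        if c["tcp"] > tcp_limit:
            reasons.append(f"tcp={c['tcp']}")
        if c["udp"] > udp_limit:
            reasons.append(f"udp={c['udp']}")
        if c["embryonic"] > embryonic_limit:
            reasons.append(f"embryonic={c['embryonic']}")
        if reasons:
            flagged.append((host, c["tcp"] + c["udp"], reasons))
    flagged.sort(key=lambda t: t[1], reverse=True)
    return flagged


if __name__ == "__main__":
    for host, total, reasons in suspicious_hosts(parse_local_host(SAMPLE_OUTPUT)):
        print(f"{host:15} flows={total:<6} {' '.join(reasons)}")
```

Save the real output to a file, read it in place of `SAMPLE_OUTPUT`, and the flagged hosts are the ones worth a `show conn address <host>` (or `show local-host <host> detail`) to see what they are talking to.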

Thanks. That does show me a suspect. I see I can then detail the connections for that IP, and might verify the culprit. But I'm also looking for a way to look back, in case the connections are gone by the time I'm notified. I'm trying to send all TCP Connections Built to my syslog server - Event 302013. I'll watch that it doesn't use too much disk - so far about a MB in 30 minutes; or drag down the ASA, but it's just shipping more records to the syslog server.
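Once 302013 is on the syslog server, the look-back the poster wants is a join between what the IPS saw (the ASA's public address and port plus the destination) and the mapped/real address pairs in the 302013 message. The following is an added example, not code from this thread or from Cisco: it parses 302013 lines in the documented "for iface:real/port (mapped/port) to iface:real/port (mapped/port)" form and returns the private host behind a given public source. The syslog lines, addresses and timestamps are constructed, not captured from a real device.

```python
import re
from datetime import datetime

# Constructed ASA syslog lines (not from a real firewall). 302013 is "Built ... TCP
# connection", 302014 is the teardown and carries no mapped addresses, so it is skipped.
SAMPLE_SYSLOG = """\
Jun 10 2014 12:00:01 fw01 : %ASA-6-302013: Built outbound TCP connection 48211 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.20/51234 (198.51.100.1/61001)
Jun 10 2014 12:00:03 fw01 : %ASA-6-302013: Built outbound TCP connection 48215 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.2.77/40022 (198.51.100.1/61003)
Jun 10 2014 12:00:04 fw01 : %ASA-6-302013: Built outbound TCP connection 48216 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.2.77/40023 (198.51.100.1/61004)
Jun 10 2014 12:00:05 fw01 : %ASA-6-302014: Teardown TCP connection 48211 for outside:203.0.113.5/80 to inside:10.1.1.20/51234 duration 0:00:04 bytes 1234 TCP FINs
Jun 10 2014 12:00:09 fw01 : %ASA-6-302013: Built inbound TCP connection 48220 for outside:192.0.2.44/53211 (192.0.2.44/53211) to dmz:10.1.9.3/25 (198.51.100.2/25)
"""

# One side of the connection is "iface:real/port (mapped/port)"; the optional
# "(user)" group covers identity-firewall builds that insert a username.
SIDE = r"(?P<if{n}>[\w-]+):(?P<real{n}>[\d.]+)/(?P<rport{n}>\d+) \((?P<map{n}>[\d.]+)/(?P<mport{n}>\d+)\)"
BUILT_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d).*?%ASA-\d-302013: "
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + SIDE.format(n=1) + r"(?: \([^)]*\))? to " + SIDE.format(n=2)
)


def parse_built(line):
    """Parse one 302013 line into a dict, or return None for any other message."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    sides = []
    for n in ("1", "2"):
        sides.append((m.group("if" + n), m.group("real" + n), int(m.group("rport" + n)),
                      m.group("map" + n), int(m.group("mport" + n))))
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "direction": m.group("dir"),
        "conn_id": m.group("id"),
        "sides": sides,
    }


def find_private_host(lines, public_ip, public_port, peer_ip, peer_port,
                      since=None, until=None):
    """Match the IPS view (public_ip:public_port talking to peer_ip:peer_port) against
    the NAT records: the side whose *mapped* address is the public one gives the real
    private host, the other side's *real* address must be the peer the IPS reported."""
    hits = []
    for line in lines:
        rec = parse_built(line)
        if rec is None:
            continue
        if since is not None and rec["ts"] < since:
            continue
        if until is not None and rec["ts"] > until:
            continue
        for nat_side, peer_side in (rec["sides"], rec["sides"][::-1]):
            iface, real, rport, mapped, mport = nat_side
            _, preal, pport, _, _ = peer_side
            if (mapped, mport) == (public_ip, public_port) and (preal, pport) == (peer_ip, peer_port):
                hits.append({"ts": rec["ts"], "conn_id": rec["conn_id"],
                             "interface": iface, "private_host": real, "private_port": rport})
    return hits


if __name__ == "__main__":
    # What the IPS reported: ASA public address 198.51.100.1:61003 -> 203.0.113.9:443
    for h in find_private_host(SAMPLE_SYSLOG.splitlines(), "198.51.100.1", 61003, "203.0.113.9", 443):
        print(h["ts"], "conn", h["conn_id"], "->", h["interface"], h["private_host"], h["private_port"])
```

The IPS alert has to carry the source port as well as the address: under PAT the public address is shared by every inside host, and only the mapped port (plus the destination and a time window) pins the build record to one private host.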
