Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PAT question

Our pix firewall is setup to use PAT for translating our internal users to a routable ip. We have the firewall using a syslog server. My question is if there is any way to track down who utilized a particular connection when going out through the firewall. Obviously, they all show up as the PAT address, but we need to drill down and see a particular connection going through it. Can this be done? I have not looked at the syslog yet, as our firewall is heavy hit and logs a huge amount in a short time and I don't want to chase something thats not there if I don't have to. Thanks

Cisco Employee

Re: PAT question

The syslog messages showing the building of UDP/TCP connections will show both the original source IP address and the PAT'd address, so this will tell you the info you want.

From the Logging messages reference (



Error Message %PIX-6-302013: Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

Explanation A TCP connection slot between two hosts was created.


connection number is a unique identifier.

interface, real_address, real_port identify the actual sockets.

mapped_address, mapped_port identify the mapped sockets.

user is the AAA name of the user.

If inbound is specified, then the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection was initiated from the inside