Firewall – How to find which natted private IP address is communicating on Cisco ASA 5508

Tags: cisco-asa, firewall, Security

Normally we are facing abnormal traffic targeting specific servers. My question is: how can I know which private IP address is targeted, since we are using Dynamic NAT on a Cisco ASA 5508 Firewall?

Regards

Best Answer

I'm not entirely sure if I understand your question, but I believe you want to take a look at the show xlate command.

For example:

myfirewall1/act/pri# show xlate
732 in use, 3000 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:172.16.8.0/24, 172.16.5.0/24, 172.17.60.0/24,
  172.17.10.0/24, 172.17.50.0/24, 172.16.4.0/24,
  172.16.6.0/24, 172.16.7.0/24, 172.17.40.0/24,
  172.17.30.0/24 to outside:172.16.8.0/24, 172.16.5.0/24,
  172.17.60.0/24, 172.17.10.0/24, 172.17.50.0/24,
  172.16.4.0/24, 172.16.6.0/24, 172.16.7.0/24,
  172.17.40.0/24, 172.17.30.0/24
  flags sIT idle 0:00:00 timeout 0:00:00

[output cut...]

TCP PAT from inside:172.16.8.54/53008 to outside:177.36.241.90/53008 flags ri idle 0:32:23 timeout 0:00:30
TCP PAT from inside:172.16.4.52/20592 to outside:177.36.241.90/20592 flags ri idle 0:14:26 timeout 0:00:30
TCP PAT from inside:172.16.6.61/49776 to outside:177.36.241.90/49776 flags ri idle 0:00:16 timeout 0:00:30
TCP PAT from inside:172.16.6.61/63274 to outside:177.36.241.90/63274 flags ri idle 0:53:37 timeout 0:00:30
...
...

You can pipe the output to include to filter on the IP addresses in question:

myfirewall1/act/pri# show xlate | include 172.16.5.56
TCP PAT from inside:172.16.5.56/59970 to outside:177.36.241.72/59970 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from inside:172.16.5.56/59958 to outside:177.36.241.72/59958 flags ri idle 0:00:29 timeout 0:00:30
TCP PAT from inside:172.16.5.56/59914 to outside:177.36.241.72/59914 flags ri idle 0:00:54 timeout 0:00:30

Or you can narrow the scope with the global, gport, interface, local, lport options.

ncapfw1/act/pri# show xlate ?

  count      Show translation count
  global     Enter this keyword to specify global ip range
  gport      Enter this keyword to specify global port(s)
  interface  Enter this keyword to specify an interface
  local      Enter this keyword to specify local ip range
  lport      Enter this keyword to specify local port(s)
  type       Enter this keyword to specify xlate type
  |          Output modifiers
  <cr>
myfirewall1/act/pri#
myfirewall1/act/pri# show xlate global 177.36.241.72
863 in use, 3000 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from inside:172.16.5.61/38464 to outside:177.36.241.72/38464 flags ri idle 0:29:30 timeout 0:00:30
TCP PAT from inside:172.16.5.61/36269 to outside:177.36.241.72/36269 flags ri idle 0:29:30 timeout 0:00:30
TCP PAT from inside:172.16.5.61/57396 to outside:177.36.241.72/57396 flags ri idle 0:29:33 timeout 0:00:30
TCP PAT from inside:172.16.5.61/42706 to outside:177.36.241.72/42706 flags ri idle 0:55:22 timeout 0:00:30
...
...

Hope this helps!
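As an added example that is not part of the original answer: a small Python parser for the show xlate lines shown above. It maps an outside address (and optionally port) back to the inside host, and counts translations per inside host so a sudden leader stands out. The sample text is copied from the answer's output; the function names are my own.

```python
import re
from collections import Counter

# Matches one dynamic PAT/NAT entry of "show xlate", e.g.
# "TCP PAT from inside:172.16.5.56/59970 to outside:177.36.241.72/59970 flags ri idle 0:00:05 timeout 0:00:30"
# Header lines, "..." and the static "NAT from inside:... to outside:..." block do not match and are skipped.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<kind>PAT|NAT)\s+from\s+"
    r"(?P<lif>\S+?):(?P<lip>[\d.]+)(?:/(?P<lport>\d+))?\s+to\s+"
    r"(?P<gif>\S+?):(?P<gip>[\d.]+)(?:/(?P<gport>\d+))?"
    r"\s+flags\s+(?P<flags>\S+)\s+idle\s+(?P<idle>[\d:]+)"
)

# Sample lines copied from the answer's show xlate output above.
SAMPLE = """863 in use, 3000 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:172.16.8.54/53008 to outside:177.36.241.90/53008 flags ri idle 0:32:23 timeout 0:00:30
TCP PAT from inside:172.16.4.52/20592 to outside:177.36.241.90/20592 flags ri idle 0:14:26 timeout 0:00:30
TCP PAT from inside:172.16.6.61/49776 to outside:177.36.241.90/49776 flags ri idle 0:00:16 timeout 0:00:30
TCP PAT from inside:172.16.6.61/63274 to outside:177.36.241.90/63274 flags ri idle 0:53:37 timeout 0:00:30
TCP PAT from inside:172.16.5.56/59970 to outside:177.36.241.72/59970 flags ri idle 0:00:05 timeout 0:00:30
TCP PAT from inside:172.16.5.61/38464 to outside:177.36.241.72/38464 flags ri idle 0:29:30 timeout 0:00:30
TCP PAT from inside:172.16.5.61/36269 to outside:177.36.241.72/36269 flags ri idle 0:29:30 timeout 0:00:30
...
"""

def parse_xlate(text):
    """Return one dict per translation line; lines that are not translations are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"]) if d["lport"] else None
            d["gport"] = int(d["gport"]) if d["gport"] else None
            entries.append(d)
    return entries

def find_local(entries, global_ip, global_port=None):
    """Map an outside address (optionally with port) back to the inside (ip, port) pairs using it."""
    return sorted({(e["lip"], e["lport"]) for e in entries
                   if e["gip"] == global_ip and (global_port is None or e["gport"] == global_port)})

def busiest_local(entries, n=3):
    """Inside hosts holding the most translations; useful when the outside traffic looks abnormal."""
    return Counter(e["lip"] for e in entries).most_common(n)

if __name__ == "__main__":
    xl = parse_xlate(SAMPLE)
    print(find_local(xl, "177.36.241.90", 53008))   # → [('172.16.8.54', 53008)]
    print(busiest_local(xl))
```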