https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149374#M358081 <P>Hi everyone.</P><P></P><P>Here are logs from the ASA when i open up google.com</P><P></P><P></P><P><BR /><SPAN>192.168.10.3 Apr 15 2013 20:28:55: %ASA-5-304001: 192.168.20.17 Accessed URL 74.125.28.94:</SPAN><A class="jive-link-external-small" href="http://www.google.ca/" target="_blank">http://www.google.ca/</A></P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-302013: Built outbound TCP connection 927882 for outside:74.125.28.94/80 (74.125.28.94/80) to Net:192.168.20.17/59525 (217.x.x.x/7436)</P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-305011: Built dynamic TCP translation from Net:192.168.20.17/59525 to outside:217.x.x.x/7436<BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-106100: access-list Net_001 permitted tcp Net/192.168.20.17(59525) -&gt; outside/74.125.28.94(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]</P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-302013: Built outbound TCP connection 927881 for outside:74.125.28.94/80 (74.125.28.94/80) to Net:192.168.20.17/59524 (217.x.x.x/7465)</P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-305011: Built dynamic TCP translation from Net:192.168.20.17/59524 to outside:217.x.x.x/7465<BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-106100: access-list Net_001 permitted tcp Net/192.168.20.17(59524) -&gt; outside/74.125.28.94(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]</P><P></P><P>Where 192.168.20.17 is my PC&nbsp; IP.</P><P>Net is interface on the ASA </P><P>IP 192.168.10.3 also belongs to ASA&nbsp; interface </P><P></P><P>Need to know whats IP 192.168.10.3 doing here in the ASA logs?</P><P>Also is the interface Net&nbsp; is ASA&nbsp; inside interface as it has name of Net and connection goes to outside?</P><P>which type of NAT is going on ASA?</P><P>Hope make sense </P><P></P><P>thanks</P><P></P><P>mahesh</P> Tue, 12 Mar 2019 01:29:30 GMT mahesh18 2019-03-12T01:29:30Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149374#M358081 <P>Hi everyone.</P><P></P><P>Here are logs from the ASA when i open up google.com</P><P></P><P></P><P><BR /><SPAN>192.168.10.3 Apr 15 2013 20:28:55: %ASA-5-304001: 192.168.20.17 Accessed URL 74.125.28.94:</SPAN><A class="jive-link-external-small" href="http://www.google.ca/" target="_blank">http://www.google.ca/</A></P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-302013: Built outbound TCP connection 927882 for outside:74.125.28.94/80 (74.125.28.94/80) to Net:192.168.20.17/59525 (217.x.x.x/7436)</P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-305011: Built dynamic TCP translation from Net:192.168.20.17/59525 to outside:217.x.x.x/7436<BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-106100: access-list Net_001 permitted tcp Net/192.168.20.17(59525) -&gt; outside/74.125.28.94(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]</P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-302013: Built outbound TCP connection 927881 for outside:74.125.28.94/80 (74.125.28.94/80) to Net:192.168.20.17/59524 (217.x.x.x/7465)</P><P><BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-305011: Built dynamic TCP translation from Net:192.168.20.17/59524 to outside:217.x.x.x/7465<BR />192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-106100: access-list Net_001 permitted tcp Net/192.168.20.17(59524) -&gt; outside/74.125.28.94(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]</P><P></P><P>Where 192.168.20.17 is my PC&nbsp; IP.</P><P>Net is interface on the ASA </P><P>IP 192.168.10.3 also belongs to ASA&nbsp; interface </P><P></P><P>Need to know whats IP 192.168.10.3 doing here in the ASA logs?</P><P>Also is the interface Net&nbsp; is ASA&nbsp; inside interface as it has name of Net and connection goes to outside?</P><P>which type of NAT is going on ASA?</P><P>Hope make sense </P><P></P><P>thanks</P><P></P><P>mahesh</P> Tue, 12 Mar 2019 01:29:30 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149374#M358081 mahesh18 2019-03-12T01:29:30Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149375#M358082 <HTML><HEAD></HEAD><BODY><P>Hi again,</P><P></P><P>the message "Built outbound" means that the connections is been built from LAN to WAN</P><P></P><P>If someone was conneting to some Static NAT IP address of server on your ASA then you would be seeing "Built inbound"</P><P></P><P>The interface IP address 192.168.10.3 in the logs is the IP address of the ASA interface that sends this log to the Syslog server. It doesnt have anything to do with the connection your host is taking to Google.</P><P></P><P>The message "Built Dynamic TCP translation" says that a Dynamic translation is being done through the ASA. Since the port of the NAT IP address doesnt match the real source port I would imagine were talking about Dynamic PAT. So the hosts connections are probably translated to the ASA "outside" interface IP address</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 16 Apr 2013 17:45:36 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149375#M358082 Jouni Forss 2013-04-16T17:45:36Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149376#M358083 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>When i check config of interface with IP 192.168.10.3</P><P></P><P>it has ip address then it has standby 192.168.10.4</P><P>does it refer to standby ASA instead of syslog server?</P><P>Also it has ospf cost configured.</P><P></P><P></P><P>Also interface Net does it refer to ASA&nbsp; inside interface?</P><P></P><P>Thanks</P><P></P><P>MAhesh</P></BODY></HTML> Tue, 16 Apr 2013 18:07:50 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149376#M358083 mahesh18 2013-04-16T18:07:50Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149377#M358084 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you for example have this kind of interface configuration</P><P></P><P><STRONG>interface Ethernet0/1</STRONG></P><P><STRONG> description LAN</STRONG></P><P><STRONG> nameif LAN</STRONG></P><P><STRONG> security-level 100</STRONG></P><P><STRONG> ip add 192.168.10.3 255.255.255.0 standby 192.168.10.4</STRONG></P><P></P><P>Then you are probably talking about an ASA failover pair. Two identical ASA firewalls of which only one is Active at a time.</P><P></P><P>The ASA will ALWAYS use the first IP address of 192.168.10.3.</P><P></P><P>The IP address of 192.168.10.4 is only used to monitor the state of the Failover OR management purposes (and perhaps something else)</P><P></P><P>The interface named "Net" would in your case seem to refer to an interface that is a LAN interface. Meaning your LAN or part of your LAN is behind it. So I guess you could say its a "inside" interface in that sense though its not named like that.</P><P></P><P></P><P>The reason why you saw the IP address 192.168.10.3 in the Log Messages is that the ASA is using the interface IP address 192.168.10.3 as the source IP address from which it sends the Syslogs to the Syslog server.</P><P></P><P>If you want to change this so that you will actually see the firewall hostname in the Syslog messages you can configure the following command</P><P></P><P><STRONG>logging device-id hostname</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 16 Apr 2013 18:18:47 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149377#M358084 Jouni Forss 2013-04-16T18:18:47Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149378#M358085 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>If you keep answering my questions like this then my journey to ASA&nbsp; world will be smooth one.</P><P>For you it must be time to sleep now?</P><P></P><P>Best regards</P><P>Mahesh</P></BODY></HTML> Tue, 16 Apr 2013 20:09:22 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149378#M358085 mahesh18 2013-04-16T20:09:22Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149379#M358086 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Glad to be of help <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>I dont spend that many hours sleeping although I probably should <SPAN __jive_emoticon_name="silly" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/silly.gif"></SPAN> I rarely go to sleep before midnight.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 16 Apr 2013 20:14:23 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149379#M358086 Jouni Forss 2013-04-16T20:14:23Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149380#M358087 <HTML><HEAD></HEAD><BODY><P> Hi Jouni,</P><P></P><P>I am surprised still you have lot of energy to answer so many questions in this forum.</P><P>To me looks you really love the ASA&nbsp; world.</P><P></P><P>Mahesh</P></BODY></HTML> Tue, 16 Apr 2013 20:24:29 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149380#M358087 mahesh18 2013-04-16T20:24:29Z https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149381#M358088 <HTML><HEAD></HEAD><BODY><P>In my work I basically mostly configure ASAs some some aspects of the ASA configurations have become quite familiar.</P><P></P><P>Sometimes I test different setups people are asking about here in my home lab also. Maybe learn something new myself in the process.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 16 Apr 2013 20:30:45 GMT https://community.cisco.com/t5/network-security/firewall-logs/m-p/2149381#M358088 Jouni Forss 2013-04-16T20:30:45Z