https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566020#M604922 <HTML><HEAD></HEAD><BODY><P>On the ASDM log viewer I define this filter that show only a range of syslog ID</P><P>FILTER:sysID=302000-305000 without including the transaction logs.</P><P><BR />Thank you to everybody.</P><P></P><P>Stefania</P></BODY></HTML> Tue, 14 Dec 2010 15:49:19 GMT stefania.clerici 2010-12-14T15:49:19Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566014#M604904 <P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Tabella normale"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} </style> <![endif]--><SPAN style="font-size: 12pt; font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;;">We have a Cisco ASA 5510 and is running fine.<BR /> On the ASDM interface the log show the correct source ip address but as destination address we get always the ASA outside IP address instead of the real destination ip address.<BR /> We try to find a settings on the ASDM but we couldn't.<BR /> Any idea?</SPAN></P> Mon, 11 Mar 2019 19:21:54 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566014#M604904 stefania.clerici 2019-03-11T19:21:54Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566015#M604908 <HTML><HEAD></HEAD><BODY><P>Please kindly check which syslog number you are referring too.</P><P>By the sounds of it, it seems that you are looking at NAT translation logs, that is why you are getting the ASA outside interface instead of the destination ip address because it is logging the translation.</P></BODY></HTML> Tue, 14 Dec 2010 12:32:02 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566015#M604908 Jennifer Halim 2010-12-14T12:32:02Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566016#M604915 <HTML><HEAD></HEAD><BODY><P>syslog id numbers are 305011 and 305012.</P><P>How can I set the ASA to get the traffic log and not the transactions log on my ASDM?</P></BODY></HTML> Tue, 14 Dec 2010 12:59:58 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566016#M604915 stefania.clerici 2010-12-14T12:59:58Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566017#M604916 <HTML><HEAD></HEAD><BODY><P>Hello Stefania</P><P></P><P>Those logs that you are getting are the ones for the translation</P><P></P><P><SPAN class="content"><PRE><SPAN class="pEM_ErrMsg">ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from <BR /><EM class="cEmphasis">interface_name</EM>:<EM class="cEmphasis">real_address</EM><EM class="cCi_CmdItalic" style="font-style: italic;">/</EM><SPAN style="color: black; font-style: oblique; font-weight: normal;">real_port</SPAN> to <BR /><EM class="cEmphasis">interface_name</EM>:<EM class="cEmphasis">mapped_address</EM><EM class="cCi_CmdItalic" style="font-style: italic;">/</EM><SPAN style="color: black; font-style: oblique; font-weight: normal;">mapped_port<BR /></SPAN></SPAN></PRE></SPAN></P><P></P><P>So basically this happens everytime that a computer tries to do a connection to a webpage, skype or any other service on any other interface of the firewall. Since this is just the translation log, you will see that the NAT has been done for the real host to the mapped IP address.</P><P></P><P>The one that you would need to check (in case you want to see the real address of the host doing a connection to the outside world) is the one with the built tcp connection </P><P></P><P><SPAN class="content"><PRE><SPAN class="pEM_ErrMsg">%ASA-6-302013: Built {inbound|outbound} TCP <EM class="cEmphasis">connection_id</EM> for <EM class="cEmphasis">interface</EM>:<EM class="cEmphasis">real-address</EM>/<EM class="cEmphasis">real-port</EM> <BR />(<EM class="cEmphasis">mapped-address/mapped-port</EM>) to <BR /><EM class="cEmphasis">interface</EM>:<EM class="cEmphasis">real-address</EM>/<EM class="cEmphasis">real-port</EM> (<EM class="cEmphasis">mapped-address/mapped-port</EM>) [(<EM class="cEmphasis">user</EM>)]<BR /><BR /><SPAN style="font-family: arial,helvetica,sans-serif;">This one will give you the information of the host that is doing a connection and where is he heading to. <BR /><BR />The other one just tells you which NAT did he use in order to go there. <BR /><BR />Cheers <BR /><BR />Mike </SPAN><BR /></SPAN></PRE></SPAN></P></BODY></HTML> Tue, 14 Dec 2010 13:18:45 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566017#M604916 Maykol Rojas 2010-12-14T13:18:45Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566018#M604918 <HTML><HEAD></HEAD><BODY><P>Hello Mike,</P><P>is it possible to filter the logs in order to get only the traffic logs (TCP and UDP) without the transaction logs?</P><P>Cheers</P><P>Stefania</P></BODY></HTML> Tue, 14 Dec 2010 14:05:07 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566018#M604918 stefania.clerici 2010-12-14T14:05:07Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566019#M604920 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>On the ASDM I am uncertain <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/sad.gif"></SPAN> for not saying no.... BUT <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/grin.gif"></SPAN>&nbsp; If you have a syslog server (which you can get one free online), you can create a logging list and put the log ID that you want in order to receive the logs that you want and exlude the ones with the translation on it.</P><P></P><P>If you need more info let me know.</P><P></P><P>Mike</P></BODY></HTML> Tue, 14 Dec 2010 15:07:33 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566019#M604920 Maykol Rojas 2010-12-14T15:07:33Z https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566020#M604922 <HTML><HEAD></HEAD><BODY><P>On the ASDM log viewer I define this filter that show only a range of syslog ID</P><P>FILTER:sysID=302000-305000 without including the transaction logs.</P><P><BR />Thank you to everybody.</P><P></P><P>Stefania</P></BODY></HTML> Tue, 14 Dec 2010 15:49:19 GMT https://community.cisco.com/t5/network-security/cisco-asa-wrong-logging-information-s/m-p/1566020#M604922 stefania.clerici 2010-12-14T15:49:19Z