topic Re: NAT monitoring / syslog in Network Security

NAT monitoring / syslog

keller.oliver — Mon, 11 Mar 2019 17:03:48 GMT

Hi all,

I try to analyze a complex PIX config and would like to analyze the NAT usage. There are ALL variations of NATing in it, therefore I get static, dynamic, nat exemption etc.

I can see how I could trace down dynamic NAT (by counting "built dynamic TCP translation" in the syslog data) and ACL-based NAT (via acl counters).

Any idea how to trace static NAT usage und exemption / nat 0 usage ? As a last ressort, permit ACLs would be an idea (and then have counters on them), but I´d like a more comfortable way.

Any hints on tools are welcome as well, currently I test FireGen which looks quite nice and is affordable.

Later,

Oliver

Re: NAT monitoring / syslog

Panos Kampanakis — Mon, 01 Feb 2010 22:25:05 GMT

I am not sure what the exact question is.

If you want to see what xlates are being used you can get the output of command "sh xlate detail".

Also, if the PIX is running later versions (not 6.3) you can run a packet tracer for a packet to see how it is going to be translated (packet-tracer command.

I hope it helps.

Re: NAT monitoring / syslog

keller.oliver — Wed, 03 Feb 2010 14:11:15 GMT

Hi PK,

this question is about how to analyse which NAT statements are used and how often. (or unused). The config is quite complex and I suspect there are some NAT ways that were not intended and others that are not needed any more.

Therefore, I´d like to have a report on NAT usage, like it is available on ACL usage (counters or via some tools like Firemon).

For dynamic NAT, I get syslog data that can be filtered for the corresponding expressions, so if I count them, this gives me a (complicated) way to get the info I want. For static, I can see that NAT rules are established, but I can´t see if there is data flowing across these NATs, i.e. if they are used at all.

Since there are hundreds of static entries, permit ACLs with counters are possible, but not really something I´d like to do .

Is there any tool liek Firegen or other log analysis tool that gathers statistic data about NAT usage ?

Later,

Oliver

Re: NAT monitoring / syslog

Kureli Sankar — Wed, 03 Feb 2010 14:33:13 GMT

Hmm interesting question.

I believe just like the built dynamic translation syslog you can follow this syslog

Feb 03 2010 09:04:01: %ASA-6-302013: Built inbound TCP connection 165172 for outside:10.117.14.69/51132 (10.117.14.69/51132) to inside:192.168.2.2/5900 (172.18.254.34/5900)

305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80

This one is for static.

Grep for syslog 302013 and 305011and see how of this your firewall logs in a day.

-KS

Re: NAT monitoring / syslog

keller.oliver — Thu, 04 Feb 2010 08:48:28 GMT

I guess it´s time to reanimate my perl knowledge .

Right now I´m evaluating FireGen and Sawmill, since we´re on a budget we can´t spend a lot of money. Any other useful tools for syslogging PIXes and getting information out of the logdata ?

Re: NAT monitoring / syslog

Panos Kampanakis — Thu, 04 Feb 2010 14:08:11 GMT

There is Cisco MARS that can do a lot with syslogs generate reports etc. But it is not free

I think you won't avoid writing perl again...