
Cisco ASA PAT Question


Hi all

When adding a PAT rule on my ASA to PAT to the outside IP of my firewall for internet traffic, I'm just monitoring the logs whilst users go on the internet. It appears that I don't see the actual destination they are trying to get to but the IP of the interface I am translating to. Is this right? I would expect to see the real IP of the websites they are going to.




Jouni Forss
VIP Alumni


If the ASA "logging" configuration hasn't been used to disable or change the level of some Syslog messages, and provided that your ASA is set to log at the correct level, then you should be seeing both the messages that indicate a building and teardown of a connection through the ASA. You would also be seeing the building and teardown messages of the translations for those connections.

So you could start by checking your "logging" configuration with the command

show run logging

This should tell us if the logging levels are appropriate and that the log message IDs that you are looking for haven't been disabled or their level hasn't been changed.

- Jouni


I am seeing the logs fine, but the destination I'm seeing is the outside of my interface and not the real web site IP they are going to.

Any ideas?


Well, usually if you see a log message that states your public IP address as the destination then you are looking at a log message about the translation, not about the actual connection.

As an example, one connection/translation building from my own ASA (with changed IP addresses, of course):

%ASA-6-305011: Built dynamic TCP translation from any: to WAN:

%ASA-6-302013: Built outbound TCP connection 4585 for WAN: ( to LAN: (


  • = My "WAN" interface public IP address
  • = Destination IP address for my HTTPS connection

- Jouni


Can you see the above type of messages logged for your connections on the ASA?

They should be showing if your logging is otherwise in default settings and the logging level is set to Informational at least.

- Jouni
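
Added example (not part of the thread and not Cisco code): a small Python parser that separates the two message types discussed above, showing that 305011 carries only the real and mapped source while 302013 carries the remote destination. It assumes the standard layout of those two messages for outbound IPv4 TCP; the interface names follow the thread and all addresses are constructed placeholders.

```python
import re

# Constructed sample lines in the ASA syslog layout for messages 305011 and
# 302013; every address is a documentation-range placeholder.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from LAN:192.0.2.10/51234 to WAN:203.0.113.5/51234
%ASA-6-302013: Built outbound TCP connection 4585 for WAN:198.51.100.20/443 (198.51.100.20/443) to LAN:192.0.2.10/51234 (203.0.113.5/51234)
%ASA-6-305011: Built dynamic TCP translation from LAN:192.0.2.11/40000 to WAN:203.0.113.5/40000
"""

ADDR = r"[^\s:]+:([\d.]+/\d+)"  # interface:ip/port (IPv4 only, an assumption)

XLATE = re.compile(
    r"%ASA-6-305011: Built \w+ \w+ translation from " + ADDR + " to " + ADDR)
CONN = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection (\d+) for "
    + ADDR + r" \([^)]*\) to " + ADDR + r" \(([\d.]+/\d+)\)")


def parse_line(line):
    """Classify one syslog line; return None for any other message ID."""
    m = XLATE.search(line)
    if m:
        # Translation message: real source and mapped (PAT) address only,
        # so there is no remote destination to report.
        return {"kind": "translation", "src": m.group(1),
                "mapped_src": m.group(2), "dst": None}
    m = CONN.search(line)
    if m:
        # Connection message: for outbound flows the "for" side is the
        # remote host, the "to" side is the inside client and its mapping.
        return {"kind": "connection", "conn_id": int(m.group(1)),
                "dst": m.group(2), "src": m.group(3),
                "mapped_src": m.group(4)}
    return None


def destinations_by_source(log_text):
    """Map each inside source to the remote destinations it connected to."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "connection":
            seen.setdefault(rec["src"], []).append(rec["dst"])
    return seen


if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(parse_line(entry))
    print(destinations_by_source(SAMPLE_LOG))
```

Filtering a log view on message ID 302013 rather than 305011 is what surfaces the real web site addresses.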
