
Cisco ASA wrong logging information

We have a Cisco ASA 5510 and it is running fine.
On the ASDM interface the log shows the correct source IP address, but as the destination address we always get the ASA outside IP address instead of the real destination IP address.
We tried to find a setting in ASDM but we couldn't.
Any idea?


Jennifer Halim
Cisco Employee

Please kindly check which syslog number you are referring to.

By the sounds of it, it seems that you are looking at NAT translation logs; that is why you are getting the ASA outside interface instead of the destination IP address, because it is logging the translation.

The syslog ID numbers are 305011 and 305012.

How can I set the ASA to get the traffic log and not the transactions log on my ASDM?

Hello Stefania

Those logs that you are getting are the ones for the translation:

%ASA-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name:real_address/real_port to interface_name:mapped_address/mapped_port

So basically this happens every time a computer tries to make a connection to a webpage, Skype or any other service on any other interface of the firewall. Since this is just the translation log, you will see that the NAT has been done for the real host to the mapped IP address.

The one that you would need to check (in case you want to see the real address of the host making a connection to the outside world) is the one for the built TCP connection:

%ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface:real-address/real-port (mapped-address/mapped-port) to interface:real-address/real-port (mapped-address/mapped-port) [(user)]

This one will give you the information about the host that is making a connection and where it is heading.

The other one just tells you which NAT it used in order to go there.

Cheers

Mike


Hello Mike,

Is it possible to filter the logs in order to get only the traffic logs (TCP and UDP) without the transaction logs?

Cheers

Stefania

Hello,

On the ASDM I am uncertain, not to say no... But if you have a syslog server (you can get one free online), you can create a logging list and put in the log IDs that you want, in order to receive the logs that you want and exclude the ones with the translation in them.

If you need more info let me know.

Mike


In the ASDM log viewer I defined this filter, which shows only a range of syslog IDs:

FILTER:sysID=302000-305000 without including the transaction logs.


Thank you to everybody.

Stefania
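
The same separation can be done on the syslog server side. The sketch below is an added example, not code from the thread or from Cisco: it parses the two message formats quoted above (305011 translation, 302013 TCP connection), keeps the connection records with both endpoints' real and mapped addresses, and drops the translation records. The names `classify`, `traffic_only` and `SAMPLE` are hypothetical, and the sample lines are constructed from documentation address ranges.

```python
import re

# Endpoint layout from the 302013 format quoted in the thread:
#   interface:real-address/real-port (mapped-address/mapped-port)
EP = (r"(?P<{p}_if>[^:\s]+):(?P<{p}_real>\S+)/(?P<{p}_rport>\d+) "
      r"\((?P<{p}_mapped>\S+)/(?P<{p}_mport>\d+)\)")

CONN = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for " + EP.format(p="for") + " to " + EP.format(p="to"))

XLATE = re.compile(
    r"%ASA-6-305011: Built (?P<kind>dynamic|static) (?P<proto>TCP|UDP|ICMP) "
    r"translation from (?P<real_if>[^:\s]+):(?P<real>\S+)/(?P<real_port>\d+) "
    r"to (?P<mapped_if>[^:\s]+):(?P<mapped>\S+)/(?P<mapped_port>\d+)")

def classify(line):
    """Return ('connection' | 'translation' | 'other', fields) for one line."""
    m = CONN.search(line)
    if m:
        return "connection", m.groupdict()
    m = XLATE.search(line)
    if m:
        return "translation", m.groupdict()
    return "other", {}

def traffic_only(lines):
    """Keep 302013 connection records; drop 305011 translations and the rest."""
    return [f for kind, f in map(classify, lines) if kind == "connection"]

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE = [
    "%ASA-6-305011: Built dynamic TCP translation from "
    "inside:192.0.2.20/51514 to outside:198.51.100.2/51514",
    "%ASA-6-302013: Built outbound TCP connection 4711 for "
    "outside:203.0.113.10/443 (203.0.113.10/443) to "
    "inside:192.0.2.20/51514 (198.51.100.2/51514)",
    "%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/443 "
    "to inside:192.0.2.20/51514 duration 0:00:05 bytes 1234 TCP FINs",
]

if __name__ == "__main__":
    for r in traffic_only(SAMPLE):
        print(r["direction"], r["conn_id"], r["for_real"], r["for_rport"],
              "<->", r["to_real"], r["to_rport"], "mapped", r["to_mapped"])
```
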
