Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
0
Helpful
7
Replies

Firewall Logs

Go to solution
mahesh18
Level 6
Level 6

‎04-16-2013 10:35 AM - edited ‎03-11-2019 06:29 PM

Hi everyone.

Here are logs from the ASA when i open up google.com


192.168.10.3 Apr 15 2013 20:28:55: %ASA-5-304001: 192.168.20.17 Accessed URL 74.125.28.94:http://www.google.ca/


192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-302013: Built outbound TCP connection 927882 for outside:74.125.28.94/80 (74.125.28.94/80) to Net:192.168.20.17/59525 (217.x.x.x/7436)


192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-305011: Built dynamic TCP translation from Net:192.168.20.17/59525 to outside:217.x.x.x/7436
192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-106100: access-list Net_001 permitted tcp Net/192.168.20.17(59525) -> outside/74.125.28.94(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]


192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-302013: Built outbound TCP connection 927881 for outside:74.125.28.94/80 (74.125.28.94/80) to Net:192.168.20.17/59524 (217.x.x.x/7465)


192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-305011: Built dynamic TCP translation from Net:192.168.20.17/59524 to outside:217.x.x.x/7465
192.168.10.3 Apr 15 2013 20:28:54: %ASA-6-106100: access-list Net_001 permitted tcp Net/192.168.20.17(59524) -> outside/74.125.28.94(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]

Where 192.168.20.17 is my PC  IP.

Net is interface on the ASA

IP 192.168.10.3 also belongs to ASA  interface

Need to know whats IP 192.168.10.3 doing here in the ASA logs?

Also is the interface Net  is ASA  inside interface as it has name of Net and connection goes to outside?

which type of NAT is going on ASA?

Hope make sense

thanks

mahesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-16-2013 10:45 AM

Hi again,

the message "Built outbound" means that the connections is been built from LAN to WAN

If someone was conneting to some Static NAT IP address of server on your ASA then you would be seeing "Built inbound"

The interface IP address 192.168.10.3 in the logs is the IP address of the ASA interface that sends this log to the Syslog server. It doesnt have anything to do with the connection your host is taking to Google.

The message "Built Dynamic TCP translation" says that a Dynamic translation is being done through the ASA. Since the port of the NAT IP address doesnt match the real source port I would imagine were talking about Dynamic PAT. So the hosts connections are probably translated to the ASA "outside" interface IP address

Hope this helps

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-16-2013 11:18 AM

Hi,

If you for example have this kind of interface configuration

interface Ethernet0/1

description LAN

nameif LAN

security-level 100

ip add 192.168.10.3 255.255.255.0 standby 192.168.10.4

Then you are probably talking about an ASA failover pair. Two identical ASA firewalls of which only one is Active at a time.

The ASA will ALWAYS use the first IP address of 192.168.10.3.

The IP address of 192.168.10.4 is only used to monitor the state of the Failover OR management purposes (and perhaps something else)

The interface named "Net" would in your case seem to refer to an interface that is a LAN interface. Meaning your LAN or part of your LAN is behind it. So I guess you could say its a "inside" interface in that sense though its not named like that.

The reason why you saw the IP address 192.168.10.3 in the Log Messages is that the ASA is using the interface IP address 192.168.10.3 as the source IP address from which it sends the Syslogs to the Syslog server.

If you want to change this so that you will actually see the firewall hostname in the Syslog messages you can configure the following command

logging device-id hostname

- Jouni

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎04-16-2013 10:45 AM

Hi again,

the message "Built outbound" means that the connections is been built from LAN to WAN

If someone was conneting to some Static NAT IP address of server on your ASA then you would be seeing "Built inbound"

The interface IP address 192.168.10.3 in the logs is the IP address of the ASA interface that sends this log to the Syslog server. It doesnt have anything to do with the connection your host is taking to Google.

The message "Built Dynamic TCP translation" says that a Dynamic translation is being done through the ASA. Since the port of the NAT IP address doesnt match the real source port I would imagine were talking about Dynamic PAT. So the hosts connections are probably translated to the ASA "outside" interface IP address

Hope this helps

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎04-16-2013 11:07 AM

Hi Jouni,

When i check config of interface with IP 192.168.10.3

it has ip address then it has standby 192.168.10.4

does it refer to standby ASA instead of syslog server?

Also it has ospf cost configured.

Also interface Net does it refer to ASA  inside interface?

Thanks

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-16-2013 11:18 AM

Hi,

If you for example have this kind of interface configuration

interface Ethernet0/1

description LAN

nameif LAN

security-level 100

ip add 192.168.10.3 255.255.255.0 standby 192.168.10.4

Then you are probably talking about an ASA failover pair. Two identical ASA firewalls of which only one is Active at a time.

The ASA will ALWAYS use the first IP address of 192.168.10.3.

The IP address of 192.168.10.4 is only used to monitor the state of the Failover OR management purposes (and perhaps something else)

The interface named "Net" would in your case seem to refer to an interface that is a LAN interface. Meaning your LAN or part of your LAN is behind it. So I guess you could say its a "inside" interface in that sense though its not named like that.

The reason why you saw the IP address 192.168.10.3 in the Log Messages is that the ASA is using the interface IP address 192.168.10.3 as the source IP address from which it sends the Syslogs to the Syslog server.

If you want to change this so that you will actually see the firewall hostname in the Syslog messages you can configure the following command

logging device-id hostname

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎04-16-2013 01:09 PM

Hi Jouni,

If you keep answering my questions like this then my journey to ASA  world will be smooth one.

For you it must be time to sleep now?

Best regards

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-16-2013 01:14 PM

Hi,

Glad to be of help

I dont spend that many hours sleeping although I probably should I rarely go to sleep before midnight.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎04-16-2013 01:24 PM

Hi Jouni,

I am surprised still you have lot of energy to answer so many questions in this forum.

To me looks you really love the ASA  world.

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎04-16-2013 01:30 PM

In my work I basically mostly configure ASAs some some aspects of the ASA configurations have become quite familiar.

Sometimes I test different setups people are asking about here in my home lab also. Maybe learn something new myself in the process.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card