02-28-2012 05:44 AM - edited 03-11-2019 03:35 PM
Hi,
We are using Netflow on our ASA and our internet pipe inbound is at it's maximum and in Netflow I can see the external IP of the site and the destination IP is the outside IP of our firewall, how can I see what our ASA is PATing this address to internally, so I can go to the users PC?
Thanks
02-28-2012 10:41 AM
Andy,
The command reference shows some options for the 'show xlate' command on the ASA which may be helpful:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s7.html#wp1308781
If you know the outside PAT port being used in the connection, you might be able to find the translation in question by using 'show xlate gport'.
For example, if the site was replying to 2.2.2.2:1000, you could do a 'show xlate gport 1000' to find the translation entry for this connection.
Is this what you are looking for?
Thanks!
Joey
02-29-2012 03:31 AM
hi,
I must be doing something slightly wrong; if I go onto the ASA and type "sh xlate interface outside" it only shows traffic for the outside of our ASA to VPNs. Where is all the traffic to websites etc.?
For example all I'm seeing is information like below
PAT Global x.x.x.x
Any ideas?
kind regards
02-29-2012 08:18 AM
Andy,
Is 172.19.10.x a regular internal subnet? In your example:
PAT Global x.x.x.x
This is saying that the local host 172.19.10.167 is being translated to the public address x.x.x.x:16095. Can you see destination port numbers using your Netflow setup? If for example you saw the following:
Netflow: Cisco.com > x.x.x.x:16095
Then we know that host 172.19.10.167 was accessing Cisco.com.
If I'm still not understanding your issue correctly, you may want to attach a 'show run' (or at least 'show int', 'show run nat', and 'show run global' if you're using 8.2 or lower).
Thanks
Joey
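An added example, not from this thread or from Cisco: it does the correlation Joey describes by parsing constructed 'show xlate' lines (the 8.2-style "PAT Global ip(port) Local ip(port)" layout is assumed) and looking up the outside ip:port that NetFlow reports as the destination, the same lookup 'show xlate gport' does by hand. All addresses and names are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show xlate' output in the assumed 8.2-style format;
# documentation addresses stand in for the poster's real public IP.
SHOW_XLATE = """\
3 in use, 3 most used
PAT Global 192.0.2.1(16095) Local 172.19.10.167(52144)
PAT Global 192.0.2.1(1000) Local 172.19.10.23(49811)
Global 192.0.2.2 Local 172.19.20.5
"""

# Constructed NetFlow records from the outside interface: (external src, outside dst).
NETFLOW = [
    ("198.51.100.10:443", "192.0.2.1:16095"),
    ("198.51.100.20:80", "192.0.2.1:1000"),
    ("198.51.100.30:443", "192.0.2.1:7777"),  # no xlate entry: translation already timed out
]

# 'PAT ' prefix and the (port) parts are optional so 1:1 NAT entries parse too.
XLATE_RE = re.compile(
    r"^(?P<kind>PAT )?Global (?P<gip>\d+\.\d+\.\d+\.\d+)(?:\((?P<gport>\d+)\))?"
    r"\s+Local (?P<lip>\d+\.\d+\.\d+\.\d+)(?:\((?P<lport>\d+)\))?"
)

def parse_xlate(text: str) -> Dict[Tuple[str, Optional[int]], str]:
    """Map (global ip, global port) -> local ip; NAT without PAT is keyed with port None."""
    table: Dict[Tuple[str, Optional[int]], str] = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # summary line or unrelated output
        gport = int(m.group("gport")) if m.group("gport") else None
        table[(m.group("gip"), gport)] = m.group("lip")
    return table

def inside_host(table: Dict[Tuple[str, Optional[int]], str], outside_dst: str) -> Optional[str]:
    """Resolve an outside ip:port (what NetFlow shows as destination) to the inside host."""
    ip, _, port = outside_dst.partition(":")
    if port:
        hit = table.get((ip, int(port)))
        if hit:
            return hit
    return table.get((ip, None))  # fall back to a 1:1 NAT entry for that global IP

def correlate(table: Dict[Tuple[str, Optional[int]], str],
              flows: List[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (external site, outside dst, inside host or None) for each flow."""
    return [(src, dst, inside_host(table, dst)) for src, dst in flows]
```

A None in the result means the xlate has expired since the flow was exported, so the lookup has to run while the connection is still up.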