
IP NAT Translation on Cisco 881 Firewall

Dear Cisco Community,

 

I have a Cisco 881 Firewall and we just putty into this firewall and do not have GUI access. Some computer was trying to access the website shabihello.com and I found the IP address of the site to be 146.112.61.105 by running the following command in cmd: tracert www.shabihello.com

Now I want to find out at the firewall which computer was trying to access this site shabihello.com. Somebody suggested to do IP NAT Translation on the Cisco 881 Firewall. But I do not know which commands to type that will show me the IP of the computer which accessed this site. So, kindly help me out in this at the earliest.

Regards,

Vikram.

 


balaji.bandi
Hall of Fame

Here is the reference guide to check NAT Translation:

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/8605-13.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Seb Rupik
VIP Alumni

Hi there,

The command would be:

 

show ip nat trans | inc 146.112.61.105

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/8605-13.html

 

cheers,

Seb.

Dear Seb,

 

When I type that command then nothing is displayed as the cursor moves to the next line as shown below:

 

FW01#show ip nat trans | inc 146.112.61.105

FW01#

That means that there is not an active translation in the NAT state table.

 

Are you sure there is an active flow to that destination when you typed the command?

 

cheers,

Seb.

Dear Seb,

I want to outline what I want to achieve here. Maybe then you will guide me accordingly. So, I got an alert in Cisco Umbrella that a computer is trying to access a restricted site: www.shabihello.com. Now, I have been tasked to find which computer tried to access that site. Currently we have a Cisco 881 Firewall in the environment (with no access to GUI on it). So, I undertook the following steps:

1. I wanted to know the IP of www.shabihello.com so I went to cmd and typed: ping shabihello.com and it pointed to 146.112.61.105.

2. Then I went to the firewall and typed the following command as I want to find which computer accessed it:

#show ip nat translation | inc 146.112.61.105

#

I got none of the results.

But when I type show ip nat translation then I get the following result:

Inside global         Inside local          Outside local         Outside global
90.0.0.170:51828      10.64.35.110:51828    146.112.63.7:443      146.112.63.7:443
90.0.0.170:54262      10.64.35.110:51828    10.65.1.3:445         10.65.1.3:445
90.0.0.170:4500       90.0.0.170:4500       216.138.244.108:450

 

Kindly help me identify which computer tried to access www.shabihello.com and also outline what would be the best steps to do it?

 

Thanks,

Vikram.

Hi Vikram,

Your methods are correct, but as I said before the entries in the NAT state table will time out and be removed. In your case you have checked the state table too late and evidence of the translation is no longer there.

The crucial information has been lost.

Moving forward you have two options: enable debug logging for NAT and send the logs to a syslog server which you can search through should the incident reoccur.

Or, my personal preference, would be to configure NetFlow collection on the router and export it to a visualisation tool. I have always recommended nfsen (https://sourceforge.net/projects/nfsen/) for this purpose. Not only will this tell you the source IP from within your network which accessed the external IP, but additional metrics, such as volume of data transferred and in which direction, which may be of use.

 

cheers,

Seb.
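
Added example (not part of any post in this thread): a Python parser for saved `show ip nat translations` output that returns the inside-local hosts with a translation to a given outside address, using an exact address match rather than the regex match that `| inc` performs. The sample snapshot is constructed from the rows pasted above; the function names and the idea of saving the table to text are assumptions.

```python
import ipaddress
import re

# Constructed sample: the rows pasted in the thread, four columns as in its header.
# The last row is truncated on the page and is kept truncated here.
SNAPSHOT = """\
Inside global         Inside local          Outside local         Outside global
90.0.0.170:51828      10.64.35.110:51828    146.112.63.7:443      146.112.63.7:443
90.0.0.170:54262      10.64.35.110:51828    10.65.1.3:445         10.65.1.3:445
90.0.0.170:4500       90.0.0.170:4500       216.138.244.108:450
"""

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")
KEYS = ("inside_global", "inside_local", "outside_local", "outside_global")


def parse_translations(text):
    """Yield one dict per complete row; skip headers and truncated rows."""
    for line in text.splitlines():
        fields = line.split()
        # IOS output may lead with a protocol column (tcp/udp/icmp); drop it.
        if fields and fields[0].lower() in ("tcp", "udp", "icmp"):
            fields = fields[1:]
        matches = [ENDPOINT.match(f) for f in fields]
        if len(fields) != 4 or not all(matches):
            continue  # header, "---" placeholder, or a row missing a column
        yield {k: (m.group(1), m.group(2)) for k, m in zip(KEYS, matches)}


def inside_hosts_for(text, outside_ip):
    """Return sorted inside-local IPs that have a translation to outside_ip."""
    # Validate the target so a partial address cannot match by accident,
    # which a pattern such as "| inc 146.112.61.10" could do on the router.
    target = str(ipaddress.ip_address(outside_ip))
    hosts = {row["inside_local"][0]
             for row in parse_translations(text)
             if row["outside_global"][0] == target}
    return sorted(hosts)


if __name__ == "__main__":
    for ip in ("146.112.61.105", "146.112.63.7"):
        found = inside_hosts_for(SNAPSHOT, ip)
        print(ip, "->", found or "no translation in snapshot")
```
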

Dear Seb,

 

Thanks for your help on this as you have been a great help.

 

Thanks.

Vikram.

No problem, please rate and mark this post as answered :)

You need to have an active session to see the translation; if there is no active session you will not see any translations.

 

BB
