05-14-2019 08:32 PM
Dear Cisco Community,
I have a Cisco 881 Firewall and we just PuTTY into this firewall and do not have GUI access. Some computer was trying to access the website shabihello.com and I found the IP address of the site to be 146.112.61.105 by running the following command in cmd: tracert www.shabihello.com
Now I want to find out at the firewall which computer was trying to access this site, shabihello.com. Somebody suggested to do IP NAT Translation on the Cisco 881 Firewall. But I do not know which commands to type that will show me the IP of the computer which accessed this site. So, kindly help me out in this at the earliest.
Regards,
Vikram.
05-14-2019 11:50 PM
Here is the reference guide to check NAT translation:
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/8605-13.html
05-14-2019 11:50 PM
Hi there,
The command would be:
show ip nat trans | inc 146.112.61.105
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/8605-13.html
cheers,
Seb.
05-15-2019 02:19 PM
Dear Seb,
When I type that command, nothing is displayed and the cursor moves to the next line, as shown below:
FW01#show ip nat trans | inc 146.112.61.105
FW01#
05-15-2019 03:05 PM
That means that there is not an active translation in the NAT state table.
Are you sure there is an active flow to that destination when you typed the command?
cheers,
Seb.
05-15-2019 05:23 PM
Dear Seb,
I want to outline what I want to achieve here. Maybe then you will guide me accordingly. So, I got an alert in Cisco Umbrella that a computer is trying to access a restricted site: www.shabihello.com. Now, I have been tasked to find which computer tried to access that site. Currently we have a Cisco 881 Firewall in the environment (with no access to GUI on it). So, I undertook the following steps:
1. I wanted to know the IP of www.shabihello.com, so I went to cmd and typed: ping shabihello.com and it pointed to 146.112.61.105.
2. Then I went to the firewall and typed the following command, as I want to find which computer accessed it:
#show ip nat translation | inc 146.112.61.105
#
I got none of the results.
But when I type show ip nat translation, I get the following result:
Inside global      inside local        outside local        Outside global
90.0.0.170:51828   10.64.35.110:51828  146.112.63.7:443     146.112.63.7:443
90.0.0.170:54262   10.64.35.110:51828  10.65.1.3:445        10.65.1.3:445
90.0.0.170:4500    90.0.0.170:4500     216.138.244.108:450
Kindly help me identify which computer tried to access www.shabihello.com and also outline what would be the best steps to do it?
Thanks,
Vikram.
05-15-2019 11:16 PM
Hi Vikram,
Your methods are correct, but as I said before, the entries in the NAT state table will time out and be removed. In your case you have checked the state table too late and evidence of the translation is no longer there.
The crucial information has been lost.
Moving forward you have two options, enable debug logging for NAT and send the logs to a syslog server which you can search through should the incident reoccur.
Or, my personal preference, would be to configure netflow collection on the router and export it to a visualisation tool. I have always recommended nfsen (https://sourceforge.net/projects/nfsen/) for this purpose. Not only will this tell you the source IP from within your network which accessed the external IP, but additional metrics, such as volume of data transferred and in which direction, which may be of use.
cheers,
Seb.
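Because translations age out of the table, the `show ip nat translations` output has to be saved while the flow is still active and searched afterwards. The Python sketch below is an added example, not code from anyone in this thread: it parses saved output (with or without the leading Pro column, IPv4 only) and lists the inside local hosts that had a translation towards a given destination IP or CIDR range. The function names and the 10.64.35.42 row are constructed for illustration.

```python
import ipaddress

# Constructed sample: rows follow the layout of the output posted in the thread;
# the 10.64.35.42 row is invented so that the search has something to find.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 90.0.0.170:51828   10.64.35.110:51828 146.112.63.7:443   146.112.63.7:443
tcp 90.0.0.170:49731   10.64.35.42:49731  146.112.61.105:443 146.112.61.105:443
udp 90.0.0.170:4500    90.0.0.170:4500    216.138.244.108:450
--- 90.0.0.171         10.64.35.200       ---                ---
"""

def _addr(token):
    """Return the IP part of 'ip' or 'ip:port', or None for '---' and header words."""
    try:
        return ipaddress.ip_address(token.rsplit(":", 1)[0])
    except ValueError:
        return None

def parse_nat_table(text):
    """Return (entries, skipped): entries are 4-tuples of addresses in column order
    (inside global, inside local, outside local, outside global); skipped counts
    rows that start like an entry but are truncated."""
    entries, skipped = [], 0
    for line in text.splitlines():
        cols = line.split()
        if cols and _addr(cols[0]) is None:
            cols = cols[1:]              # drop the protocol column: tcp, udp, ---
        addrs = [_addr(c) for c in cols]
        if len(cols) == 4 and addrs[0] is not None and addrs[1] is not None:
            entries.append(tuple(addrs))
        elif addrs and addrs[0] is not None:
            skipped += 1                 # incomplete row, cannot be attributed
    return entries, skipped

def inside_hosts_for(text, destination):
    """Inside local IPs with a translation towards destination (an IP or a CIDR)."""
    net = ipaddress.ip_network(destination, strict=False)
    entries, _ = parse_nat_table(text)
    return sorted({str(local) for _, local, o_local, o_global in entries
                   if any(o is not None and o in net for o in (o_local, o_global))})

if __name__ == "__main__":
    print(inside_hosts_for(SAMPLE, "146.112.61.105"))
    print("truncated rows skipped:", parse_nat_table(SAMPLE)[1])
```

Matching on a CIDR range rather than one address helps when the site resolves to several addresses in the same block.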
05-16-2019 07:21 AM
Dear Seb,
Thanks for your help on this as you have been a great help.
Thanks.
Vikram.
05-16-2019 08:22 AM
No problem, please rate and mark this post as answered :)
05-15-2019 03:52 PM
You need to have an active session to see the translation; if there is no active session, you will not see any translations.