Dear Cisco Community,
I have a Cisco 881 Firewall and we just PuTTY into this firewall and do not have GUI access. Some computer was trying to access the website shabihello.com and I found the IP address of the site to be 126.96.36.199 by running the following command in cmd: tracert www.shabihello.com
Now I want to find out at the firewall which computer was trying to access this site shabihello.com. Somebody suggested to do IP NAT translation on the Cisco 881 Firewall. But I do not know which commands to type that will show me the IP of the computer which accessed this site. So, kindly help me out with this at the earliest.
Here is the reference guide to check NAT translation:
The command would be:
show ip nat trans | inc 188.8.131.52
When I type that command, nothing is displayed and the cursor moves to the next line, as shown below:
FW01#show ip nat trans | inc 184.108.40.206
That means that there is not an active translation in the NAT state table.
Are you sure there was an active flow to that destination when you typed the command?
I want to outline what I want to achieve here. Maybe then you will guide me accordingly. So, I got an alert in Cisco Umbrella that a computer is trying to access a restricted site: www.shabihello.com. Now, I have been tasked to find which computer tried to access that site. Currently we have a Cisco 881 Firewall in the environment (with no access to the GUI on it). So, I undertook the following steps:
1. I wanted to know the IP of www.shabihello.com, so I went to cmd and typed: ping shabihello.com and it pointed to 220.127.116.11.
2. Then I went to the firewall and typed the following command, as I want to find which computer accessed it:
#show ip nat translation | inc 18.104.22.168
I got no results.
But when I type show ip nat translation I get the following result:
Inside global          Inside local          Outside local          Outside global
22.214.171.124:51828   10.64.35.110:51828    126.96.36.199:443      188.8.131.52:443
184.108.40.206:54262   10.64.35.110:51828    10.65.1.3:445          10.65.1.3:445
220.127.116.11:4500    18.104.22.168:4500    22.214.171.124:450
Kindly help me identify which computer tried to access www.shabihello.com, and also outline what would be the best steps to do it?
Your methods are correct, but as I said before the entries in the NAT state table will timeout and be removed. In your case you have checked the state table too late and evidence of the translation is no longer there.
The crucial information has been lost.
Moving forward you have two options: enable debug logging for NAT and send the logs to a syslog server, which you can search through should the incident recur.
Or, my personal preference, would be to configure NetFlow collection on the router and export it to a visualisation tool. I have always recommended nfsen (https://sourceforge.net/projects/nfsen/) for this purpose. Not only will this tell you the source IP from within your network which accessed the external IP, but also additional metrics, such as the volume of data transferred and in which direction, which may be of use.
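As an added example (not from this thread or from Cisco), this does by hand what the `| inc` filter was doing: parse a pasted `show ip nat translations` table and list the inside-local hosts that currently have a translation to a given destination. The sample table, the RFC 5737 addresses and the function names are constructed; an empty result is the "nothing displayed" case from the thread, which only means no entry was live at that moment.

```python
import re

# Constructed sample of "show ip nat translations" output. The inside host
# 10.64.35.110 is the one in the thread; every other address is from the
# RFC 5737 documentation ranges and stands in for the site and the router.
SAMPLE_NAT_TABLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 198.51.100.7:51828    10.64.35.110:51828    192.0.2.10:443        192.0.2.10:443
tcp 198.51.100.7:54262    10.64.35.111:54262    192.0.2.10:443        192.0.2.10:443
tcp 198.51.100.7:60001    10.64.35.112:60001    203.0.113.5:80        203.0.113.5:80
udp 198.51.100.7:4500     10.64.35.1:4500       203.0.113.9:4500      203.0.113.9:4500
"""

# "ip:port", or a bare ip for static entries; "---" placeholders do not match.
SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$")

def _split_socket(token):
    """Return (ip, port) for an 'ip:port' token, or (None, None) if it is not one."""
    m = SOCKET_RE.match(token)
    if not m:
        return None, None
    return m.group(1), int(m.group(2)) if m.group(2) else None

def parse_nat_table(text):
    """Parse the table into dicts, skipping the header, blank and truncated lines.
    Rows with a leading protocol column (tcp/udp/icmp) and rows without one,
    as pasted in the thread, are both accepted."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Pro", "Inside"):
            continue
        proto = fields[0].lower() if len(fields) == 5 else None
        sockets = [_split_socket(f) for f in fields[-4:]]
        if any(ip is None for ip, _ in sockets):
            continue  # static "---" rows or garbage; nothing to match on
        (ig, ig_p), (il, il_p), (ol, ol_p), (og, og_p) = sockets
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "inside_local_port": il_p, "outside_local": ol,
                     "outside_global": og, "outside_global_port": og_p})
    return rows

def inside_hosts_for(text, outside_ip):
    """Inside-local hosts that currently have a translation to outside_ip.
    The table only holds live flows, so an empty list means no entry was
    active when the command ran, not that the host never connected."""
    return sorted({r["inside_local"] for r in parse_nat_table(text)
                   if r["outside_global"] == outside_ip})
```

Paste the router's real output into the text argument; to catch a flow that has already aged out you need the NAT syslog or NetFlow records described above, not this table.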
Thanks for your help on this as you have been a great help.
You need to have an active session to see the translation; if there is no active session you will not see any translations.