We also have a Cisco WSA so

Difan Zhao · ‎06-14-2015

Hi,

So we are getting emails from HBO complaining about the illegal download... Hopefully that I am not the first one having the problem but I need to know the inside/real IP based on the public IP and port number and a specific time that were provided by HBO.. So what is the most efficient way to log the dynamic NAT/PAT history on the ASA? I have a 5585x with 9.2.3 code on it

Thanks,

Difan

Marius Gunnerud · ‎06-14-2015

The most efficient way would be to set up a SourceFire with URL filtering or perhaps a different URL filter that can also log connections. SourceFire can give you the inside IP and, if integrated with AD, can also give you the username of the person that accessed the torrent service.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Difan Zhao · ‎06-14-2015

We also have a Cisco WSA so the users are not able to surf the torrent sites. However the issue is that if they had the torrent file already on their PC (mostly likely a laptop) then WSA will not be able to help. SourceFire is on the road map but may not happen soon. Any other ways as an intermediate solution?

I just found out if I set the logging level to informational then it could log the message but it is too overwhelming. I am trying to figure out a way to filter. Any suggestion?

Thanks

Marius Gunnerud · ‎06-14-2015

There really is no easy way of doing this. You will need to apply a filter to the log output to narrow down the output. But then again this will not be easy if you do not know what you are looking for. You could try using NetFlow but even here you will need to apply some type of filter. You could also give NBAR a try, but even this is will not capture all possible torrents.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Log dynamic NAT/PAT entries