02-01-2010 09:01 AM - edited 03-11-2019 10:03 AM
Hi all,
I am trying to analyze a complex PIX config and would like to analyze the NAT usage. There are ALL variations of NATing in it, so I have static, dynamic, NAT exemption, etc.
I can see how I could trace down dynamic NAT (by counting "built dynamic TCP translation" in the syslog data) and ACL-based NAT (via acl counters).
Any idea how to trace static NAT usage and exemption / nat 0 usage? As a last resort, permit ACLs would be an idea (and then have counters on them), but I'd like a more comfortable way.
Any hints on tools are welcome as well, currently I test FireGen which looks quite nice and is affordable.
Later,
Oliver
02-01-2010 02:25 PM
I am not sure what the exact question is.
If you want to see what xlates are being used you can get the output of command "sh xlate detail".
Also, if the PIX is running later versions (not 6.3) you can run a packet tracer for a packet to see how it is going to be translated (packet-tracer command).
I hope it helps.
PK
02-03-2010 06:11 AM
Hi PK,
This question is about how to analyse which NAT statements are used and how often (or which are unused). The config is quite complex and I suspect there are some NAT ways that were not intended and others that are not needed any more.
Therefore, I'd like to have a report on NAT usage, like it is available on ACL usage (counters or via some tools like Firemon).
For dynamic NAT, I get syslog data that can be filtered for the corresponding expressions, so if I count them, this gives me a (complicated) way to get the info I want. For static, I can see that NAT rules are established, but I can't see if there is data flowing across these NATs, i.e. if they are used at all.
Since there are hundreds of static entries, permit ACLs with counters are possible, but not really something I'd like to do.
Is there any tool like FireGen or other log analysis tool that gathers statistic data about NAT usage?
Later,
Oliver
02-03-2010 06:33 AM
Hmm interesting question.
I believe just like the built dynamic translation syslog you can follow this syslog
Feb 03 2010 09:04:01: %ASA-6-302013: Built inbound TCP connection 165172 for outside:10.117.14.69/51132 (10.117.14.69/51132) to inside:192.168.2.2/5900 (172.18.254.34/5900)
305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:a.b.c.d/80
This one is for static.
Grep for syslog 302013 and 305011 and see how many of these your firewall logs in a day.
-KS
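As an added example (not code from anyone in this thread), here is the kind of script the grep approach above boils down to: it parses constructed 302013 and 305011 lines in the format quoted in the post, counts per mapped (global) address how often a static translation was built and how many inbound connections actually hit a translated host, and flags configured statics that never appear in the log. The CONFIGURED_STATICS list and all addresses are hypothetical; in practice the list would come from the static statements in the running config.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from a real firewall); the message formats
# follow the 302013 and 305011 examples quoted in the thread.
SAMPLE_LOG = """\
Feb 03 2010 09:04:01: %ASA-6-302013: Built inbound TCP connection 165172 for outside:10.117.14.69/51132 (10.117.14.69/51132) to inside:192.168.2.2/5900 (172.18.254.34/5900)
Feb 03 2010 09:04:05: %ASA-6-305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:203.0.113.10/80
Feb 03 2010 09:04:07: %ASA-6-305011: Built static TCP translation from inside:192.168.41.10/8501 to outside:203.0.113.10/80
Feb 03 2010 09:04:09: %ASA-6-302013: Built inbound TCP connection 165180 for outside:198.51.100.7/40001 (198.51.100.7/40001) to inside:192.168.2.2/5900 (172.18.254.34/5900)
Feb 03 2010 09:04:30: %ASA-6-302013: Built inbound TCP connection 165181 for outside:198.51.100.8/40002 (198.51.100.8/40002) to inside:192.168.5.5/22 (192.168.5.5/22)
"""

# Hypothetical mapped (global) addresses taken from the config's static statements.
CONFIGURED_STATICS = ["172.18.254.34", "203.0.113.10", "203.0.113.99"]

# 305011: "Built static <proto> translation from <if>:<real>/<port> to <if>:<mapped>/<port>"
STATIC_XLATE = re.compile(
    r"%(?:ASA|PIX)-\d-305011: Built static \w+ translation from "
    r"\w+:(?P<real>[\d.]+)/\d+ to \w+:(?P<mapped>[\d.]+)/\d+")
# 302013: "... to <if>:<real>/<port> (<mapped>/<port>)" -- the parenthesised pair is the mapped address
INBOUND_CONN = re.compile(
    r"%(?:ASA|PIX)-\d-302013: Built inbound TCP connection \d+ for "
    r"\w+:[\d.]+/\d+ \([\d.]+/\d+\) to \w+:(?P<real>[\d.]+)/\d+ \((?P<mapped>[\d.]+)/\d+\)")

def count_nat_usage(log_text):
    """Return (xlates, conns): Counters keyed by mapped address for static
    translations built (305011) and for inbound connections that landed on a
    translated host (302013 with real != mapped)."""
    xlates, conns = Counter(), Counter()
    for line in log_text.splitlines():
        m = STATIC_XLATE.search(line)
        if m:
            xlates[m["mapped"]] += 1
            continue
        m = INBOUND_CONN.search(line)
        # same address in both fields means identity (nat 0) or no translation
        if m and m["real"] != m["mapped"]:
            conns[m["mapped"]] += 1
    return xlates, conns

def unused_statics(configured, log_text):
    """Configured mapped addresses seen in neither message type: review candidates."""
    xlates, conns = count_nat_usage(log_text)
    return sorted(ip for ip in configured if ip not in xlates and ip not in conns)

if __name__ == "__main__":
    xlates, conns = count_nat_usage(SAMPLE_LOG)
    for ip in CONFIGURED_STATICS:
        print(f"{ip:16} static_xlates={xlates[ip]:3} inbound_conns={conns[ip]:3}")
    print("never seen in log:", unused_statics(CONFIGURED_STATICS, SAMPLE_LOG))
```

A static that only shows 305011 hits but no 302013 connections is still worth a look, since the translation being built does not prove traffic ever flowed across it.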
02-04-2010 12:48 AM
I guess it's time to reanimate my perl knowledge.
Right now I'm evaluating FireGen and Sawmill; since we're on a budget we can't spend a lot of money. Any other useful tools for syslogging PIXes and getting information out of the log data?
02-04-2010 06:08 AM
There is Cisco MARS that can do a lot with syslogs, generate reports, etc. But it is not free.
I think you won't avoid writing perl again...
PK