Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
568
Views
9
Helpful
11
Replies

NAT Translation in Cisco FMC

Go to solution
hadeelOth81
Beginner
Beginner

‎05-29-2023 08:35 AM

Hello all,

    I'm using cisco FMC 4600 to manage FTD cluster and I need to get NAT statistics and events. As which internal IPs have been translated to a certain NAT IP address. 

Is there a way to do that in FMC?

Thank you, 

Hadeel

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Marvin Rhoads

‎05-30-2023 12:49 AM

as @Marvin Rhoads mentioned employing the Secure Network Analytics but not everyone can have Netflow tool in place. but to give you some visibility from FMC and see the connection events you can go to "Analysis"-->"Unified-Events" this will bring you the live connection feed what FMC receving from the FTD. on the search bar you can put in your FTD name and it will filter all the connection passing through from your firewall. here you can filter/fine tune what you want to see. 

again as said it will not give you exctaly what you looking for but it will give you some insight of the connection. or the otherway you can do it from "Analysis"---"Connection-Event"--->"Edit-Search"-->Connection-Event-->Device(here you put your device name) and it will display the history of connection event. Also here agian you can right click one of the tab and narrow down what you want to see.

 

please do not forget to rate.

View solution in original post

Go to solution
Marvin Rhoads
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend
In response to Sheraz.Salim

‎05-30-2023 01:54 AM

Definitely look at Unified Events. I had forgotten we can select the NAT IP (Source or destination) from among the displayed columns - it's not enabled by default but can be added. You can then drag the column to be next to the original source IP (among other customizations). Once you have a filtered view that suits you you can even download the events as a csv. See the following screen shot:

Unified EventsUnified Events

The only downside is that you are limited to the FMC's event storage capacity. Depending on your FMC and how many events it is logging that can be as little as less than 1 day. You can see the capacity in the Health Monitor as shown below - my lab FMCv has 19 days capacity but it is very lightly used.

FMC Health MonitorFMC Health Monitor

View solution in original post

11 Replies 11

Go to solution
Marvin Rhoads
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend

‎05-29-2023 09:47 AM

Unfortunately that information is not stored within FMC. It can be retrieved in real time from the cluster members using "show xlate".

If that information is required for forensic or historical purposes, the only way I know to get it is to setup Netflow export to a collector (Such as Cisco Secure Network Analytics, formerly known as Stealthwatch). Cisco firewalls use NSEL (Netflow Secure event Logging) which captures both the original and translated address.

Go to solution
hadeelOth81
Beginner
Beginner
In response to Marvin Rhoads

‎05-29-2023 09:50 AM

Thank you so much @Marvin Rhoads . 

0 Helpful

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Marvin Rhoads

‎05-30-2023 12:49 AM

as @Marvin Rhoads mentioned employing the Secure Network Analytics but not everyone can have Netflow tool in place. but to give you some visibility from FMC and see the connection events you can go to "Analysis"-->"Unified-Events" this will bring you the live connection feed what FMC receving from the FTD. on the search bar you can put in your FTD name and it will filter all the connection passing through from your firewall. here you can filter/fine tune what you want to see. 

again as said it will not give you exctaly what you looking for but it will give you some insight of the connection. or the otherway you can do it from "Analysis"---"Connection-Event"--->"Edit-Search"-->Connection-Event-->Device(here you put your device name) and it will display the history of connection event. Also here agian you can right click one of the tab and narrow down what you want to see.

 

please do not forget to rate.

Go to solution
Marvin Rhoads
Hall of Fame Community Legend Hall of Fame Community Legend
Hall of Fame Community Legend
In response to Sheraz.Salim

‎05-30-2023 01:54 AM

Definitely look at Unified Events. I had forgotten we can select the NAT IP (Source or destination) from among the displayed columns - it's not enabled by default but can be added. You can then drag the column to be next to the original source IP (among other customizations). Once you have a filtered view that suits you you can even download the events as a csv. See the following screen shot:

Unified EventsUnified Events

The only downside is that you are limited to the FMC's event storage capacity. Depending on your FMC and how many events it is logging that can be as little as less than 1 day. You can see the capacity in the Health Monitor as shown below - my lab FMCv has 19 days capacity but it is very lightly used.

FMC Health MonitorFMC Health Monitor

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to Marvin Rhoads

‎05-30-2023 02:02 AM

@Marvin Rhoads  exactly, this is what I used in production network. Stealthwatch pricing was quite high and we were not able to match it so yes, this is what I am doing/using this for long time. @hadeelOth81 if you have budget go for netflow stealthwatch. but if you like me then this is only solution to keep us running unless we able to manage the big guys so spent more money on the tool we love.

please do not forget to rate.

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

‎05-29-2023 10:14 AM

I will check this feature update you today 

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor
In response to MHM Cisco World

‎05-30-2023 04:14 AM

NO need more comment other answer You perfectly
thanks 
MHM 

Go to solution
toolseo818
Beginner
Beginner

‎05-30-2023 02:02 AM

Yes, there is a way to obtain NAT statistics and events in Cisco FMC (Firepower Management Center) for your FTD (Firepower Threat Defense) cluster. To view the NAT translations and associated events, you can follow these steps:

  1. Log in to your Cisco FMC web interface.
  2. Navigate to the "Analysis" tab in the top menu.
  3. Select "Events" from the drop-down menu.
  4. In the left-hand panel, under "Event Types," expand the "Network" section and choose "NAT Events."
  5. This will display the NAT events in the main window, showing the source IP, destination IP, and translated IP addresses involved in the NAT process.

To obtain specific information about internal IPs translated to a particular NAT IP address, you can use the search and filter options in Cisco FMC:

  1. On the "Events" page, use the search bar at the top to enter the desired NAT IP address.
  2. Press Enter or click the search icon.
  3. The search results will display the events where the specified NAT IP address is involved.

By analyzing the NAT events and associated data, you can determine which internal IPs have been translated to a certain NAT IP address within your FTD cluster.

Please note that the exact steps and options may vary slightly depending on the version of Cisco FMC you are using.

Go to solution
hadeelOth81
Beginner
Beginner

‎05-30-2023 06:31 AM

Thank you all, your solutions saved me for now, the only downside as Marvin mentioned FMC can save up to 2 days 6 hours 32 min

hadeelOth81_0-1685453490584.png

Much appreciate your help!!

 

Thanks

 

0 Helpful

Go to solution
Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor
In response to hadeelOth81

‎05-30-2023 07:20 AM

You can config the syslog and offload to external server.

Go to ACP--->select your interested policy--->Logging---->Default Syslog settings:

Logging.PNG

 

please do not forget to rate.

Go to solution
hadeelOth81
Beginner
Beginner
In response to Sheraz.Salim

‎05-30-2023 09:26 AM

Thank you @Sheraz.Salim . I already configured external syslog server. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents