05-19-2011 07:59 AM - edited 03-11-2019 01:35 PM
Hello,
I'm using Netflow on our ISP's Cisco internet router. It sends Netflow info to the outside interface of our ASA and I PAT UDP port 9996 (Netflow) to our Netflow server that sits on the inside of the ASA firewall. The problem I have is I just see the source and destination as the public (outside) IP of the firewall. Is there a command I can use to see what PAT is doing? I'd like to see what internal IP it is translating the outside IP address to.
Thanks
05-19-2011 09:38 AM
Hey Andy,
How are you doing? It's me, Varun. To check the xlates, just enter the following command:
show xlate | in
This will give you what you want.
Hope this helps.
Thanks,
Varun
05-19-2011 11:46 AM
Andy,
It depends on what you are trying to see as to how it would work. Since you are pulling Netflow from outside of your firewall, the routers will only see the public (PAT) addresses flow through them, so that is how Netflow will report the traffic. You can run a couple of commands on the ASA to see the translations, but if you are trying to see these in the actual Netflow collector you would have to pull Netflow from the ASA or an internal device before the NAT process takes place. If you are trying to map to an internal IP in real time, the xlate lookup commands will work. If you are reviewing Netflow reports at the end of the day, many of the xlates would not be there or could be re-used by another inside host. Your option there is to pull syslog from the ASA and match the time stamp with the destination address.
-don
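The syslog-to-Netflow matching Don describes, as an added example that is not part of the original thread: it parses ASA translation build/teardown messages into time intervals per public (PAT) endpoint and looks up which inside host held that translation at a given flow timestamp, returning nothing when the slot was between owners. The syslog lines are constructed, and the message text is assumed to follow Cisco's documented %ASA-6-305011 (Built) and %ASA-6-305012 (Teardown) format.

```python
import re
from datetime import datetime

# Constructed ASA syslog sample (not from the thread). The message text is assumed
# to follow the documented %ASA-6-305011 / %ASA-6-305012 dynamic-translation format.
ASA_SYSLOG = """\
May 19 2011 08:00:01: %ASA-6-305011: Built dynamic UDP translation from inside:10.1.1.5/40001 to outside:203.0.113.10/1024
May 19 2011 08:05:30: %ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.1.5/40001 to outside:203.0.113.10/1024 duration 0:05:29
May 19 2011 08:06:00: %ASA-6-305011: Built dynamic UDP translation from inside:10.1.1.7/51000 to outside:203.0.113.10/1024
"""

TS_FMT = "%b %d %Y %H:%M:%S"
XLATE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-3050(?P<kind>11|12): "
    r"(?:Built|Teardown) dynamic (?P<proto>\w+) translation from "
    r"inside:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to outside:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)

def parse_xlate_log(text):
    """Return {(proto, outside_ip, outside_port): [[start, end, inside_ip, inside_port], ...]}.
    end stays None while the translation is still open (no teardown seen yet)."""
    table = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        entries = table.setdefault((m["proto"], m["out_ip"], int(m["out_port"])), [])
        if m["kind"] == "11":
            entries.append([ts, None, m["in_ip"], int(m["in_port"])])
        else:
            # Close the matching open entry; the same PAT slot may be reused later
            # by a different inside host, which is why intervals are kept, not a map.
            for e in entries:
                if e[1] is None and e[2] == m["in_ip"] and e[3] == int(m["in_port"]):
                    e[1] = ts
                    break
    return table

def lookup_inside_host(table, proto, out_ip, out_port, when_str):
    """Map a Netflow record's public endpoint and timestamp (same format as the
    syslog lines) to the (inside_ip, inside_port) that held the translation then."""
    when = datetime.strptime(when_str, TS_FMT)
    for start, end, in_ip, in_port in table.get((proto, out_ip, out_port), []):
        if start <= when and (end is None or when <= end):
            return (in_ip, in_port)
    return None

if __name__ == "__main__":
    table = parse_xlate_log(ASA_SYSLOG)
    print(lookup_inside_host(table, "UDP", "203.0.113.10", 1024, "May 19 2011 08:03:00"))
```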