01-16-2007 01:50 PM - edited 03-10-2019 03:25 AM
Checking the events on our IDS 4210 with IDM 5.1, I noted a TCP hijack going from our LAN to the Internet.
I am sniffing the connection between the outside port of the Firewall (ASA 5510) and the inside Edge router (3640); therefore the attacker IP is listed as our PAT. Is there any way to track this back to the PC without debugging the firewall?
01-18-2007 07:16 AM
If the attacker is getting PATted, then looking at the NAT table in the ASA is the best way. From your packet trace, you may be able to find some upper-layer information that may indicate the attacker's pre-PAT identity, but it is less likely.
Thank you.
Edward
01-18-2007 10:35 AM
You are right; show xlate did it. Thank you very much.
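Added example, not part of the original thread: a small Python helper that takes saved `show xlate` output and the translated source IP and port reported by the outside sensor, and returns the inside host behind that PAT entry. The sample output, addresses and function names are constructed for illustration, and the two line layouts matched are assumptions about the ASA software version in use.

```python
import re

# Constructed sample of `show xlate` output (documentation/private addresses).
# Two line layouts are handled; which one you see depends on the ASA version.
SAMPLE_XLATE = """\
3 in use, 12 most used
PAT Global 203.0.113.10(1024) Local 192.168.1.23(3412)
PAT Global 203.0.113.10(1025) Local 192.168.1.57(4990)
TCP PAT from inside:192.168.1.88/51515 to outside:203.0.113.10/1026 flags ri idle 0:00:04 timeout 0:00:30
"""

# Older layout: PAT Global <ip>(<port>) Local <ip>(<port>)
OLD = re.compile(
    r"PAT Global (?P<gip>[\d.]+)\((?P<gport>\d+)\) "
    r"Local (?P<lip>[\d.]+)\((?P<lport>\d+)\)"
)
# Newer layout: <proto> PAT from <if>:<ip>/<port> to <if>:<ip>/<port> ...
NEW = re.compile(
    r"(?:TCP|UDP|ICMP) PAT from \S+?:(?P<lip>[\d.]+)/(?P<lport>\d+) "
    r"to \S+?:(?P<gip>[\d.]+)/(?P<gport>\d+)"
)

def parse_xlate(text):
    """Yield (global_ip, global_port, local_ip, local_port) per PAT entry."""
    for line in text.splitlines():
        m = OLD.search(line) or NEW.search(line)
        if m:
            yield (m["gip"], int(m["gport"]), m["lip"], int(m["lport"]))

def find_inside_hosts(xlate_text, pat_ip, pat_port):
    """Return every (local_ip, local_port) translated to pat_ip:pat_port.

    A list is returned because the older layout does not show the protocol,
    so more than one entry can match. An empty list means the translation
    was not in the capture (PAT entries are short-lived, so take the
    `show xlate` snapshot as close to the alert time as possible).
    """
    return [
        (lip, lport)
        for gip, gport, lip, lport in parse_xlate(xlate_text)
        if gip == pat_ip and gport == int(pat_port)
    ]

if __name__ == "__main__":
    # Source IP/port as the IDS alert on the outside segment would report them.
    print(find_inside_hosts(SAMPLE_XLATE, "203.0.113.10", 1025))
```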