Track Outbound TCP Hijack

usanitary
Level 1

Checking the events on our IDS 4210 with IDM 5.1, I noted a TCP hijack going from our LAN to the Internet.

I am sniffing the connection between the outside port of the firewall (ASA 5510) and the inside edge router (3640), therefore the attacker IP is listed as our PAT. Is there any way to track this back to the PC without debugging the firewall?

Accepted Solutions

edwakim
Cisco Employee

If the attacker is getting PATted, then looking at the NAT table in the ASA is the best way. From your packet trace, you may be able to find some upper-layer information that may indicate the attacker's pre-PAT identity, but it is less likely.

Thank you.

Edward


You are right; show xlate did it. Thank you very much.
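
The lookup described in this thread, as an added example that is not part of the original posts: it takes the translated source IP and port that the sensor recorded outside the firewall and finds the inside host in captured `show xlate` output. The line format (`PAT Global ip(port) Local ip(port)`) is assumed from older ASA software, and the addresses, ports and function names are constructed for illustration.

```python
import re

# Constructed sample in the style of older ASA "show xlate" output (format assumed).
SAMPLE_XLATE = """\
3 in use, 12 most used
PAT Global 203.0.113.10(1024) Local 10.1.1.23(3312)
PAT Global 203.0.113.10(1025) Local 10.1.1.57(1189)
PAT Global 203.0.113.10(1026) Local 10.1.1.23(3313)
"""

# One PAT slot per line: translated (global) ip(port), then real (local) ip(port).
PAT_LINE = re.compile(
    r"^PAT Global (?P<gip>\d+\.\d+\.\d+\.\d+)\((?P<gport>\d+)\)\s+"
    r"Local (?P<lip>\d+\.\d+\.\d+\.\d+)\((?P<lport>\d+)\)"
)


def parse_xlate(text):
    """Return {(global_ip, global_port): (local_ip, local_port)} for every PAT line."""
    table = {}
    for line in text.splitlines():
        m = PAT_LINE.match(line.strip())
        if m:  # header lines such as "3 in use" do not match and are skipped
            table[(m["gip"], int(m["gport"]))] = (m["lip"], int(m["lport"]))
    return table


def find_inside_host(table, alert_src_ip, alert_src_port):
    """Map the translated source seen by the sensor to the inside host.

    Returns None when no slot matches, e.g. the translation already expired.
    """
    return table.get((alert_src_ip, alert_src_port))


if __name__ == "__main__":
    xlate = parse_xlate(SAMPLE_XLATE)
    # Source IP and port as they would appear in the IDS event (constructed values).
    print(find_inside_host(xlate, "203.0.113.10", 1025))
```

PAT slots are released after the connection ends and the port can be reused by another host, so the table has to be captured while the flagged flow is still active for the match to be trustworthy.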
