Educause Security Discussion mailing list archives

Re: DMCA and NAT


From: Kay Avila <kay.avila () UNI EDU>
Date: Thu, 1 Dec 2011 09:28:05 -0600

> Cisco's ASAs won't log NAT bind - setups and teardowns - unless you
> go to "debug" level.

As for the logging on the ASA, you can do that without turning on debug. You can adjust the level of individual log entries on the ASAs so you don't have to enable all debugging to see NAT setup/teardown.

So if you find the log ids for the NAT setups and teardowns (see [1]), you can change the severity level of the message -

logging message <message id> level <new level>

[1] http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html

Kay Avila

--
Kay Avila
Network Engineer, ITS-Network Services
15 Curris Business Building, Cedar Falls, IA 50614-0121
kay.avila () uni edu  Phone: 319-273-5924  Fax: 319-273-7373

On 11/29/2011 2:20 PM, John Ladwig wrote:
Second the comment re: "insane" level of campus-border firewall logging necessary to respond to lawful requests.  We're over 100GB/day across our 60ish campuses.

Cisco's ASAs won't log NAT bind - setups and teardowns - unless you go to "debug" level.  We do have a few noisy+useless message IDs which we don't send as well.  Dunno how much volume that saves us, though.

    -jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave G Bulanda
Sent: Tuesday, 29 November, 2011 10:44
To: The EDUCAUSE Security Constituent Group Listserv; John Ladwig
Subject: Re: [SECURITY] DMCA and NAT

Kevin,

The way that I handle the DMCA and NAT issue is that I run syslog of my border firewall in a somewhat "INSANE" level.

Match Outside address to inside address - Take the inside address and match via NAC system and DHCP logs to client machine.

[ ... ]
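The outside-to-inside matching step Bulanda describes, once the ASA's NAT setup/teardown messages are logged at a level you keep (Kay's `logging message` command), as an added example that is not code from any post in this thread: it assumes the ASA's dynamic PAT messages 305011 (translation built) and 305012 (translation torn down) in their usual text form, and the log lines are constructed samples.

```python
"""Map a notice's public IP/port/time back to the inside host using ASA NAT syslog.

Added example, not code from the thread. Assumes the ASA's standard dynamic-PAT messages
305011 (translation built) and 305012 (translation torn down); log lines are constructed samples.
"""
import re
from datetime import datetime

TS_FMT = "%b %d %Y %H:%M:%S"
SAMPLE_LOG = """\
Nov 29 2011 13:58:01 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51234 to outside:192.0.2.7/1024
Nov 29 2011 14:02:17 fw1 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51234 to outside:192.0.2.7/1024 duration 0:04:16
Nov 29 2011 14:05:44 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.99/40001 to outside:192.0.2.7/1024
"""
# The severity digit is matched loosely because an admin may have re-levelled the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) \S+ %ASA-\d-30501(?P<kind>[12]): "
    r"(?:Built|Teardown) dynamic (?P<proto>TCP|UDP) translation from "
    r"\S+?:(?P<real>[\d.]+)/(?P<rport>\d+) to \S+?:(?P<mapped>[\d.]+)/(?P<mport>\d+)")

def parse_translations(log_text):
    """Return (start, end, proto, mapped_ip, mapped_port, real_ip, real_port) tuples.
    start is None if the build predates the log; end is None if still open."""
    open_xlates, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a translation message
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["proto"], m["mapped"], int(m["mport"]), m["real"], int(m["rport"]))
        if m["kind"] == "1":
            open_xlates[key] = ts
        else:
            finished.append((open_xlates.pop(key, None), ts) + key)
    finished.extend((start, None) + key for key, start in open_xlates.items())
    return finished

def find_inside_host(log_text, mapped_ip, mapped_port, when_str, proto="TCP"):
    """Which inside address held mapped_ip:mapped_port at when_str (TS_FMT)?
    Mapped ports are reused after teardown, so the notice time must fall inside
    one translation's lifetime. Returns (real_ip, real_port) or None."""
    when = datetime.strptime(when_str, TS_FMT)
    for start, end, p, mip, mport, rip, rport in parse_translations(log_text):
        if (p, mip, mport) == (proto, mapped_ip, mapped_port):
            if (start is None or start <= when) and (end is None or when <= end):
                return rip, rport
    return None
```

The inside address this returns is the one you then chase through NAC and DHCP records to a client machine, as the thread describes.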
