Educause Security Discussion mailing list archives

Re: DMCA and NAT


From: John Ladwig <John.Ladwig () SO MNSCU EDU>
Date: Thu, 1 Dec 2011 16:13:49 +0000

Thanks for the heads-up. I was just about to review our ASA message-logging setup.

    -jml

--- original message ---
From: "Kay Avila" <kay.avila () UNI EDU>
Subject: Re: [SECURITY] DMCA and NAT
Date: December 1, 2011
Time: 9:39:43


Cisco's ASAs won't log NAT bind - setups and teardowns - unless you
go to "debug" level.

As for the logging on the ASA, you can do that without turning on debug.
You can adjust the level of individual log entries on the ASAs so you
don't have to enable all debugging to see NAT setup/teardown.

So if you find the log ids for the NAT setups and teardowns (see [1]),
you can change the severity level of the message -

logging message <message id> level <new level>

[1]
http://www.cisco.com/en/US/docs/security/asa/asa84/system/message/logmsgs.html

Kay Avila

--
Kay Avila
Network Engineer, ITS-Network Services
15 Curris Business Building, Cedar Falls, IA 50614-0121
kay.avila () uni edu  Phone: 319-273-5924  Fax: 319-273-7373

On 11/29/2011 2:20 PM, John Ladwig wrote:
Second the comment re: "insane" level of campus-border firewall logging necessary to respond to lawful requests.  
We're over 100GB/day across our 60ish campuses.

Cisco's ASAs won't log NAT bind - setups and teardowns - unless you go to "debug" level.  We do have a few 
noisy+useless message IDs which we don't send as well.  Dunno how much volume that saves us, though.

    -jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave G 
Bulanda
Sent: Tuesday, 29 November, 2011 10:44
To: The EDUCAUSE Security Constituent Group Listserv; John Ladwig
Subject: Re: [SECURITY] DMCA and NAT

Kevin,

The way that I handle the DMCA and NAT issue is that I run syslog of my border firewall in a somewhat "INSANE" level.

Match Outside address to inside address - Take the inside address and match via NAC system and DHCP logs to client 
machine.

[ ... ]
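The correlation Dave describes (outside address and port at a given time, to the inside address behind the NAT, to the DHCP lease for that inside address) is mechanical once the NAT setup/teardown messages are actually reaching syslog. The script below is an added example, not code from any of the posters or from Cisco. The ASA and DHCP lines in it are constructed sample data: the firewall lines are modeled on the ASA 305011 (Built dynamic translation) and 305012 (Teardown dynamic translation) message format, and the lease lines on ISC dhcpd DHCPACK output; the exact message IDs and their default severities should be confirmed against the message guide Kay linked as [1] before raising them with `logging message`. Syslog timestamps carry no year, so the year is an assumption. The sample deliberately reuses one outside port for two different inside hosts a minute apart, which is why the notice's timestamp matters as much as its address and port.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 2011  # assumption: syslog timestamps have no year field

# Constructed sample ASA syslog lines (modeled on messages 305011/305012).
# Note outside port 41000 is used by 10.20.30.40 until 09:40:12 and then
# re-used by 10.20.30.42 from 09:41:00 onward.
ASA_LOG = """\
Dec  1 09:12:03 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.7/41000
Dec  1 09:12:05 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.41/51235 to outside:203.0.113.7/41001
Dec  1 09:40:12 fw1 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.30.40/51234 to outside:203.0.113.7/41000 duration 0:28:09
Dec  1 09:41:00 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.30.42/40000 to outside:203.0.113.7/41000
"""

# Constructed sample DHCP lease lines (modeled on ISC dhcpd DHCPACK output).
# 10.20.30.40 changes hands at 09:50, so the lease lookup is time-bounded too.
DHCP_LOG = """\
Dec  1 08:30:00 dhcp1 dhcpd: DHCPACK on 10.20.30.42 to cc:dd:ee:ff:00:11 via eth0
Dec  1 08:40:00 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 12:34:56:78:9a:bc via eth0
Dec  1 08:55:10 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 via eth0
Dec  1 09:50:00 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 66:77:88:99:aa:bb via eth0
"""

_TS = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) ")
_XLATE = re.compile(
    r"%ASA-\d-30501[12]: (Built|Teardown) dynamic (\w+) translation "
    r"from inside:(\S+)/(\d+) to outside:(\S+)/(\d+)")
_DHCP = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17}) ")


def _ts(line):
    """Parse the leading syslog timestamp, supplying the assumed year."""
    mon, day, clock = _TS.match(line).groups()
    return datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")


def parse_translations(text):
    """Pair each Built (305011) with its Teardown (305012) into an interval.

    Returns a list of ((proto, in_ip, in_port, out_ip, out_port), start, end);
    translations with no teardown seen yet get end=None.
    """
    open_xl, closed = {}, []
    for line in text.splitlines():
        m = _XLATE.search(line)
        if not m:
            continue
        event, proto, in_ip, in_port, out_ip, out_port = m.groups()
        key = (proto, in_ip, int(in_port), out_ip, int(out_port))
        when = _ts(line)
        if event == "Built":
            open_xl[key] = when
        elif key in open_xl:
            closed.append((key, open_xl.pop(key), when))
    closed.extend((key, start, None) for key, start in open_xl.items())
    return closed


def parse_leases(text):
    """Return (time, ip, mac) for each DHCPACK, oldest first."""
    leases = []
    for line in text.splitlines():
        m = _DHCP.search(line)
        if m:
            leases.append((_ts(line), m.group(1), m.group(2)))
    return sorted(leases)


def inside_for(translations, out_ip, out_port, proto, at):
    """Inside address whose translation to out_ip/out_port was active at `at`."""
    for (p, in_ip, _in_port, o_ip, o_port), start, end in translations:
        if (p, o_ip, o_port) != (proto, out_ip, out_port):
            continue
        if start <= at and (end is None or at <= end):
            return in_ip
    return None


def mac_for(leases, in_ip, at):
    """Most recent DHCPACK for in_ip at or before `at` (later leases ignored)."""
    mac = None
    for when, ip, m in leases:
        if ip == in_ip and when <= at:
            mac = m
    return mac


def attribute(out_ip, out_port, proto, at, asa_log=ASA_LOG, dhcp_log=DHCP_LOG):
    """Outside address/port/time from the notice -> (inside_ip, mac) or None."""
    in_ip = inside_for(parse_translations(asa_log), out_ip, out_port, proto, at)
    if in_ip is None:
        return None
    return in_ip, mac_for(parse_leases(dhcp_log), in_ip, at)


if __name__ == "__main__":
    print(attribute("203.0.113.7", 41000, "TCP", datetime(2011, 12, 1, 9, 20)))
    print(attribute("203.0.113.7", 41000, "TCP", datetime(2011, 12, 1, 9, 45)))
```

The two calls at the bottom resolve the same outside address and port to two different inside hosts depending on the time asked about, and a time in the gap between the teardown and the next setup resolves to nothing at all; that gap is the honest answer when the notice's timestamp is imprecise or the firewall and DHCP clocks are not synchronized.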

