3 Replies Latest reply on Aug 25, 2016 1:32 PM by curtisi

    Filtering ASA messages by source interface or mapped address

    branfarm

      I have a scenario where we are migrating connections between providers, and during the process both old and new public IPs are valid. In this situation traffic can enter from either outside2 (old provider) or outside3 (new provider), destined for a host on dmz1. When I look at the LEM normalized data, I only have Source Machine (real address), Destination Machine (real address), and Interface (output interface) with which to filter. Lost in the normalization are the source interface and the destination mapped address. All of the data is contained in the raw message:


      %ASA-6-302013: Built inbound TCP connection 318371347 for outside2:1.97.24.19/50728 (1.97.24.19/50728) to dmz1:10.29.18.82/22 (4.5.6.7/22)


      For reference, the log format for this message is:


      %ASA-6-302013: Built {inbound|outbound} TCP connection_id for interface : real-address / real-port ( mapped-address/mapped-port) [( idfw_user)] to interface : real-address / real-port ( mapped-address/mapped-port) [( idfw_user)] [( user)]


      Is it possible to build a filter based on the raw data so I can limit searches based on either source interface or destination mapped IP? Or, if I can't filter, is it possible to use nDepth to search the raw data? So far I haven't been successful with the raw data search, but I'm still learning the ropes around LEM.
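One way to recover the fields LEM normalization drops is to parse the raw %ASA-6-302013 text directly against the format quoted above and filter on the resulting fields. This is an added example, not code from the post or from SolarWinds; the regex is my reading of the documented format (including the optional idfw_user/user groups), and the sample lines are constructed, with the first one copied from the post.

```python
import re
from typing import Optional

# Pattern for the %ASA-6-302013 "Built ... TCP connection" message, as documented:
#   interface:real-address/real-port (mapped-address/mapped-port) [(idfw_user)]
# on both the source and destination side. Optional trailing "(user)" groups are skipped.
ASA_302013 = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection "
    r"(?P<conn_id>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src_real>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_mapped>[\d.]+)/(?P<src_mapped_port>\d+)\)(?: \([^)]*\))?"
    r" to "
    r"(?P<dst_if>[\w-]+):(?P<dst_real>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped>[\d.]+)/(?P<dst_mapped_port>\d+)\)(?: \([^)]*\))*"
)


def parse_302013(line: str) -> Optional[dict]:
    """Return the named fields of a 302013 message, or None if the line is not one."""
    m = ASA_302013.search(line)
    return m.groupdict() if m else None


def filter_lines(lines, src_if: Optional[str] = None, dst_mapped: Optional[str] = None):
    """Keep only 302013 records whose source interface and/or destination mapped IP match."""
    matches = []
    for line in lines:
        fields = parse_302013(line)
        if fields is None:
            continue  # not a 302013 message (or a variant this regex does not cover)
        if src_if is not None and fields["src_if"] != src_if:
            continue
        if dst_mapped is not None and fields["dst_mapped"] != dst_mapped:
            continue
        matches.append(fields)
    return matches


# Constructed sample input: the post's own line, a made-up line via the new provider
# (outside3, documentation-range addresses), and a made-up outbound connection.
SAMPLE_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 318371347 for outside2:1.97.24.19/50728 "
    "(1.97.24.19/50728) to dmz1:10.29.18.82/22 (4.5.6.7/22)",
    "%ASA-6-302013: Built inbound TCP connection 318371348 for outside3:198.51.100.10/41000 "
    "(198.51.100.10/41000) to dmz1:10.29.18.82/22 (203.0.113.7/22)",
    "%ASA-6-302013: Built outbound TCP connection 318371349 for dmz1:10.29.18.82/55000 "
    "(4.5.6.7/55000) to outside2:1.97.24.19/443 (1.97.24.19/443)",
]

if __name__ == "__main__":
    for rec in filter_lines(SAMPLE_LINES, src_if="outside2"):
        print(rec["conn_id"], rec["src_if"], "->", rec["dst_if"], "mapped", rec["dst_mapped"])
```

The same regex can be adapted to the 302014 teardown message or to UDP (302015/302016), which share the interface:real (mapped) layout.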