
FEATURE REQUEST: Track Cisco firewall NAT builds in LEM normalized database

I believe it would be a great value for the LEM database to collect NAT information so that one can identify who traffic is originating from.  The LEM would need to track the internal (private) IP that is associated with a public IP address and port number at a specified date and time.  Tracking the associated user of the private IP would be an even bigger plus.  This type of forensic information is essential in investigating copyright violations and other security issues.

Currently, the LEM discards (Cisco ASA firewall) syslog information about NAT builds and teardowns.  At least there is a workaround, which is to enable the raw log collection.  However, this consumes a great deal of storage and isn't as readily searchable.  Adding this functionality would help the LEM become a better security tool.

  • FormerMember
    0 FormerMember

    With regards to the buildup NAT events from the ASA, we've actually recently developed a mechanism where customers can "opt in" to receiving these events in their normalized alert stream by reassigning their severity level to one we'll look for and normalize.

    There are a few things to consider:

    1. If it's "accepted traffic" that you're interested in monitoring, consider using the "log" target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you're made aware of.
    2. If it's the information about the actual NAT (as posted above) that you're interested in monitoring, consider the event load this will create. You might want to plan a "test phase" where you turn it on, determine if it's valuable to you for investigating (try some test scenarios), and then turn it off if you determine it's more noise than it's worth. Some people do find value in it, some people choose to turn it back off because of the noise.
    3. You can always consider the nDepth original log message store, as described above, if you're interested in unmodified log data (vs. the normalized data). For some people, this is a better solution, but it does consume disk space.
    4. Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same info as the built messages, along with some duration and size info that may or may not be useful. A lot of colleges & universities that are using the built messages do not rely on the teardown messages, they only need to know a connection was established for verification/analysis/correlation.
    5. Look at your own syslog data to determine which buildup and/or teardown events are of interest and use to you. There's a big list, but if it's really only one or two you care about, you can just enable those instead of everything.

    To enable the buildup NAT events to be caught by the latest LEM connector, you'll need to adjust the severity level of those events to "0" from "6" (the default). For info about changing the severity level of an ASA message, check out this Cisco command reference link.  The primary "built" event you'll be interested in for TCP tracking is 302013. Others include 302015, 302017, 302020, 302303, 305009, 305011, and 609011, but you'll want to check the descriptions in the Cisco System Log Messages Guide (will take a bit to load) to make sure those are of interest to you. LEM out of the box will capture 302003, 302009, and 603108 as we've determined these are low-noise high-relevance.

    Similarly, you can enable teardown NAT events. The teardown sibling to 302013 is 302014, but others include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. LEM out of the box will capture 603019 (the sibling to 603019).

    Currently if you follow these instructions the LEM connector download out on the portal will only capture the buildup NAT TCP event, but we're working on an update that will capture the others after multiple customer requests. You can prepare by following these instructions (the events will be dropped for now), and I'll update this post when that update is live.
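    As an added example (not code from this thread, from LEM, or from Cisco), the following Python script parses the ASA 302013 (Built) and 302014 (Teardown) syslog messages discussed above and builds the lookup the original request asks for: given a public IP and port at a point in time, which private IP was behind it. It also reads the severity digit from the `%ASA-N-` header so you can spot Built events still arriving at the default severity 6, i.e. not yet reassigned to 0 as described in the reply. The log lines, host name, connection ids, timestamps and addresses are constructed; the message layout follows the standard ASA text for these two message ids.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union

# Constructed sample ASA syslog lines (documentation-range addresses, made-up
# host name, connection ids and timestamps). The first three carry message
# 302013/302014 at severity 0 (reassigned for LEM); the last one is still at
# the ASA default severity 6. Note that mapped port 1025 is reused after
# connection 8842 is torn down, which is why lookups must be time-bounded.
SAMPLE_LOG = """\
Mar 10 2015 14:02:11 fw01 : %ASA-0-302013: Built outbound TCP connection 8842 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.20.30.40/51234 (198.51.100.7/1025)
Mar 10 2015 14:02:12 fw01 : %ASA-0-302013: Built outbound TCP connection 8843 for outside:203.0.113.51/80 (203.0.113.51/80) to inside:10.20.30.41/49152 (198.51.100.7/1026)
Mar 10 2015 14:05:30 fw01 : %ASA-0-302014: Teardown TCP connection 8842 for outside:203.0.113.50/443 to inside:10.20.30.40/51234 duration 0:03:19 bytes 5120 TCP FINs
Mar 10 2015 14:06:00 fw01 : %ASA-6-302013: Built outbound TCP connection 8844 for outside:203.0.113.52/22 (203.0.113.52/22) to inside:10.20.30.42/40000 (198.51.100.7/1025)
"""

# Syslog prefix: timestamp, host, then %ASA-<severity>-<message id>: <body>
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# 302013 body: Built ... for if:real/port (mapped/port) to if:real/port (mapped/port)
BUILT = re.compile(
    r"Built (?:inbound|outbound) (?:TCP|UDP) connection (?P<conn>\d+) for "
    r"\w+:(?P<real1>[\d.]+)/(?P<rport1>\d+) \((?P<map1>[\d.]+)/(?P<mport1>\d+)\) to "
    r"\w+:(?P<real2>[\d.]+)/(?P<rport2>\d+) \((?P<map2>[\d.]+)/(?P<mport2>\d+)\)"
)
# 302014 body: Teardown ... for if:real/port to if:real/port duration h:mm:ss bytes N
TEARDOWN = re.compile(
    r"Teardown (?:TCP|UDP) connection (?P<conn>\d+) for "
    r"\w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ duration [\d:]+ bytes (?P<bytes>\d+)"
)


@dataclass
class NatRecord:
    conn_id: str
    private_ip: str        # real (pre-NAT) inside address
    private_port: int
    public_ip: str         # mapped address as seen on the outside
    public_port: int
    peer_ip: str           # remote host the inside host talked to
    peer_port: int
    severity: int          # 0 = reassigned for LEM, 6 = ASA default
    built_at: datetime
    torn_down_at: Optional[datetime] = None
    bytes_transferred: Optional[int] = None


def _translated_side(m):
    """Return (private_ip, private_port, public_ip, public_port, peer_ip, peer_port).
    The NAT'd host is the side whose mapped address/port differs from its real
    one; if neither side is translated, the 'to' side is assumed to be inside."""
    side1 = (m["real1"], int(m["rport1"]), m["map1"], int(m["mport1"]))
    side2 = (m["real2"], int(m["rport2"]), m["map2"], int(m["mport2"]))
    inside, peer = (side1, side2) if side1[:2] != side1[2:] else (side2, side1)
    return inside + peer[:2]


def parse_nat_log(text: str) -> List[NatRecord]:
    records: List[NatRecord] = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if not h:
            continue
        ts = datetime.strptime(h["ts"], "%b %d %Y %H:%M:%S")
        if h["msgid"] == "302013":
            b = BUILT.match(h["body"])
            if b:
                records.append(NatRecord(b["conn"], *_translated_side(b), int(h["sev"]), ts))
        elif h["msgid"] == "302014":
            t = TEARDOWN.match(h["body"])
            if t:
                # Connection ids are reused over time, so close only the open record.
                for r in records:
                    if r.conn_id == t["conn"] and r.torn_down_at is None:
                        r.torn_down_at = ts
                        r.bytes_transferred = int(t["bytes"])
                        break
    return records


def who_was_behind(records: List[NatRecord], public_ip: str, public_port: int,
                   at: Union[datetime, str]) -> Optional[str]:
    """Which private IP held public_ip:public_port at time 'at' (datetime or ISO string)?"""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    hits = [r for r in records
            if r.public_ip == public_ip and r.public_port == public_port
            and r.built_at <= at and (r.torn_down_at is None or at <= r.torn_down_at)]
    return max(hits, key=lambda r: r.built_at).private_ip if hits else None


def not_yet_normalized(records: List[NatRecord]) -> List[str]:
    """Conn ids whose Built message still arrived at a severity other than 0."""
    return [r.conn_id for r in records if r.severity != 0]


if __name__ == "__main__":
    recs = parse_nat_log(SAMPLE_LOG)
    print(who_was_behind(recs, "198.51.100.7", 1025, "2015-03-10 14:03:00"))
    print("still at default severity:", not_yet_normalized(recs))
```

    Because the firewall recycles mapped ports as soon as a connection is torn down, the lookup is bounded by the Built and Teardown timestamps; a query that falls in the gap between one teardown and the next build deliberately returns nothing rather than the wrong host. The severity check is the quick way to confirm that the `logging message` reassignment took effect before relying on LEM's normalized stream.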

  • FormerMember
    0 FormerMember

    Also, Gary, I think support contacted you yesterday with the same answer, but I'm happy to close the loop here on thwack, too!

  • Nicole,

    Yes, I heard from LEM Support regarding the configuration settings to receive the NAT translation messages on the LEM. I had to upgrade the Cisco Tools on the LEM as part of enabling this ability, and I also made the changes you noted. There is still some development work that the LEM team has in the works before all of the Cisco messages are visible and they are going to call me back when they’ve completed it.

    Thanks,

    Gary

  • FormerMember
    0 FormerMember in reply to gary.landau

    Hey Gary,

    If you haven't heard yet, this is in the current downloadable Connectors Update Package on the Customer Portal. In that update, we've followed the same pattern of mapping all of the buildup/teardown events to alerts when they occur at severity 0 and letting you choose which ones you want to see in real-time.