• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 557

Cisco ASA - How can I tell which inside host is causing the most traffic, and which outside host it's connecting to?

I have a Cisco ASA 5505 setup with CLI and ASDM access.  The unit is configured with a DMZ, an outside interface, and an inside interface.  The LAN is mostly flat, with a single inside route to a separate segment that is isolated for security reasons.  There are (2) IPSec VPNs terminating on this edge device (Cisco ASA 5505).

In front of the ASA is a Cisco 1800 router that routes a /28 subnet down from our ISP.  We own the Cisco 1800 as well as the Cisco ASA.

We are seeing sporadic utilization spikes that I need to track down, and I can't seem to figure out the best way to do this.  What I need to know is WHICH inside hosts this traffic is going to, and WHICH outside hosts are causing it... we can't tell if the VPN is causing the traffic spike, or if it's one of the inside web hosts, etc. The only thing I CAN tell is that it is NOT the DMZ hosts causing the issue.

If anyone has any advice, I would appreciate it.  
1 Solution
Istvan Kalmar (Head of IT Security Division) commented:

"sh xlate" tells you how many NAT translation connections there are per outside address.
One of the tabs on the ASDM interface has history metrics that can be enabled, and if I remember correctly, highest traffic for inside and outside hosts are some of the parameters that are monitored by default.  You may need to click on the enable button for each graph separately.

jkeegan123 (Author) commented:
ikalmar:  SH XLATE is basically useless as all it shows is the number of translations.  A single page opening that has 30-40 graphics to load will open up a ton of translations; I need to know the PC or SERVER causing the traffic spike.

KuoH:  I am not able to find this, can you please be more specific?

I don't have an ASA accessible right now, but I was able to find a Cisco document that describes it.

If you click on the Firewall Dashboard tab, you'll see a window like the one in the link below.  At the bottom right, you can see a frame with Top 10 Services, Top 10 Sources and Top 10 Destinations tabs.  If you click the "enable" button in each of those windows, it will start to track those statistics.  After a while, it should populate the list with the top 10 IPs and the number of hits each counter has received.  Hopefully, that will help narrow down the suspects.
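The ASDM Top 10 counters above rank hosts by hit count, which is the same limitation the author raised against "sh xlate": a page with 40 images produces 40 translations but little traffic. The ASA's `show conn` output carries a byte count per connection, so the same top-sources / top-destinations view can be rebuilt by volume from a CLI snapshot. The script below is an added example, not code from the original thread or from Cisco; the `show conn` line layout it parses (protocol, two interface/address:port pairs, idle time, `bytes N`, flags) is an assumption based on the ASA connection table, and the sample lines are constructed, not captured from the poster's device.

```python
import re
from collections import defaultdict

# Constructed sample of `show conn` output (not real captured data). The line
# layout is assumed from the ASA connection table; real output on some releases
# adds extra fields such as mapped addresses, which this parser ignores.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 inside 192.168.1.25:52214, idle 0:00:02, bytes 48231904, flags UIO
TCP outside 203.0.113.10:443 inside 192.168.1.25:52215, idle 0:00:05, bytes 1320, flags UIO
TCP outside 198.51.100.7:80 inside 192.168.1.40:49180, idle 0:00:10, bytes 90112, flags UIO
UDP outside 198.51.100.7:53 inside 192.168.1.40:61000, idle 0:00:01, bytes 512, flags -
TCP outside 203.0.113.44:22 dmz 172.16.0.5:33000, idle 0:01:00, bytes 70000, flags UIO
TCP outside 203.0.113.10:443 inside 192.168.1.25:52216, idle 0:00:00, bytes 600000, flags UIO
"""

# One connection line: proto, ifaceA ipA:portA, ifaceB ipB:portB, ..., bytes N
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>\d+\.\d+\.\d+\.\d+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>\d+\.\d+\.\d+\.\d+):(?P<port_b>\d+),"
    r".*?\bbytes\s+(?P<bytes>\d+)"
)


def parse_conn_lines(text):
    """Return one dict per parseable connection line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # headers, summary lines, or a layout we do not recognise
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        conns.append(d)
    return conns


def _endpoints(conn, interface):
    """Return (local_ip, peer_ip) if one side of the conn is on `interface`, else None."""
    if conn["if_a"] == interface:
        return conn["ip_a"], conn["ip_b"]
    if conn["if_b"] == interface:
        return conn["ip_b"], conn["ip_a"]
    return None


def top_talkers(conns, interface="inside", n=10):
    """Rank hosts on `interface` by total bytes over their current connections."""
    totals = defaultdict(int)
    for c in conns:
        ep = _endpoints(c, interface)
        if ep:
            totals[ep[0]] += c["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_peers_for_host(conns, host, interface="inside", n=10):
    """For one host on `interface`, rank the far-side addresses it talks to by bytes."""
    totals = defaultdict(int)
    for c in conns:
        ep = _endpoints(c, interface)
        if ep and ep[0] == host:
            totals[ep[1]] += c["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    conns = parse_conn_lines(SAMPLE_SHOW_CONN)
    # DMZ hosts are excluded simply by asking for the "inside" interface.
    for ip, total in top_talkers(conns, "inside"):
        print(f"{ip:<16} {total:>12} bytes")
        for peer, peer_bytes in top_peers_for_host(conns, ip, n=3):
            print(f"    -> {peer:<16} {peer_bytes:>12} bytes")
```

To use it on a real box, save the output of `show conn` to a file (disable paging first so the table is not truncated) and feed that text to `parse_conn_lines` instead of the sample. Two caveats: the connection table is a snapshot, so the byte counts only cover connections still open at that moment, which means the snapshot has to be taken during the spike to be meaningful; and traffic arriving over the two IPSec tunnels shows up as connections between inside hosts and the remote VPN subnets, so the peer ranking will point at those subnets rather than at the tunnel itself.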


Pulling up that screen that automatically graphs things is best.  I'm not sure if the 5510 does it or not, but Cisco was supposed to allow ASAs to export NetFlow data very soon on new(er) code.  Not sure if that is a help to you or not.