Cisco ASA - How can I tell which inside host is causing the most traffic, and which outside host it's connecting to?

I have a Cisco ASA 5505 setup with CLI and ASDM access.  The unit is configured with a DMZ, an outside interface, and an inside interface.  The LAN is mostly flat, with a single inside route to a separate segment that is isolated for security reasons.  There are (2) IPSec VPNs terminating on this edge device (Cisco ASA 5505).

In front of the ASA is a Cisco 1800 router that routes a /28 subnet down from our ISP.  We own the Cisco 1800 as well as the Cisco ASA.

We are seeing sporadic utilization spikes that I need to track down, and I can't seem to figure out the best way to do this.  What I need to know is WHICH inside hosts this traffic is going to, and WHICH outside hosts are causing it.  We can't tell if the VPN is causing the traffic spike, or if it's one of the inside web hosts, etc.  The only thing I CAN tell is that it is NOT the DMZ hosts causing the issue.

If anyone has any advice, I would appreciate it.  

Istvan KalmarHead of IT Security Division Commented:

"sh xlate" tells how many NAT translation connections each outside address has.
One of the tabs on the ASDM interface has history metrics that can be enabled, and if I remember correctly, highest traffic for inside and outside hosts are some of the parameters that are monitored by default.  You may need to click on the enable button for each graph separately.

jkeegan123Author Commented:
ikalmar:  SH XLATE is basically useless as all it shows is the number of translations.  A single page opening that has 30-40 graphics to load will open up a ton of translations; I need to know the PC or SERVER causing the traffic spike.

KuoH:  I am not able to find this, can you please be more specific?

I don't have an ASA accessible right now, but I was able to find a Cisco document that describes it.

If you click on the Firewall Dashboard tab, you'll see a window like the one in the link below.  At the bottom right, you can see a frame with Top 10 Services, Top 10 Sources and Top 10 Destinations tabs.  If you click the "enable" button in each of those windows, it will start to track those statistics.  After a while, it should populate the list with the top 10 IPs and the number of hits each counter has received.  Hopefully, that will help narrow down the suspects.
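Since "sh xlate" only counts translations, a CLI alternative to the ASDM Top 10 view is to rank the per-connection byte counts that `show conn` prints. The script below is an added example, not from this thread or from Cisco: it parses a constructed sample in the one-line layout of ASA 8.x output (the exact layout varies by software version, so the regex and the interface names `in`/`out` are assumptions) and ranks inside hosts and inside-to-outside pairs by bytes, which answers both halves of the question at once.

```python
import re
from collections import defaultdict

# Constructed sample of "show conn" output in the one-line layout used by
# ASA 8.x software; real output varies by version, so adjust CONN_RE if
# your device prints a different layout.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:443 in 192.168.1.20:51234 idle 0:00:05 bytes 4200000 flags UIO
TCP out 203.0.113.10:443 in 192.168.1.20:51240 idle 0:00:02 bytes 1800000 flags UIO
TCP out 198.51.100.7:80 in 192.168.1.35:49152 idle 0:00:11 bytes 120000 flags UIO
UDP out 198.51.100.53:53 in 192.168.1.35:40001 idle 0:00:01 bytes 350 flags -
TCP out 203.0.113.10:443 in 192.168.1.35:49200 idle 0:00:03 bytes 900000 flags UIO
TCP dmz 10.10.10.5:25 in 192.168.1.20:50000 idle 0:00:09 bytes 50000 flags UIO
"""

# proto, interface/ip:port, interface/ip:port, ..., bytes N
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):\d+\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):\d+.*?\bbytes\s+(?P<bytes>\d+)"
)

def parse_conns(text, inside_if="in", outside_if="out"):
    """Yield (inside_ip, outside_ip, bytes) for each connection that
    spans the inside and outside interfaces; DMZ/VPN legs are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ends = {m["if_a"]: m["ip_a"], m["if_b"]: m["ip_b"]}
        if inside_if in ends and outside_if in ends:
            yield ends[inside_if], ends[outside_if], int(m["bytes"])

def top_talkers(text, inside_if="in", outside_if="out"):
    """Return (hosts, pairs): inside hosts and (inside, outside) pairs,
    each as a list of (key, total_bytes) sorted largest first."""
    by_host, by_pair = defaultdict(int), defaultdict(int)
    for inside, outside, n in parse_conns(text, inside_if, outside_if):
        by_host[inside] += n
        by_pair[(inside, outside)] += n
    hosts = sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)
    pairs = sorted(by_pair.items(), key=lambda kv: kv[1], reverse=True)
    return hosts, pairs

if __name__ == "__main__":
    hosts, pairs = top_talkers(SAMPLE_SHOW_CONN)
    for ip, n in hosts:
        print(f"{ip:16} {n:>12} bytes")
    for (ins, outs), n in pairs[:5]:
        print(f"{ins:16} -> {outs:16} {n:>12} bytes")
```

Paste real `show conn` output in place of the sample; a snapshot taken during a spike shows which inside host and which outside peer carry the bytes, whereas `show xlate` only shows how many translations exist.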


Pulling up that screen that automatically graphs things is best.  I'm not sure if the 5510 does it or not, but Cisco was supposed to allow ASAs to export NetFlow data very soon on new(er) code.  Not sure if that is a help to you or not.