jkeegan123
asked on
Cisco ASA - How can I tell which inside host is causing the most traffic, and which outside host it's connecting to?
I have a Cisco ASA 5505 setup with CLI and ASDM access. The unit is configured with a DMZ, an outside interface, and an inside interface. The LAN is mostly flat, with a single inside route to a separate segment that is isolated for security reasons. There are (2) IPSec VPNs terminating on this edge device (Cisco ASA 5505).
In front of the ASA is a Cisco 1800 router that routes a /28 subnet down from our ISP. We own the Cisco 1800 as well as the Cisco ASA.
We are seeing sporadic utilization spikes that I need to track down, and I can't seem to figure out the best way to do this. What I need to know is WHICH inside hosts this traffic is going to, and WHICH outside hosts are causing it... we can't tell if the VPN is causing the traffic spike, or if it's one of the inside web hosts, etc. The only thing I CAN tell is that it is NOT the DMZ hosts causing the issue.
If anyone has any advice, I would appreciate it.
One of the tabs on ASDM interface has history metrics that can be enabled, and if I remember correctly, highest traffic for inside and outside hosts are some parameters that are monitored by default. You may need to click on the enable button for each graph separately.
KuoH
ASKER
ikalmar: SH XLATE is basically useless as all it shows is the number of translations. A single page opening that has 30-40 graphics to load will open up a ton of translations; I need to know the PC or SERVER causing the traffic spike.
KuoH: I am not able to find this, can you please be more specific?
Thanks!
Pulling up that screen that automatically graphs things is best. I'm not sure if the 5510 does it or not, but Cisco was supposed to allow ASAs to export netflow data very soon on new(er) code. Not sure if that is a help to you or not.
The "sh xlate" tells how many nat translation connection has per outside address