Trusted Contributor.
Trusted Contributor.

sourceTranslatedAddress and destinationTranslatedAddress in wrong locations for UDP traffic.

Hello all.  Seems for UDP traffic, we have run into a bit of an issue when it comes to data mapped from our CISCO ASA Firewall devices.  The sourceTranslatedAddress and destinationTranslatedAddress are swapped.  An example is below.  the sourceTranslatedAddress should be and the destinationTranslatedAddress should be  This issue does not exist for TCP traffic.  Is there any fix?

sourceAddress     sourceTranslatedAddress     destinationAddress     destinationTranslatedAddress      




UDP traffic coming from our Cisco ASA is being

2 Replies
Acclaimed Contributor.
Acclaimed Contributor.


1 : you can use TCP instead of UDP (its the easiest way to do it. since already noticed it)

2: Set getter and setter in your connector mapping file. 

Knowledge Partner Knowledge Partner
Knowledge Partner


Looks interesting - do you know for which exact message this happens?

Have a look into https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.pdf  this is the reference guide for Cisco Messages. As far as i know the parsers are implemented very narrow on this guide.

DeviceEbenetClassID holds the message NR.


I had a look at  a RAW message in our environment (IP's anonymized):

"%ASA-6-302015:  Built outbound UDP connection 1233 for outside: ( to interface: ("

outside ( goes into sourceAddress and sourceTranslatedAddress

destinationAddress is filled with
destinationTranslatedAddress  is

as long as the device does not know about the translation for outside, this makes total sense to me. 

What about the Raw event, do sou see all 3 or 4 addresses in there?

Maybe you can share some details...



From the PDF

Error Message %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name
:real_address /real_port (mapped_address /mapped_port ) [(idfw_user )] to interface_name
:real_address /real_port (mapped_address /mapped_port )[(idfw_user )] [(user )]
Explanation A UDP connection slot between two hosts was created. The following list describes the message
• number—A unique identifier
• interface, real_address, real_port—The actual sockets
• mapped_address and mapped_port—The mapped sockets
• user—The AAA name of the user
• idfw_user —The name of the identity firewall user
If inbound is specified, then the original control connection is initiated from the outside. For example, for
UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified,
then the original control connection is initiated from the inside.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.