Trusted Contributor.

sourceTranslatedAddress and destinationTranslatedAddress in wrong locations for UDP traffic.

Hello all. Seems for UDP traffic, we have run into a bit of an issue when it comes to data mapped from our CISCO ASA Firewall devices. The sourceTranslatedAddress and destinationTranslatedAddress are swapped. An example is below. The sourceTranslatedAddress should be 181.133.202.63 and the destinationTranslatedAddress should be 65.232.122.232. This issue does not exist for TCP traffic. Is there any fix?

sourceAddress     sourceTranslatedAddress     destinationAddress     destinationTranslatedAddress
192.168.1.1       65.232.122.232              65.232.122.232         181.133.202.63

UDP traffic coming from our Cisco ASA is being

0 Likes
2 Replies
Acclaimed Contributor.

Hi,

1: You can use TCP instead of UDP (it's the easiest way to do it, since you already noticed it).

2: Set getter and setter in your connector mapping file. 

Mr
0 Likes
Knowledge Partner

Hi

Looks interesting - do you know for which exact message this happens?

Have a look into https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.pdf; this is the reference guide for Cisco messages. As far as I know, the parsers are implemented very narrowly on this guide.

DeviceEventClassID holds the message NR.

UPDATE:

I had a look at a RAW message in our environment (IPs anonymized):

"%ASA-6-302015:  Built outbound UDP connection 1233 for outside: 8.8.8.8/53 (8.8.8.8/53) to interface:192.168.1.1/19759 (4.4.4.4/19759)"

outside (8.8.8.8) goes into sourceAddress and sourceTranslatedAddress

destinationAddress is filled with 192.168.1.1
destinationTranslatedAddress  is 4.4.4.4

As long as the device does not know about the translation for outside, this makes total sense to me.

What about the raw event, do you see all 3 or 4 addresses in there?

Maybe you can share some details...

Cheers

 

From the PDF

302015
Error Message %ASA-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) [(idfw_user)] to interface_name:real_address/real_port (mapped_address/mapped_port) [(idfw_user)] [(user)]

Explanation A UDP connection slot between two hosts was created. The following list describes the message values:
• number—A unique identifier
• interface, real_address, real_port—The actual sockets
• mapped_address and mapped_port—The mapped sockets
• user—The AAA name of the user
• idfw_user—The name of the identity firewall user

If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.

0 Likes
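To answer the "which addresses are in the raw event" question for a given event, the sketch below parses a %ASA-6-302015 message according to the format quoted from the Cisco guide and reports which raw slot each normalized address field value came from. It is an added example, not part of the thread and not the connector's own parser; the names `parse_302015`, `trace_fields` and the slot labels are hypothetical.

```python
import re

# One endpoint as laid out in the Cisco guide:
#   interface_name:real_address/real_port (mapped_address/mapped_port) [(idfw_user)]
# \s* around ':' and '/' tolerates the spacing seen in PDF and anonymized copies.
_ENDPOINT = (r"(?P<{p}_if>[^\s:]+)\s*:\s*(?P<{p}_real>[^\s/]+)\s*/\s*(?P<{p}_real_port>\d+)"
             r"\s*\(\s*(?P<{p}_mapped>[^\s/]+)\s*/\s*(?P<{p}_mapped_port>\d+)\s*\)"
             r"(?:\s*\((?P<{p}_idfw_user>[^)]*)\))?")
_MSG_302015 = re.compile(
    r"%ASA-6-302015:\s*Built\s+(?P<direction>inbound|outbound)\s+UDP\s+connection\s+"
    r"(?P<number>\d+)\s+for\s+" + _ENDPOINT.format(p="first")
    + r"\s+to\s+" + _ENDPOINT.format(p="second") + r"(?:\s*\((?P<user>[^)]*)\))?")

# Hypothetical labels: "first" is the endpoint after "for", "second" the one after "to".
SLOTS = ("first_real", "first_mapped", "second_real", "second_mapped")


def parse_302015(raw):
    """Return the fields of a %ASA-6-302015 message, or None for any other message."""
    m = _MSG_302015.search(raw)
    return m.groupdict() if m else None


def trace_fields(raw, normalized):
    """Map each normalized address field to the raw slots that hold the same value.

    An empty list means the value does not appear in the raw message at all.
    """
    parsed = parse_302015(raw)
    if parsed is None:
        raise ValueError("not a %ASA-6-302015 message")
    return {field: [s for s in SLOTS if parsed[s] == value]
            for field, value in normalized.items()}


# Raw message quoted in the reply above (already anonymized there).
RAW = ('%ASA-6-302015:  Built outbound UDP connection 1233 for outside: 8.8.8.8/53 '
       '(8.8.8.8/53) to interface:192.168.1.1/19759 (4.4.4.4/19759)')
# Normalized values as the reply describes them for this message.
NORMALIZED = {"sourceAddress": "8.8.8.8", "sourceTranslatedAddress": "8.8.8.8",
              "destinationAddress": "192.168.1.1", "destinationTranslatedAddress": "4.4.4.4"}

if __name__ == "__main__":
    for field, slots in trace_fields(RAW, NORMALIZED).items():
        print(f"{field:30} <- {slots}")
```

Run it with the raw event and the four normalized values from an affected UDP event; a translated field that traces to the other endpoint's slot, or to no slot, points at the mapping rather than at the device.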