Troubleshooting Guide for Cisco ASA 5525-X Adaptive Security Appliance - No Payload Encryption

ASA/IPS FAQ: How does IPS display untranslated real IP addresses in event logs?
Document ID: 118729
Contributed by Prashant Joshi and Dinkar Sharma, Cisco TAC Engineers.
Feb 10, 2015
Contents
Introduction
Background Information
How does IPS display untranslated real IP addresses in event logs?
Related Information
Introduction
This document explains how the Cisco Intrusion Prevention System (IPS) displays untranslated real IP
addresses in the event logs, although the Adaptive Security Appliance (ASA) sends traffic to the IPS after it
performs Network Address Translation (NAT).
Background Information
Topology
♦ The private IP address of the server: 192.168.1.10
♦ The public IP address of the server (NATed): 203.0.113.2
♦ The attacker's IP address: 203.0.113.10
How does IPS display untranslated real IP addresses in event logs?
Explanation
When the ASA sends a packet to IPS, it encapsulates that packet into a Cisco ASA/Security Services Module
(SSM) Backplane Protocol header. This header contains a field that represents the real IP address of the inside
user behind the ASA.
These logs show an attacker that sends Internet Control Message Protocol (ICMP) packets to the public IP
address of the server, 203.0.113.2. The packet captured on the IPS shows that the ASA punts the packets to