Updated: February 10, 2015
This document explains how the Cisco Intrusion Prevention System (IPS) displays untranslated real IP addresses in its event logs, even though the Adaptive Security Appliance (ASA) sends traffic to the IPS only after it performs Network Address Translation (NAT).
The private IP address of the server: 192.168.1.10
The public (NATed) IP address of the server: 203.0.113.2
The attacker's IP address: 203.0.113.10
How does IPS display untranslated real IP addresses in event logs?
When the ASA sends a packet to the IPS, it encapsulates the packet in a Cisco ASA/Security Services Module (SSM) Backplane Protocol header. This header contains a field that carries the real (untranslated) IP address of the inside host behind the ASA, which is what the IPS writes into its event logs.
The capture below shows an attacker that sends Internet Control Message Protocol (ICMP) packets to the public IP address of the server, 203.0.113.2. The packets captured on the IPS show that the ASA punts them to the IPS after it performs NAT: the echo requests already carry the server's real address 192.168.1.10 as the destination, and the echo replies carry the public address 203.0.113.2 as the source.
IPS# packet display PortChannel0/0
Warning: This command will cause significant performance degradation
tcpdump: WARNING: po0_0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on po0_0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:40:06.239024 IP 203.0.113.10 > 192.168.1.10: ICMP echo request, id 512, seq 31232, length 40
03:40:06.239117 IP 203.0.113.10 > 192.168.1.10: ICMP echo request, id 512, seq 31232, length 40
03:40:06.239903 IP 203.0.113.2 > 203.0.113.10: ICMP echo reply, id 512, seq 31232, length 40
03:40:06.239946 IP 203.0.113.2 > 203.0.113.10: ICMP echo reply, id 512, seq 31232, length 40
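The capture above mixes real and translated addresses depending on direction, which is exactly why the IPS needs the real address from the backplane header to log a flow consistently. The following Python script is an added example, not code from the Cisco document or from the IPS itself: it parses the four tcpdump lines quoted above, applies the static NAT mapping the scenario assumes (203.0.113.2 to 192.168.1.10, an assumption taken from the address list on this page), and shows that without the real address the request and reply are attributed to two different flows, while with it they collapse into one, as the IPS event log reports them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, FrozenSet

# Constructed sample input: the four packet lines from the IPS capture on this page.
CAPTURE = """\
03:40:06.239024 IP 203.0.113.10 > 192.168.1.10: ICMP echo request, id 512, seq 31232, length 40
03:40:06.239117 IP 203.0.113.10 > 192.168.1.10: ICMP echo request, id 512, seq 31232, length 40
03:40:06.239903 IP 203.0.113.2 > 203.0.113.10: ICMP echo reply, id 512, seq 31232, length 40
03:40:06.239946 IP 203.0.113.2 > 203.0.113.10: ICMP echo reply, id 512, seq 31232, length 40
"""

# Assumed static NAT entry from the page's scenario: public address -> real (inside) address.
# On the real appliance this information arrives in the ASA/SSM backplane header;
# here a dictionary stands in for it.
NAT_PUBLIC_TO_REAL: Dict[str, str] = {"203.0.113.2": "192.168.1.10"}

# Matches the tcpdump one-line summary format used in the capture above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"(?P<proto>\w+) (?P<info>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    dst: str
    proto: str
    info: str


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump summary lines; lines that do not match (banners, warnings) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(**m.groupdict()))
    return packets


def real_address(ip: str) -> str:
    """Return the untranslated address for a NATed public address, or the address unchanged."""
    return NAT_PUBLIC_TO_REAL.get(ip, ip)


def normalize(pkt: Packet) -> Packet:
    """Rewrite both endpoints to real addresses, as the IPS does using the backplane header."""
    return Packet(pkt.ts, real_address(pkt.src), real_address(pkt.dst), pkt.proto, pkt.info)


def flow_key(pkt: Packet) -> FrozenSet[str]:
    """Direction-independent flow identifier: the unordered pair of endpoints."""
    return frozenset((pkt.src, pkt.dst))


def count_flows(packets: List[Packet], use_real_addresses: bool) -> int:
    """Number of distinct flows seen; with NAT left in place, request and reply split apart."""
    keys = set()
    for p in packets:
        if use_real_addresses:
            p = normalize(p)
        keys.add(flow_key(p))
    return len(keys)


def event_log(packets: List[Packet]) -> List[str]:
    """Render each packet the way an event log that knows the real addresses would."""
    lines = []
    for p in packets:
        n = normalize(p)
        lines.append(f"{n.ts} {n.proto} {n.info.split(',')[0]} {n.src} -> {n.dst}")
    return lines


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    print("flows without real addresses:", count_flows(pkts, use_real_addresses=False))
    print("flows with real addresses:   ", count_flows(pkts, use_real_addresses=True))
    for line in event_log(pkts):
        print(line)
```

The script reports two flows when the translated addresses are used as-is and one flow once the reply's source is mapped back to 192.168.1.10. The same normalization step is what lets an analyst correlate an IPS event, which names the real inside host, with an ASA-side capture or syslog entry that names the public address.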
Here are the event logs on the IPS for the ICMP request packets from the attacker.