Is it too much to ask for nslookup on syslogs?

itdaddy Member Posts: 2,089
hey guys
Am I dreaming, but it sure would be nice to have a URL address next to the IP address in my syslogs. I mean I would like to know where each IP that is traversing my network through my ASA 5505 is going to or coming from. I know some of the IP addresses, but gee, am I asking too much of Cisco to translate each IP address into a human-readable URL address (domain address) so I know what domain it is coming from, vs. me having to do an nslookup on each IP address, which can be quite a few, and then I forget which ones came from where? Can anyone help me find a tool, or can the ASA do that? Or do I have to get the 10,000 ASA to do something as simple as nslookup on each IP that comes through? It would be nice if in the syslogs I could see that..;) It just would be nice to have a heading URL and be able to sort and see the names of domains vs. IP addresses. This just makes me nuts... it is the programmer in me that knows there has to be a way..

Comments

  • mikej412 Member Posts: 10,086
    Then tell your syslog server to do that.... or change to a syslog server that can do it.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • APA Member Posts: 959
    Dude, imagine the amount of overhead you would place on the ASA just so you could have an easy-to-read syslog file.

    Asking the ASA to dns lookup every network range coming into your ASA..... every time it comes in???? jesus....

    Why don't you manually nslookup/dig... then, instead of forcing yourself to remember, set a name with the ASA

    like

    names
    name x.x.x.x techexams.net
    name x.x.x.x itdaddy.askstoomuch.oftheasa.com
    name x.x.x.x whydon't.asas.likeipv6tunnels.com

    :D

    Hope this helps... not as dynamic as you probably would like, but it would sure save you the hassle of troubleshooting why your ASA is underperforming... ;p

    This is how I like to see my syslog... you don't need to spend on a syslog app that can perform nslookups...and the syslog info is dumped from the ASA to the syslog file as a FQDN.

    However... you don't get the IP address...only the FQDN...

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • sprkymrk Member Posts: 4,884
    I have managed firewalls that can do this. When I enable it, my clients' web browsing slows to a crawl on my 400 +/- network.

    However, if you have a separate syslog server you want to enable this on, it might work. Just do like Mike suggested - find a syslog server with that feature.
    All things are possible, only believe.
  • itdaddy Member Posts: 2,089
    sprkymrk

    that is what I am talking about. I program on the side and I am sure the ASDM can do the work separately using my PC as the processing power. I am not asking the ASA to do that.
    I am asking my ASDM to do that and use the processing power on the PC I am using. It is a matter of application function and design... ASDM is supposed to by nature be a human interface. It is very time consuming to look up 100s of IPs. The ASDM by architecture
    should be able to use my PC independent of the ASA processor. Someone say amen!

    But yeah, I should not have to get a 3rd party software; it should just do it. I am constantly
    having to modify stuff on other people's systems just to get it to work. People just need to put themselves in the user perspective, that is all. The ASDM should do it by toggling between pulling data from the ASA and its own thing like nslookup on my local machine as it pulls syslogs through. I don't mind a little latency on my PC... I know it can be done but it sucks that they don't think of this.. I bet if I bought the high-end ASAs it would have it, just my 2 cents.. I see it all the time, you have to buy the upgrade to get this..
    sorry I sound like a jerk but I don't mean to, just disappointed...
    thanks guys!

    Where do I find one; free, that is, hahaha. Can I enable Cisco ASA 5505 to do that??
    It only happens at night, all this activity. I know some IPs
    of course, but when it says domain.ne I get nervous, if you know what I mean..
    I will look for one

    Any suggestion on a syslog server, free, that does this.. I can look but you guys are the experts... I am still a wannabe ;)
    thanks

    Do you know if the ASDM 6.x series has the nslookup function????
  • mikej412 Member Posts: 10,086
    :mike: Cisco Certifications -- Collect the Entire Set!
  • itdaddy Member Posts: 2,089
    thanks big guy! fantastic ;)
  • sprkymrk Member Posts: 4,884
    Just remember, a syslog server is not a replacement for an IDS.

    If you are worried about stuff like what you posted here, you could try blocking entire networks by country codes. Places like China and Taiwan have no need to access my network, so therefore they are blocked.
    All things are possible, only believe.
  • itdaddy Member Posts: 2,089
    sprkymrk

    that is a great idea sprkymrk, wow! never thought I could do that. Is it via ACL? Do I have
    to define it first, or where can I look to config and understand that; yeah that is exactly what I want to do, block Europe from my home, if you know what I mean :)
    I see way too many hits from the Netherlands, Belgium etc... and those spots, as you all know, are the hot spots and no need for them even accessing my gateway.. thanks ;)
    super
  • sprkymrk Member Posts: 4,884
    How about something like this?

    Country IP Blocks: Network Allocations by Country with Searchable IP Database

    Select the country you want to block, hit submit, and it will return all the IPs owned/registered by that country. You know how to build an ACL, so that should get you going.
    All things are possible, only believe.
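The ACL step sprkymrk describes, as an added example that is not from the thread, from Cisco, or from the linked site: a Python script that reads a country-block export (assumed here to be one CIDR per line with `#` comments; the sample list is constructed from documentation ranges, not any real country's allocations), collapses overlapping and adjacent blocks so the ACL stays short, and emits ASA `access-list NAME extended deny ip NETWORK MASK any` entries. The ACL name `outside_in` is an assumption.

```python
"""Build Cisco ASA deny entries from a country IP-block export (added example, not Cisco tooling)."""
import ipaddress
from typing import List

# Constructed sample export: documentation ranges only, not a real country's allocations.
SAMPLE_EXPORT = """\
# country: XX (constructed)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26      # already covered by the /24 above
192.0.2.0/24
not-an-address       # malformed lines are reported and skipped
"""


def parse_cidrs(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, ignoring blanks, '#' comments and anything that is not IPv4."""
    nets: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        try:
            net = ipaddress.ip_network(body, strict=False)
        except ValueError:
            print(f"line {lineno}: skipping malformed entry {body!r}")
            continue
        if isinstance(net, ipaddress.IPv4Network):
            nets.append(net)
    return nets


def aggregate(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping and adjacent blocks; fewer ACEs means less for the ASA to evaluate."""
    return list(ipaddress.collapse_addresses(nets))


def asa_deny_entries(acl_name: str, nets: List[ipaddress.IPv4Network]) -> List[str]:
    """One extended ACE per block. The ASA takes a subnet mask here, not an IOS wildcard mask."""
    return [
        f"access-list {acl_name} extended deny ip {n.network_address} {n.netmask} any"
        for n in nets
    ]


def build_acl(acl_name: str, export_text: str) -> List[str]:
    return asa_deny_entries(acl_name, aggregate(parse_cidrs(export_text)))


if __name__ == "__main__":
    for ace in build_acl("outside_in", SAMPLE_EXPORT):
        print(ace)
```

The generated deny entries belong ahead of any permit lines in the ACL bound inbound on the outside interface, since the ASA stops at the first matching entry; an ACL made only of these denies would block everything because of the implicit deny at the end, so the existing permits still have to follow them.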
  • itdaddy Member Posts: 2,089
    sweet, thank you, yeah I have some work ahead of me and I am really stoked to get my tunnel going. I am just lazy and wanted to just have my ASA do it since I paid so much money for it, and I only paid 100.00 for my 831 SOHO hahaha got to love it haha
    oh well it is all about learning really so I just don't care; I kind of only wanted limited devices but well I guess my SOHO will be my internal router. thanks yeah firewall stuff is a bummer but it is kind of fun to see who is trying to get to you and then blocking their buttocks! haha
    haha
    thanks sprkymrk and mikeJ and the rest, and EdTheLand dude you really got me
    I laughed so hard when you said I was lying 'cause you said lie hahahaha haha
    haha you really got me so bad haha;) good one;)
  • mikearama Member Posts: 749
    A.P.A wrote: »
    names
    name x.x.x.x techexams.net
    name x.x.x.x itdaddy.askstoomuch.oftheasa.com
    name x.x.x.x whydon't.asas.likeipv6tunnels.com

    :D

    name x.x.x.x ohmygod.net
    name x.x.x.x thatsfunnyas.hell.com

    Nicely done, APA.

    I wish Cisco would steal the whois/dnslookup features from our TopLayer IPSs. In the verbiage of the alert from any deny, you can right-click on the offending IP, and two of the options in the dropdown menu are "whois" and "dnslookup". Clicking whois opens a browser to the arin.net whois page. Bloody brilliant.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.