Submit a ticketCall us

Announcing NCM 7.7
With NCM 7.7, you can examine the rules that make up an access control list for a Cisco ASA device. Then you can apply filters to display only rules that meet the specified criteria, order the rules by line number or by the hit count, and much more.
See new features and improvements.

Home > Success Center > Log & Event Manager (LEM) > Cisco ASA - Session/NAT build-ups and teardowns

Cisco ASA - Session/NAT build-ups and teardowns

Table of contents

Updated February 10th, 2016


With regards to the buildup NAT events from the ASA, we've actually recently developed a mechanism where customers can "opt in" to receiving these events in their normalized alert stream by reassigning their severity level to one we'll look for and normalize.


  • LEM


There are a few things to consider:
  1. If it's "accepted traffic" that you're interested in monitoring, consider using the "log" target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you're made aware of.
  2. If it's the information about the actual NAT (as posted above) that you're interested in monitoring, consider the event load this will create. You might want to plan a "test phase" where you turn it on, determine if it's valuable to you for investigating (try some test scenarios), and then turn it off if you determine it's more noise than it's worth. Some people do find value in it, some people choose to turn it back off because of the noise.
  3. You can always consider the nDepth original log message store, as described above, if you're interested in unmodified log data (vs. the normalized data). For some people, this is a better solution, but it does consume disk space.
  4. Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same info as the built messages, along with some duration and size info that may or may not be useful. A lot of colleges & universities that are using the built messages do not rely on the teardown messages, they only need to know a connection was established for verification/analysis/correlation.
  5. Look at your own syslog data to determine which buildup and/or teardown events are of interest and use to you. There's a big list, but if it's really only one or two you care about, you can just enable those instead of everything.
To enable the buildup NAT events to be caught by the latest LEM connector, you'll need to adjust the severity level of those events to "0" from "6" (the default). For info about changing the severity level of an ASA message, check out this Cisco command reference link (© 2017 Cisco, available at, obtained on February 24th, 2017.).  The primary "built" event you'll be interested in for TCP tracking is 302013. Others include 302015, 302017, 302020, 302303, 305009, 305011, and 609011, but you'll want to check the descriptions in the Cisco System Log Messages Guide (© 2017 Cisco, available at, obtained on February 24th, 2017.) (will take a bit to load) to make sure those are of interest to you. LEM out of the box will capture 302003, 302009, and 603108 as we've determined these are low-noise high-relevance.



Last modified
15:35, 24 Feb 2017