Submit a ticketCall us

WebinarUpcoming Webinar: How Help Desk and Remote Support Pays for Itself

Learn how help desk software can simplify ticketing management, allow you to track hardware and software assets, and accelerate the speed of IT support and service delivery. Gain insights on how remote support tools allow your IT team to maximize their efficiency and ticket resolution by expediting desktop troubleshooting, ultimately helping keep end-users happy and productive.

Register here.

Home > Success Center > Log & Event Manager (LEM) > Cisco ASA - Session/NAT build-ups and teardowns

Cisco ASA - Session/NAT build-ups and teardowns

Table of contents

Updated February 10th, 2016


With regards to the buildup NAT events from the ASA, we've actually recently developed a mechanism where customers can "opt in" to receiving these events in their normalized alert stream by reassigning their severity level to one we'll look for and normalize.


  • LEM


There are a few things to consider:
  1. If it's "accepted traffic" that you're interested in monitoring, consider using the "log" target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you're made aware of.
  2. If it's the information about the actual NAT (as posted above) that you're interested in monitoring, consider the event load this will create. You might want to plan a "test phase" where you turn it on, determine if it's valuable to you for investigating (try some test scenarios), and then turn it off if you determine it's more noise than it's worth. Some people do find value in it, some people choose to turn it back off because of the noise.
  3. You can always consider the nDepth original log message store, as described above, if you're interested in unmodified log data (vs. the normalized data). For some people, this is a better solution, but it does consume disk space.
  4. Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same info as the built messages, along with some duration and size info that may or may not be useful. A lot of colleges & universities that are using the built messages do not rely on the teardown messages, they only need to know a connection was established for verification/analysis/correlation.
  5. Look at your own syslog data to determine which buildup and/or teardown events are of interest and use to you. There's a big list, but if it's really only one or two you care about, you can just enable those instead of everything.
To enable the buildup NAT events to be caught by the latest LEM connector, you'll need to adjust the severity level of those events to "0" from "6" (the default). For info about changing the severity level of an ASA message, check out this Cisco command reference link (© 2017 Cisco, available at, obtained on February 24th, 2017.).  The primary "built" event you'll be interested in for TCP tracking is 302013. Others include 302015, 302017, 302020, 302303, 305009, 305011, and 609011, but you'll want to check the descriptions in the Cisco System Log Messages Guide (© 2017 Cisco, available at, obtained on February 24th, 2017.) (will take a bit to load) to make sure those are of interest to you. LEM out of the box will capture 302003, 302009, and 603108 as we've determined these are low-noise high-relevance.



Last modified