When I’m troubleshooting networks, I find a packet capture (also called sniffing) more reliable, because that way I can trust that traffic is passing through correctly on the device I’m working on.
If you have a Cisco ASA (the version and model don’t matter) and you need to troubleshoot it because someone is complaining that traffic is being blocked by the firewall, the following syntax lets you take a packet capture directly on the ASA:
capture <capture_name> interface <interface_id> match [filter]
- <capture_name>: Identifies the capture (you can define several captures at the same time, each with its own name)
- <interface_id>: Applies the capture on the specified interface, e.g. inside, outside, dmz, etc.
- [filter]: Selects the desired traffic using the following keywords (always respecting the Cisco syntax):
- <protocol> {any | host <source_ip> | <source_ip> <mask>} [eq <source_port>] {any | host <destination_ip> | <destination_ip> <mask>} [eq <destination_port>]
- The valid values for the protocol field are ip, tcp, udp and icmp (ip matches any IP protocol); for icmp you can additionally give the ICMP type (echo, echo-reply, ...) after the addresses, as in the ping example below.
Say you want to capture HTTP traffic to any destination sourced from 192.168.1.10 (NATed to the public IP address 184.108.40.206) on both the inside and outside interfaces. Each capture filters on the address as it appears on that interface, the private address on inside and the translated address on outside, so apply the following commands:
capture inside interface inside match tcp host 192.168.1.10 any eq 80
capture outside interface outside match tcp host 184.108.40.206 any eq 80
If 184.108.40.206 is a PAT address shared by other internal hosts, the outside capture will also contain their HTTP traffic (HTTP being the most common protocol on the Internet 🙂 ), so make sure to identify the proper flow by its translated source port, which you can look up with show xlate.
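A complete session for the NAT case above, added here as an example and not taken from the original post. It assumes the interface names inside and outside, the addresses 192.168.1.10 and 184.108.40.206 from the text, and a TFTP server at 192.168.1.50 for exporting the files; all of these are assumptions.

```cisco
! Two captures with distinct names, each filtered on the address as it
! appears on that wire: pre-NAT on inside, post-NAT on outside.
capture inside interface inside match tcp host 192.168.1.10 any eq 80
capture outside interface outside match tcp host 184.108.40.206 any eq 80

! The ASA also keeps every packet it drops, tagged with the drop reason.
! This is the capture that answers "is the firewall blocking it?" directly.
capture drops type asp-drop all

! Generate the HTTP request from 192.168.1.10, then inspect the buffers.
show capture
show capture inside
show capture outside
show capture drops

! The buffer (512 KB by default) stops filling when full, so empty it
! between test runs.
clear capture inside
clear capture outside
clear capture drops

! Export for Wireshark (TFTP server 192.168.1.50 is an assumption).
copy /pcap capture:inside tftp://192.168.1.50/inside.pcap
copy /pcap capture:outside tftp://192.168.1.50/outside.pcap

! Captures stay in the running configuration and cost CPU; remove them
! when the troubleshooting is over.
no capture inside
no capture outside
no capture drops
```

In show capture inside the SYN appears with the private source address, and in show capture outside the same segment appears sourced from 184.108.40.206. If the SYN is in the inside capture but never reaches the outside capture, look at show capture drops: each packet there ends with the drop reason, which tells you whether an ACL, NAT or inspection decision discarded it.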
Now, what if you want to capture pings to Google in order to verify network connectivity? Use two captures with distinct names, one for the echo request and one for the echo reply, keeping in mind that the reply is sourced from Google’s address:
capture icmp-echo interface outside match icmp any host 18.104.22.168 echo
capture icmp-reply interface outside match icmp host 18.104.22.168 any echo-reply
Hope this gives you an idea of how packet capture works on ASA.
Please don’t hesitate to comment if you have any questions or doubts about ASA packet capture.