When I’m troubleshooting networks it is more reliable for me to do a packet capture (also called sniffing) because that way I can trust that traffic is passing through correctly on the device I’m working on.

If you have a Cisco ASA (regardless of version or model) and need to troubleshoot it because someone is complaining that the firewall is blocking traffic, use the following syntax to run a packet capture directly on the ASA:

capture <capture_name> interface <interface_id> match [filter]

Where:

  • <capture_name>: Identifies the capture
  • <interface_id>: Applies the capture on the specified interface, e.g. inside, outside, dmz, etc.
  • [filter]: Searches for the desired traffic using the following keywords (always respecting the Cisco syntax)
    • protocol [any] [host <source_ip>] [eq source_port] [any] [host <destination_ip>] [eq destination_port]
    • The valid values for the protocol field are:
      • IP
      • TCP
      • UDP
      • ICMP

Examples:

To capture HTTP traffic to any destination sourced from 192.168.1.10 (NATed to public IP address 1.2.3.4) on both the inside and outside interfaces, apply the following commands:

Inside interface

capture inside interface inside match tcp host 192.168.1.10 any eq 80

Outside interface

capture outside interface outside match tcp host 1.2.3.4 any eq 80

The outside capture might contain more packets than expected, because other users on the network are probably using HTTP too (the most common protocol on the Internet 🙂), so make sure you identify the proper traffic.
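As an added example (not part of the original post), this Python helper assembles capture commands from the filter grammar above and rejects malformed values before they are sent to the firewall, which matters when the commands are generated by a script. The function names, the capture names cap_inside and cap_outside, and the allowed name character set are assumptions; it handles IPv4 hosts only.

```python
import ipaddress
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}       # protocol values listed in this post
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")   # assumed safe subset for names

def _endpoint(addr, port, protocol):
    """Render one side of the filter: 'any' or 'host <ip>', plus optional 'eq <port>'."""
    if addr is None:
        text = "any"
    else:
        # IPv4Address raises ValueError on anything that is not a plain address,
        # so embedded spaces or newlines never reach the command line.
        text = f"host {ipaddress.IPv4Address(addr)}"
    if port is not None:
        if protocol not in ("tcp", "udp"):
            raise ValueError("ports only apply to tcp and udp")
        if type(port) is not int or not 1 <= port <= 65535:
            raise ValueError(f"bad port: {port!r}")
        text += f" eq {port}"
    return text

def build_capture(name, interface, protocol, src=None, dst=None, sport=None, dport=None):
    """Return one 'capture ... match ...' command string, or raise ValueError."""
    for label, value in (("capture name", name), ("interface", interface)):
        if not NAME_RE.fullmatch(str(value)):
            raise ValueError(f"bad {label}: {value!r}")
    protocol = str(protocol).lower()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    return (f"capture {name} interface {interface} match {protocol} "
            f"{_endpoint(src, sport, protocol)} {_endpoint(dst, dport, protocol)}")

def nat_capture_pair(real_ip, mapped_ip, dport, protocol="tcp"):
    """Pair of captures for a NATed host: real IP on inside, mapped IP on outside."""
    return [
        build_capture("cap_inside", "inside", protocol, src=real_ip, dport=dport),
        build_capture("cap_outside", "outside", protocol, src=mapped_ip, dport=dport),
    ]

if __name__ == "__main__":
    # Constructed sample input: the addresses used in the example above.
    for line in nat_capture_pair("192.168.1.10", "1.2.3.4", 80):
        print(line)
```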

 

Now, what if you want to capture pings to Google in order to verify network connectivity:

capture icmp interface outside match icmp any host 8.8.8.8 echo

capture icmp interface outside match icmp any host 8.8.8.8 echo-reply

 

Hope this gives you an idea of how packet capture works on ASA.

Please don’t hesitate to comment with any questions or doubts about ASA packet capture.

Hello World!

Posted by miguelraulb | Uncategorized

Welcome to www.mkrul.mx

Here I will post some of the things I have discovered in the world of information security, the installation and configuration of tools, scripts, etc. I will also share a bit of my tastes and hobbies, especially electronic music (Trance, House, Dubstep, Progressive, etc.).

Don't forget to leave a comment, and thanks for visiting!