
How do I set up a packet capture on the Inside interface of my ASA 5510

Hello all,
We have a recently installed ASA5510 - at present, only our internal internet access should be flowing through it. I have been monitoring traffic flow and noticed some strange bursts of activity on the inside and outside interface every hour.
I have set up a packet capture on the inside interface using the current access list that is on it:

access-list INSIDE_ACCESS_OUT extended permit tcp any eq www any
access-list INSIDE_ACCESS_OUT extended permit ip
access-list INSIDE_ACCESS_OUT extended permit tcp any eq https any
access-list INSIDE_ACCESS_OUT extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any echo-reply
access-group INSIDE_ACCESS_OUT out interface Inside

This didn't quite do the biz as it only captured packets that matched the access list. What I would like to do is capture all traffic that flows in to the Inside interface so I can ascertain what IP is sending and receiving at odd hours of the day.

At the moment the security level of the interface allows all traffic to flow to the Outside interface without matching an access-list. To avoid this, and therefore capture all traffic, would I be able to do the following:
> Remove the INSIDE_ACCESS_OUT access-list from the Inside interface.
> Add an access list "permit ip any any" to the Inside interface (inward direction).
> Set the security level on the Inside interface to 0.
> Capture any packets that hit the "permit ip any any" access list.

Am I asking for trouble doing this, or does the "permit ip any any" access list provide the same functionality as the "security-level 100" command on the interface?
Any suggestions would be greatly appreciated.
1 Solution
It may be best to set up the capture on the switchport where your "inside" interface is connected. Once you figure out the traffic pattern, then you can construct the proper ACLs on the firewall. Are you using a Cisco switch internally by any chance?

If so, assuming FW inside is on int gi0/1 and you have a sniffer on int gi0/2,
do the following on the switch:
conf t
monitor session 1 source int gi0/1 both
monitor session 1 destination int gi0/2
wr me

Use Ethereal to capture the traffic and perform your analysis then.
If you're using a non-Cisco switch, but the switch is managed, you should still be able to set up the port mirroring.
dannyrushton (Author) commented:
Thanks for the reply ciscoml320 - We are using Cisco throughout the network, however the switch the ASA plugs into is a Catalyst 4000 module with IOS 7.6(7) - will this magic work on that IOS version?
dannyrushton (Author) commented:
To add to the above...
Why do you suggest a capture on the switch would be better? I foresee leaving the packet capture on, catching everything that passes through the inside i/f, being a bit dodgy as it puts a heavy demand on the ASA's memory. Given that I know what time of day each mystery burst of traffic happens (:50 minutes past each hour), would it be quicker and easier to set the capture running on the inside i/f of the ASA at xx:45 and turn it off at xx:00?
It is a matter of preference; also, using an outside sniffer gives you more flexibility in capturing packets without worrying about filling up any buffers.
So, on the firewall:
Adding an access list "permit ip any any" to the inside interface (inward) will give you what you're looking to see. I don't believe there is a need to change the security levels of the interfaces.
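The capture filter the reply describes, written out as the ASA commands you would type at the CLI; this is an added example, not from the original thread or from Cisco's own documentation. It assumes the interface is named "inside", that a TFTP server at 192.0.2.10 is reachable for export, and that your ASA build accepts the buffer and circular-buffer options (present on ASA 7.x images).

```cisco
! Dedicated capture ACL: it is referenced by the capture command, not bound
! with access-group, so INSIDE_ACCESS_OUT and the security levels stay as they are.
access-list CAP_ALL extended permit ip any any

! Capture on the inside interface, both directions, matching the ACL above.
! buffer is in bytes; circular-buffer overwrites the oldest packets when full,
! so a capture left running at xx:45 cannot exhaust memory before xx:00.
capture INSIDE_CAP access-list CAP_ALL interface inside buffer 1048576 circular-buffer

! Inspect the buffer on the box; "detail" adds timestamps and full headers.
show capture INSIDE_CAP
show capture INSIDE_CAP detail

! Export the buffer as a pcap for Ethereal/Wireshark (assumed TFTP server).
copy /pcap capture:INSIDE_CAP tftp://192.0.2.10/inside_cap.pcap

! Empty the buffer for the next hourly window, or remove the capture entirely.
clear capture INSIDE_CAP
no capture INSIDE_CAP
```

Because the capture ACL is only a filter for the capture engine, "permit ip any any" here does not open anything through the firewall; the interface policy and security levels remain whatever you configured.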
dannyrushton (Author) commented:
Excellent - I wasn't being suspicious of your intentions for the switch method of capture; I am a curious novice with the ASA and keen to learn as much as poss. Just to check then, the security level of the Inside interface (if set to 100) wouldn't override/take preference over a "permit ip any any" access list? I had a feeling it may bypass processing packets through an ACL if the security level of the i/f was higher than the destination i/f.
Thanks again for your input
It wouldn't have any adverse effects on the interface. The access-list in this case is just processing all packets, since all packets will (at least should) match the ACL. On a Cisco router, you'd be able to add a "log" action at the end of the ACL and you'd be able to see all matched packets either in the buffered log or on a remote syslog server.
Again, due to the fact that all packets will be matched, it might end up being easier to do the inspection through a sniffer. It's up to you; you know the rate and amount of traffic to expect.

Hope this helps.
dannyrushton (Author) commented:
Top Job - Many thanks