dannyrushton
asked on
How do I set up a packet capture on the Inside interface of my ASA 5510
Hello all,
We have a recently installed ASA5510 - at present, only our internal internet access should be flowing through it. I have been monitoring traffic flow and noticed some strange bursts of activity on the inside and outside interface every hour.
I have set up a packet capture on the inside interface using the current access list that is on it:
access-list INSIDE_ACCESS_OUT extended permit tcp any eq www any
access-list INSIDE_ACCESS_OUT extended permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list INSIDE_ACCESS_OUT extended permit tcp any eq https any
access-list INSIDE_ACCESS_OUT extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any echo-reply
....
access-group INSIDE_ACCESS_OUT out interface Inside
This didn't quite do the biz as it only captured packets that matched the access list. What I would like to do is capture all traffic that flows in to the Inside interface so I can ascertain what IP is sending and receiving at odd hours of the day.
At the moment the security level of the interface allows all traffic to flow to the Outside interface without matching an access-list. To avoid this, and therefore capture all traffic, would I be able to do the following:
>Remove the INSIDE_ACCESS_OUT access-list from the Inside interface.
>Add an access list "Permit ip any any" to the inside interface (inward direction)
>set the security level on the inside interface to 0
>Capture any packets that hit the "permit ip any any" access list.
Am I asking for trouble doing this, or does the "permit ip any any" access list provide the same functionality as the "security-level 100" command on the interface?
Any suggestions would be greatly appreciated
Danny
ASKER
Thanks for the reply ciscoml320 - We are using Cisco throughout the network, however the switch the ASA plugs into is a Catalyst 4000 module with IOS 7.6(7) - will this magic work on that IOS version?
Danny
ASKER
To add to the above...
Why do you suggest a capture on the switch would be better? I foresee leaving the packet capture on, catching everything that passes through the inside i/f, being a bit dodgy as it puts a heavy demand on the ASA's memory. Being that I know what time of day each mystery burst of traffic happens (:50 minutes past each hour), would it be quicker and easier to set the capture running on the inside i/f of the ASA at xx:45pm and turn it off at xx:00pm?
Danny
It is a matter of preference; also, using an outside sniffer gives you more flexibility in capturing packets without worrying about filling up any buffers.
So, on the firewall:
Adding an access list "permit ip any any" to the inside interface (inward) will give you what you're looking to see. I don't believe there is a need to change the security levels of the interfaces.
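As an added example (not from the thread or from Cisco's documentation), this is how the capture described above is typically set up so that it is independent of the INSIDE_ACCESS_OUT access-group and of the interface security-level: the capture gets its own access-list, which is only ever referenced by the capture command. The capture name, the ACL name and the TFTP server address are assumptions for this example.

```cisco
! Added example. The capture's access-list is a filter for the capture
! only; it is never applied with access-group, so it does not permit or
! deny any traffic and the interface security-level is left untouched.
access-list CAP-INSIDE extended permit ip any any
!
! Start the capture on the Inside nameif: 5 MB buffer, circular so the
! oldest packets are overwritten rather than the capture stopping when
! the buffer fills (keeps memory use bounded on the ASA).
capture CAPIN interface Inside access-list CAP-INSIDE buffer 5242880 circular-buffer
!
! Check how much has been captured, then look for the hosts of interest.
show capture
show capture CAPIN | include 192.168.99.
!
! Export the buffer as a pcap for Ethereal/Wireshark analysis.
! 192.0.2.10 is a placeholder TFTP server address for this example.
copy /pcap capture:CAPIN tftp://192.0.2.10/capin-inside.pcap
!
! Stop the capture and free its buffer once the :50 burst is recorded.
no capture CAPIN
```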
ASKER
Excellent - Wasn't being suspicious of your intentions for the switch method of capture, I am a curious novice with the ASA and keen to learn as much as poss. Just to check then, the security level of the Inside interface (if set to 100) wouldn't override/take preference over a "permit ip any any" access list? I had a feeling it may bypass processing packets through an ACL if the security level of the i/f was higher than the destination i/f.
Thanks again for your input
Danny
ASKER CERTIFIED SOLUTION
ASKER
Top Job - Many thanks
If so, assuming the FW inside is on int gi0/1 and you have a sniffer on int gi0/2,
do the following on the switch:
conf t
monitor session 1 source int gi0/1 both
monitor session 1 destination int gi0/2
end
wr me
Use Ethereal to capture the traffic and perform your analysis then.
If you're using a non-Cisco switch, but the switch is managed, you should still be able to set up the port mirroring.