We have a recently installed ASA5510 - at present, only our internal internet access should be flowing through it. I have been monitoring traffic flow and noticed some strange bursts of activity on the inside and outside interface every hour.
I have set up a packet capture on the inside interface using the current access list that is on it:
access-list INSIDE_ACCESS_OUT extended permit tcp any eq www any
access-list INSIDE_ACCESS_OUT extended permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list INSIDE_ACCESS_OUT extended permit tcp any eq https any
access-list INSIDE_ACCESS_OUT extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any echo-reply
access-group INSIDE_ACCESS_OUT out interface Inside
This didn't quite do the biz as it only captured packets that matched the access list. What I would like to do is capture all traffic that flows in to the Inside interface so I can ascertain what IP is sending and receiving at odd hours of the day.
At the moment the security level of the interface allows all traffic to flow to the Outside interface without matching an access-list. To avoid this, and therefore capture all traffic, would I be able to do the following:
> Remove the INSIDE_ACCESS_OUT access-list from the Inside interface.
> Add an access list "permit ip any any" to the Inside interface (inward direction).
> Set the security level on the Inside interface to 0.
> Capture any packets that hit the "permit ip any any" access list.
Am I asking for trouble doing this, or does the "permit ip any any" access list provide the same functionality as the "security-level 100" command on the interface?
Any suggestions would be greatly appreciated.
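As an added example (not part of the question above, and not the poster's own configuration), the following ASA CLI sequence captures every packet arriving on the Inside interface without touching the interface access-list or its security level. The ASA copies ingress frames into the capture buffer before the interface ACL is evaluated, so packets that the ACL later drops still appear in the capture. The capture name CAP_INSIDE, the buffer and packet-length values, and the TFTP destination are assumptions chosen for illustration; the interface name Inside is taken from the question.

```cisco
! Capture all IP traffic entering the Inside interface.
! "match ip any any" selects packets directly; no access-list is required,
! and the existing INSIDE_ACCESS_OUT ACL and security-level 100 stay in place.
! A circular buffer keeps the most recent packets, so an hourly burst is not
! lost if the capture is left running for a long time.
capture CAP_INSIDE interface Inside match ip any any buffer 4000000 packet-length 1522 circular-buffer

! Inspect what has been collected so far (summary, then per-packet detail).
show capture CAP_INSIDE
show capture CAP_INSIDE detail

! Export the buffer as a pcap for offline analysis (placeholder TFTP server).
copy /pcap capture:CAP_INSIDE tftp://<TFTP-SERVER-IP>/cap_inside.pcap

! Reset the buffer without removing the capture definition, or remove it entirely
! once the investigation is finished so the buffer does not consume memory.
clear capture CAP_INSIDE
no capture CAP_INSIDE
```

Because the capture is independent of the ACL, there is no need to open the Inside interface with "permit ip any any" or lower its security level to see the hourly bursts; the pcap will show the source and destination addresses of everything that arrived, including flows the ACL denied. If a long-term record is preferred over a one-off capture, appending the "log" keyword to individual access-list entries will additionally send a syslog message per matching flow, which can be correlated with the capture timestamps.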