How do I set up a packet capture on the Inside interface of my ASA 5510

dannyrushton asked
Medium Priority
483 Views
Last Modified: 2012-06-27
Hello all,
We have a recently installed ASA5510 - at present, only our internal internet access should be flowing through it. I have been monitoring traffic flow and noticed some strange bursts of activity on the inside and outside interface every hour.
I have set up a packet capture on the inside interface using the current access list that is on it:

access-list INSIDE_ACCESS_OUT extended permit tcp any eq www any
access-list INSIDE_ACCESS_OUT extended permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list INSIDE_ACCESS_OUT extended permit tcp any eq https any
access-list INSIDE_ACCESS_OUT extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any echo-reply
....
access-group INSIDE_ACCESS_OUT out interface Inside

This didn't quite do the biz as it only captured packets that matched the access list. What I would like to do is capture all traffic that flows in to the Inside interface so I can ascertain what IP is sending and receiving at odd hours of the day.

At the moment the security level of the interface allows all traffic to flow to the Outside interface without matching an access-list. To avoid this, and therefore capture all traffic, would I be able to do the following:
>Remove the INSIDE_ACCESS_OUT access-list from the Inside interface.
>Add an access list "Permit ip any any" to the inside interface (inward direction)  
>set the security level on the inside interface to 0
>Capture any packets that hit the "permit ip any any" access list.

Am I asking for trouble doing this, or does the "permit ip any any" access list provide the same functionality as the "security-level 100" command on the interface?
Any suggestions would be greatly appreciated
Danny

It may be best to setup the capture on the switchport where your "inside" interface is connected to.  Once you figure out the traffic pattern, then you can construct the proper ACLs on the firewall.  Are you using a cisco switch internally by any chance?

if so, assuming FW - inside is on int gi0/1 and you have a sniffer on int gi0/2
do the following on switch -
conf t
monitor session 1 source int gi0/1 both
monitor session 1 destination int gi0/2
end
wr me

use ethereal to capture the traffic and perform your analysis then.
if you're using a non-cisco switch, but the switch is managed, you should still be able to setup the port mirroring.

Author commented:
Thanks for the reply ciscoml320 - We are using Cisco throughout the network, however the switch the ASA plugs into is a Catalyst 4000 module with IOS 7.6(7) - will this magic work on that IOS version?
Danny

Author commented:
To add to the above...
Why do you suggest a capture on the switch would be better? I foresee leaving the packet capture on, catching everything that passes through the inside i/f, being a bit dodgy as it puts a heavy demand on the ASA's memory. Being that I know what time of day each mystery burst of traffic happens (:50 minutes past each hour), would it be quicker and easier to set the capture running on the inside i/f of the ASA at xx:45pm and turn it off at xx:00pm?
Danny
It is a matter of preference; also, using an outside sniffer gives you more flexibility in capturing packets without worrying about filling up any buffers.
So, on the firewall:
Adding an access list "permit ip any any" to the inside interface (inward) will give you what you're looking to see. I don't believe there is a need to change the security levels of the interfaces.
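The ASA-side capture written out as concrete commands, as an added example that is not part of the thread. On the ASA the capture command takes its own access-list purely as a match filter: that ACL is referenced only by the capture and is never bound to the interface with access-group, so the existing INSIDE_ACCESS_OUT policy and the interface security levels stay exactly as they are. A capture attached to an interface records both the frames entering and the frames leaving it. The capture name, buffer size and the TFTP host 192.168.99.10 are assumptions for the example.

```text
! Match-everything filter for the capture.  Referenced by "capture" only;
! deliberately NOT applied with access-group, so no policy change occurs.
access-list CAP-ALL extended permit ip any any

! Start the capture on the Inside interface a few minutes before the :50 burst.
! 5 MB buffer, oldest packets overwritten when full, whole frames kept.
capture CAPIN interface Inside access-list CAP-ALL buffer 5000000 circular-buffer packet-length 1522

! Watch it fill in real time (one line per packet, or filtered by a host)
show capture
show capture CAPIN
show capture CAPIN | include 192.168.99.

! Once the burst has passed, export the buffer as a pcap for Wireshark/Ethereal
copy /pcap capture:CAPIN tftp://192.168.99.10/capin.pcap

! Empty the buffer, or remove the capture entirely when done
clear capture CAPIN
no capture CAPIN
```

Because the buffer is bounded and circular, the memory concern raised above is controlled by the buffer size rather than by how long the capture is left running; with a circular buffer the ASA simply keeps the most recent 5 MB. If the ASA's HTTPS server is enabled, the same pcap can also be pulled from a browser at https://<asa-address>/admin/capture/CAPIN/pcap.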

Author commented:
Excellent - Wasn't being suspicious of your intentions for the switch method of capture, I am a curious novice with the ASA and keen to learn as much as poss. Just to check then, the security level of the Inside interface (if set to 100) wouldn't override/take preference over a "permit ip any any" access list? I had a feeling it may bypass processing packets through an ACL if the security level of the i/f was higher than the destination i/f.
Thanks again for your input
Danny
It wouldn't have any adverse effects on the interface. The access-list in this case is just processing all packets, since all packets will (at least should) match the ACL. On a Cisco router, you'd be able to add a "log" action at the end of the ACL and you'd be able to see all matched packets either on the buffered log or on a remote syslog server.
Again, due to the fact that all packets will be matched, it might end up being easier to do the inspection through a sniffer. It's up to you. You know the rate and amount of traffic to expect.

hope this helps
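Whichever way the capture is taken (ASA buffer exported with copy /pcap, or a SPAN port feeding a sniffer), the next step is answering the original question: which inside host is talking, to whom, in the minutes around the hourly burst. The script below is an added example, not code from the thread; it parses a classic (microsecond, Ethernet link-type) pcap such as the ASA exports, keeps only packets whose minute-of-hour falls in the :45 to :00 window, and totals packets and bytes per source, destination and protocol. The pcap it runs on is constructed inline with a tiny writer so the example works offline; the addresses, timestamps and the 192.168.99.0/24 hosts in it are invented. Wireshark's Statistics > Conversations view gives the same answer interactively; the script is for when the capture is large or the check needs repeating every hour.

```python
"""Summarise the top talkers in a pcap inside a minute-of-hour window.

Added example.  The sample capture is constructed below; a real one comes
from `copy /pcap capture:CAPIN tftp://...` on the ASA or from a SPAN sniffer.
"""
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond pcap written little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic as seen when the file is big-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_pcap(packets):
    """Write a minimal little-endian pcap from (ts, src, dst, proto, payload_len)
    tuples.  Only used here to construct sample input."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for ts, src, dst, proto, plen in packets:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, proto, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + bytes(plen)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def iter_ipv4(pcap_bytes):
    """Yield (timestamp, src, dst, proto, ip_total_len) for each IPv4 frame."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a microsecond pcap: magic 0x%08x" % magic)
    _, _, _, _, _, _, linktype = struct.unpack_from(end + "IHHiIII", pcap_bytes, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:                       # 14-byte Ethernet + 20-byte IPv4 minimum
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4 or frame[14] >> 4 != 4:
            continue                              # skip ARP, IPv6, etc.
        ip_len, = struct.unpack_from("!H", frame, 16)
        proto = frame[23]
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        yield sec + usec / 1_000_000, src, dst, proto, ip_len


def talkers(pcap_bytes, minute_from=45, minute_to=60):
    """Packets and bytes per (src, dst, proto) for packets whose UTC minute-of-hour
    lies in [minute_from, minute_to).  The default brackets the :50 burst."""
    agg = defaultdict(lambda: [0, 0])
    for ts, src, dst, proto, ip_len in iter_ipv4(pcap_bytes):
        minute = datetime.fromtimestamp(ts, tz=timezone.utc).minute
        if not (minute_from <= minute < minute_to):
            continue
        entry = agg[(src, dst, PROTO_NAMES.get(proto, str(proto)))]
        entry[0] += 1
        entry[1] += ip_len
    return sorted(((s, d, p, pk, by) for (s, d, p), (pk, by) in agg.items()),
                  key=lambda row: row[4], reverse=True)


def _t(hour, minute, second=0):
    return datetime(2012, 6, 26, hour, minute, second, tzinfo=timezone.utc).timestamp()


# Constructed sample (hypothetical hosts): background noise at 12:20, then
# an inside host pushing two full-size TCP segments at 12:50 and an ICMP echo.
SAMPLE_PCAP = build_pcap([
    (_t(12, 20, 5), "192.168.99.5", "8.8.8.8", 17, 40),
    (_t(12, 50, 1), "192.168.99.23", "10.1.2.3", 6, 1400),
    (_t(12, 50, 2), "192.168.99.23", "10.1.2.3", 6, 1400),
    (_t(12, 52, 0), "192.168.99.7", "192.168.0.1", 1, 56),
])

if __name__ == "__main__":
    for src, dst, proto, pk, by in talkers(SAMPLE_PCAP):
        print(f"{src:>15} -> {dst:<15} {proto:<5} {pk:5d} pkts {by:8d} bytes")
```

To run it against a real export, replace SAMPLE_PCAP with the contents of the downloaded file (open(path, "rb").read()); the minute window is in UTC, so adjust minute_from/minute_to if the ASA clock or the burst time is expressed in local time.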

Author commented:
Top Job - Many thanks