Capture ACL for Cisco PIX 6.3

I'm trying to set up a capture on the inside interface of my PIX that grabs all traffic coming to/leaving an IP address except for DNS traffic. Can someone help me with this? This is what I currently have (which isn't working; DNS is still coming through):

access-list capture_southfld-server deny udp any any eq domain
access-list capture_southfld-server permit ip host 192.168.17.51 any
access-list capture_southfld-server permit ip any host 192.168.17.51
capture capture_southfld-server access-list capture_southfld-server interface inside
meade470Asked:
JFrederick29 Commented:
Yeah, that should work but since it's not, the easiest thing to do is when you open the capture in Ethereal or Wireshark, you can use the display filter to exclude the DNS traffic.
 
ricks_v Commented:
try this instead:

access-list capture_southfld-server deny udp any any eq 53
access-list capture_southfld-server deny tcp any any eq 53
access-list capture_southfld-server permit ip host 192.168.17.51 any
access-list capture_southfld-server permit ip any host 192.168.17.51
capture capture_southfld-server access-list capture_southfld-server interface inside

 
JFrederick29 Commented:
You also need to deny DNS as the source, in order to deny the return traffic:

access-list capture_southfld-server deny udp any any eq 53
access-list capture_southfld-server deny udp any eq 53 any
access-list capture_southfld-server permit ip host 192.168.17.51 any
access-list capture_southfld-server permit ip any host 192.168.17.51
capture capture_southfld-server access-list capture_southfld-server interface inside
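As an added illustration (not part of the thread), the following Python script replays the asker's original ACL and JFrederick29's corrected one against two constructed UDP packets using first-match semantics, which shows why the first version still captures DNS replies: they carry port 53 as the source, not the destination. The packets, the port numbers and the 192.0.2.53 resolver address are constructed for the example.

```python
from ipaddress import ip_address

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' (addresses: 'any' or 'host A.B.C.D')."""
    tokens = line.split()
    ace = {"action": tokens[2], "proto": tokens[3]}
    rest = tokens[4:]
    for side in ("src", "dst"):
        ace[side] = ip_address(rest[1]) if rest[0] == "host" else None
        rest = rest[2:] if rest[0] == "host" else rest[1:]
        ace[side + "_port"] = None
        if rest and rest[0] == "eq":  # 'eq domain' is the named form of port 53
            ace[side + "_port"] = 53 if rest[1] == "domain" else int(rest[1])
            rest = rest[2:]
    return ace

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    return all(ace[k] is None or ace[k] == pkt[k] for k in ("src", "dst", "src_port", "dst_port"))

def is_captured(acl_lines, pkt):
    """Capture ACLs are first-match; a packet that no entry permits is not captured."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, pkt):
            return ace["action"] == "permit"
    return False

def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": ip_address(src), "src_port": sport,
            "dst": ip_address(dst), "dst_port": dport}

# Constructed traffic: 192.0.2.53 stands in for the DNS server the host queries.
HOST, DNS = "192.168.17.51", "192.0.2.53"
DNS_QUERY = packet("udp", HOST, 1025, DNS, 53)
DNS_REPLY = packet("udp", DNS, 53, HOST, 1025)  # return traffic has SOURCE port 53
ORIGINAL = [  # the asker's ACL: only the query direction is excluded
    "access-list capture_southfld-server deny udp any any eq domain",
    "access-list capture_southfld-server permit ip host 192.168.17.51 any",
    "access-list capture_southfld-server permit ip any host 192.168.17.51",
]
FIXED = ORIGINAL[:1] + ["access-list capture_southfld-server deny udp any eq 53 any"] + ORIGINAL[1:]

def capture_report(acl_lines):
    """Which of the sample packets would this capture ACL record?"""
    return {n: is_captured(acl_lines, p) for n, p in
            (("dns_query", DNS_QUERY), ("dns_reply", DNS_REPLY))}

if __name__ == "__main__":
    print("original:", capture_report(ORIGINAL))  # dns_reply is still captured
    print("fixed:   ", capture_report(FIXED))     # both DNS directions excluded
```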
 
meade470 (Author) Commented:
Thanks. This made sense to me but it didn't work. I'm still seeing DNS in the captures. We have a simple environment: switch --> router --> PIX --> internet. Not sure why this isn't working...