Solved

Monitoring Traffic on a Cisco ASA5505

Posted on 2009-05-20
Last Modified: 2012-05-07
Hi,

A client on a site we recently took over has a Cisco ASA5505 as their gateway device. We have been provided with the login & enable passwords. I have some exposure to Cisco OS, but this has been mainly with routers and it's just the basics that I know. (I attended a CCNA course but never actually sat the exam.)

What I want to be able to do is monitor network traffic on the ASA, produce reports that will show me bandwidth usage etc, and preferably do this without spending money on software. I have read articles relating to NetFlow protocol, but from what I can determine the ASA device does not support NetFlow.

Can anybody help me? This is quite urgent
Question by:darraghcoffey
16 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 300 total points
ID: 24432768
Correct, you can't use Netflow on the ASA but you can monitor overall bandwidth utilization if you enable SNMP on the ASA and use MRTG or Cacti to monitor the interface usage.  You can look into Fireplotter which will give you detailed information on the connections through the box (similar to Netflow) but at a cost (trial available I believe).
0
 

Author Comment

by:darraghcoffey
ID: 24432843
Ok, I'll have a look into this - thanks for pointing me in the right direction. I'll let you know how I get on
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24433297
You can also monitor overall bandwidth just by logging into the ASA via the ASDM.
There are a bunch of graphs you can pull up; below is the interface rate graph... this can show real time, 5, 10, 60 min, 1 day and 5 day intervals.
As JFrederick said, if you want to monitor by user you need to use NetFlow on a router.
monitor.JPG
0
 

Author Comment

by:darraghcoffey
ID: 24433492
Mmmm

JFrederick29 - I've had a look at Fireplotter & information wise that is exactly what I need. However, I would need some way of storing historical data for a period of time, e.g. 24hrs, and exporting it for analysis.

I haven't looked at Cacti yet

akalbfell: Forgive me if this sounds stupid, but I am relatively new to Cisco. Where would I get this software? Is there a setup guide to get the ASA to work effectively with this software?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24433533
Not sure on the historical aspect of Fireplotter but I would assume you can archive the data (I would hope).

Cacti will give you overall bandwidth utilization without the detail per flow.   ASDM is bundled with the ASA, you simply need to access it via HTTPS but Cacti will give you better historic trending.
0
 
LVL 8

Assisted Solution

by:akalbfell
akalbfell earned 200 total points
ID: 24433591
You should have the ASDM on the firewall already, so it should be pretty easy.

Telnet into the device and give yourself http access using the command below:
http x.x.x.x 255.255.255.255 <interface>

where x.x.x.x is your IP and the interface is the name, either outside or inside.

The 255.255.255.255 means just the IP you type there can access it, nobody else.

Now just open up a browser and go to https://<ip of ASA>
You can run the ASDM right from there or download and install it.

JFrederick is absolutely correct that the historical reporting when using another system is much better, but if you just need to log in and look at real time or a few days back it's an easy solution.
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24433602
And just to clarify, the ASDM is a graphical interface to manage the ASA. If you are new with the device it's a good place to start rather than jumping right into the CLI... IMO
0
 

Author Comment

by:darraghcoffey
ID: 24433785
Ok, I think we are starting to get somewhere now - many thanks to both of you for your help to date

I had tried to log into the ASA via the https interface before posting

I am being prompted for a user name and password

I wasn't sure if http server was enabled or not, so I ran the following commands from the configuration menu:
http server enable
http 1.2.3.4 255.255.255.255 inside (where 1.2.3.4 is the server IP I initiate the https session from)

I am still presented with a username and password prompt. I have tried usernames admin, root & manager with both the CLI password and the enable password, but authentication always fails.

I then created a user via CLI, and tried to log in via https console using that new user. Authentication seems to be successful when I do this, but I am then presented with a http 404 error page in my browser.

Think we're getting close here - thanks again for all your help

0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24433826
Can you post the following:

show run aaa

Did you use the privilege 15 option on the user you created?

username <user> password <password> privilege 15

The priv 15 is needed for admin access.
0
 

Author Comment

by:darraghcoffey
ID: 24434547
OK,

I hadn't enabled privilege on my new user - I've just done that but it hasn't made a difference - when I try to log in via https it seems to authenticate, I then get redirected to https://1.2.3.4/admin/index.html , and then get a http 404 error in my browser.

When I type show run aaa, it just returns to the enable mode menu (routername#)
It seems it's looking for other parameters - accounting, authentication, authorization, mac-exempt, proxy-limit

This is where I get stuck : )
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24434570
Don't think the ASDM is on there. Can you do the command show disk0: and paste the output here just to confirm?
0
 

Author Comment

by:darraghcoffey
ID: 24434732
routername> show disk0:
-#- --length-- -----date/time------ path
  6 8386560    Apr 26 2008 11:38:46 asa723-k8.bin
  7 4181246    Apr 26 2008 11:40:00 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Apr 26 2008 11:40:20 sslclient-win-1.1.0.154.pkg
  9 7295568    Jun 10 2008 08:38:08 asdm-611.bin
 10 0          Apr 26 2008 11:43:16 crypto_archive
 13 14635008   Jun 10 2008 07:46:06 asa803-k8.bin
 14 0          Jun 10 2008 07:48:06 log
 24 5          Jun 10 2008 07:48:26 csco_config/locale/clean.8.0.done
 27 3224       Jun 10 2008 07:48:26 csco_config/locale/ja/LC_MESSAGES/customizat
ion.po
 28 4481       Jun 10 2008 07:48:26 csco_config/locale/ja/LC_MESSAGES/PortForwar
der.po
 29 32846      Jun 10 2008 07:48:26 csco_config/locale/ja/LC_MESSAGES/webvpn.po
 32 2430       Jun 10 2008 07:48:26 csco_config/locale/fr/LC_MESSAGES/customizat
ion.po
 33 4149       Jun 10 2008 07:48:26 csco_config/locale/fr/LC_MESSAGES/PortForwar
der.po
 34 30822      Jun 10 2008 07:48:26 csco_config/locale/fr/LC_MESSAGES/webvpn.po
 36 2864       Jun 16 2008 05:54:24 csco_config/locale/LC_MESSAGES/PortForwarder
.po
 37 18503      Jun 16 2008 05:54:24 csco_config/locale/LC_MESSAGES/webvpn.po
 38 896        Jun 16 2008 05:54:24 csco_config/locale/LC_MESSAGES/banners.po

91942912 bytes available (35168256 bytes used)

routername>
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24434867
Can you see if this line is in the config? prob be
asdm image disk0:/asdm-611.bin

If you don't see that, enter it, then do write mem and reboot the device and give it a try.
0
 

Author Comment

by:darraghcoffey
ID: 24434921
The following lines are in the config (it's slightly different to what you posted)
routername# show run
.
.
.
asdm image disk0:/flash@asdm-611.bin
no asdm history enable

.
.
.
.
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24434953
Not sure if that is right, looks kind of odd to me.

Get rid of the command you have, put the one I typed and reboot, then see if it works.
0
 

Author Closing Comment

by:darraghcoffey
ID: 31596775
Hi Guys,

Sorry for the delay in getting back to you.

I've accepted both your solutions, but split the points 300/200 because I ended up using Fireplotter as the solution. Fireplotter sent me on the latest version of their software (V2 not V1.4 that was available at the time) and V2 can record historical data.

I believe the asdm command supplied by akalbfell would have worked, but I didn't have the courage to mess with a production device not really knowing what I was doing. ; )
0
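The checks worked through by hand in this thread can be run offline against saved `show run` and `show disk0:` output before anyone touches a production firewall. The script below is an added example, not code from any poster or from Cisco; the function names, the user name `monitor` and the sample text are constructed for illustration. A finding means "review this line", not proof of the fault.

```python
import re

# Constructed sample input, modelled on the output quoted in the thread.
SHOW_DISK = """\
  6 8386560    Apr 26 2008 11:38:46 asa723-k8.bin
  9 7295568    Jun 10 2008 08:38:08 asdm-611.bin
 13 14635008   Jun 10 2008 07:46:06 asa803-k8.bin
"""
SHOW_RUN = """\
username monitor password <password> privilege 15
http server enable
http 1.2.3.4 255.255.255.255 inside
asdm image disk0:/flash@asdm-611.bin
"""

def disk_files(show_disk):
    """Return the set of file paths listed by 'show disk0:'."""
    files = set()
    for line in show_disk.splitlines():
        m = re.match(r"\s*\d+\s+\d+\s+\w{3}\s+\d+\s+\d{4}\s+[\d:]+\s+(\S+)", line)
        if m:
            files.add(m.group(1))
    return files

def audit_asdm(show_run, show_disk):
    """Return a list of findings about ASDM/HTTPS management access."""
    findings = []
    lines = [ln.strip() for ln in show_run.splitlines()]
    on_disk = disk_files(show_disk)
    if "http server enable" not in lines:
        findings.append("http server is not enabled")
    for ln in lines:
        m = re.match(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", ln)
        if m and m.group(2) != "255.255.255.255":
            findings.append(f"http access on {m.group(3)} allows {m.group(1)} "
                            f"{m.group(2)}, wider than a single host")
    if not any(re.match(r"username \S+ .*privilege 15\b", ln) for ln in lines):
        findings.append("no local user with privilege 15")
    images = [ln.split("disk0:/", 1)[1] for ln in lines
              if ln.startswith("asdm image disk0:/")]
    if not images:
        findings.append("no 'asdm image' line in the configuration")
    for img in images:
        if img not in on_disk:
            findings.append(f"asdm image '{img}' is not listed on disk0:")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_asdm(SHOW_RUN, SHOW_DISK)))
```
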
