Solved

Monitoring Traffic on a Cisco ASA5505

Posted on 2009-05-20
Last Modified: 2012-05-07
Hi,

A client on a site we recently took over has a Cisco ASA5505 as their gateway device. We have been provided with the login & enable passwords. I have some exposure to Cisco OS, but this has been mainly with routers and it's just the basics that I know. (I attended a CCNA course but never actually sat the exam.)

What I want to be able to do is monitor network traffic on the ASA, produce reports that will show me bandwidth usage etc, and preferably do this without spending money on software. I have read articles relating to NetFlow protocol, but from what I can determine the ASA device does not support NetFlow.

Can anybody help me? This is quite urgent
Question by:darraghcoffey
16 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 300 total points
ID: 24432768
Correct, you can't use Netflow on the ASA but you can monitor overall bandwidth utilization if you enable SNMP on the ASA and use MRTG or Cacti to monitor the interface usage.  You can look into Fireplotter which will give you detailed information on the connections through the box (similar to Netflow) but at a cost (trial available I believe).
0
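What MRTG or Cacti compute from the SNMP interface octet counters on each poll, as an added example that is not part of the original answer. Function names and sample values are constructed; the 300-second poll interval and 100 Mbit/s link speed are assumptions.

```python
# Added example (not from the thread): interface throughput from SNMP octet
# counters. Function names and sample values are constructed for illustration.

def rates_bps(samples, counter_bits=32):
    """samples: (unix_time, sysuptime_ticks, octets) tuples in poll order.
    Returns bits/second per interval, or None where an interval is unusable."""
    modulus = 2 ** counter_bits
    rates = []
    for (t0, up0, c0), (t1, up1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0 or up1 < up0:
            # Bad clock, or sysUpTime went backwards: treat as a reboot,
            # the counters restarted and this interval cannot be trusted.
            rates.append(None)
            continue
        # Modular subtraction absorbs ONE counter wrap between polls.
        # Two or more wraps in one interval are undetectable.
        delta = (c1 - c0) % modulus
        rates.append(delta * 8 / dt)
    return rates

def wrap_seconds(link_bps, counter_bits=32):
    """Shortest time in which a counter of this width can wrap at line rate.
    The poll interval must stay below this for the rates to be reliable."""
    return (2 ** counter_bits) * 8 / link_bps

# Constructed samples: 300 s apart, sysUpTime in hundredths of a second.
SAMPLES = [
    (0,   1_000,  4_000_000_000),
    (300, 31_000, 4_200_000_000),   # normal interval
    (600, 61_000, 10_032_704),      # 32-bit counter wrapped once
    (900, 500,    1_000),           # device rebooted
]

if __name__ == "__main__":
    for rate in rates_bps(SAMPLES):
        print("unusable interval" if rate is None else f"{rate / 1e6:.2f} Mbit/s")
    print(f"32-bit wrap at 100 Mbit/s: {wrap_seconds(100_000_000):.0f} s")
```

At a sustained 100 Mbit/s a 32-bit counter wraps in under six minutes, so a five-minute poll leaves little margin on a busy interface.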
 

Author Comment

by:darraghcoffey
ID: 24432843
Ok, I'll have a look into this - thanks for pointing me in the right direction. I'll let you know how I get on
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24433297
You can also monitor overall bandwidth just by logging into the ASA via the ASDM.
There are a bunch of graphs you can pull up; below is the interface rate graph. This can show real time, 5, 10, 60 min, 1 day and 5 day intervals.
As JFrederick said, if you want to monitor by user you need to use NetFlow on a router.
[Attached image: monitor.JPG]
0
 

Author Comment

by:darraghcoffey
ID: 24433492
Mmmm

JFrederick29 - I've had a look at Fireplotter & information wise that is exactly what I need. However, I would need some way of storing historical data for a period of time, e.g. 24hrs, and exporting it for analysis.

I haven't looked at Cacti yet

akalbfell: Forgive me if this sounds stupid, but I am relatively new to Cisco. Where would I get this software? Is there a setup guide to get the ASA to work effectively with this software?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24433533
Not sure on the historical aspect of Fireplotter but I would assume you can archive the data (I would hope).

Cacti will give you overall bandwidth utilization without the detail per flow.   ASDM is bundled with the ASA, you simply need to access it via HTTPS but Cacti will give you better historic trending.
0
 
LVL 8

Assisted Solution

by:akalbfell
akalbfell earned 200 total points
ID: 24433591
you should have the ASDM on the firewall already so it should be pretty easy

telnet into the device and give yourself http access using the command below
http x.x.x.x 255.255.255.255 <interface>

where x.x.x.x is your IP and the interface is the name, either outside or inside

the 255.255.255.255 means just the IP you type there can access it, nobody else

now just open up a browser and go to https://<ip of ASA>
you can run the ASDM right from there or download and install it

JFrederick is absolutely correct that the historical reporting when using another system is much better, but if you just need to log in and look at real time or a few days back it's an easy solution.
0
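A check for how widely each management-access line of the form described above opens the device, as an added example that is not part of the original post. The function name, the sample configuration and its addresses are constructed; the script only reads config text and does not contact a device.

```python
import ipaddress

# Constructed sample of ASA management-access lines (placeholder addresses).
SAMPLE_CONFIG = """\
http server enable
http 192.0.2.10 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.0.2.10 255.255.255.255 inside
"""

def audit_mgmt_access(config_text, max_hosts=1):
    """Return (line, reasons) for each http/telnet/ssh access line that
    admits more than max_hosts addresses, uses telnet, or faces outside."""
    findings = []
    for raw in config_text.splitlines():
        parts = raw.split()
        # Access lines have the form: <proto> <address> <netmask> <interface>
        if len(parts) != 4 or parts[0] not in ("http", "telnet", "ssh"):
            continue
        proto, addr, mask, iface = parts
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # not an address/mask pair, e.g. another sub-command
        reasons = []
        if net.num_addresses > max_hosts:
            reasons.append(f"{net} admits {net.num_addresses} source addresses")
        if proto == "telnet":
            reasons.append("telnet is a cleartext protocol; credentials can be sniffed")
        if iface == "outside":
            reasons.append("management reachable from the outside interface")
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in audit_mgmt_access(SAMPLE_CONFIG):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

A `255.255.255.255` mask, as in the post, passes the check because it admits exactly one source address.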
 
LVL 8

Expert Comment

by:akalbfell
ID: 24433602
And just to clarify, the ASDM is a graphical interface to manage the ASA. If you are new with the device it's a good place to start rather than jumping right into the CLI...IMO
0
 

Author Comment

by:darraghcoffey
ID: 24433785
Ok, I think we are starting to get somewhere now - many thanks to both of you for your help to date

I had tried to log into the ASA via the https interface before posting

I am being prompted for a user name and password

I wasn't sure if http server was enabled or not so I ran the following commands from the configuration menu
http server enable
http 1.2.3.4 255.255.255.255 inside (where 1.2.3.4 is the server IP I initiate the https session from)

I am still presented with a username and password prompt. I have tried usernames admin, root & manager with both the CLI password and the enable password, but authentication always fails.

I then created a user via CLI, and tried to log in via the https console using that new user. Authentication seems to be successful when I do this, but I am then presented with an HTTP 404 error page in my browser.

Think we're getting close here - thanks again for all your help

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24433826
Can you post the following:

show run aaa

Did you use the privilege 15 option on the user you created?

username <user> password <password> privilege 15

The priv 15 is needed for admin access.
0
 

Author Comment

by:darraghcoffey
ID: 24434547
OK,

I hadn't enabled privilege on my new user - I've just done that but it hasn't made a difference - when I try to log in via https it seems to authenticate, I then get redirected to https://1.2.3.4/admin/index.html , and then get an HTTP 404 error in my browser.

When I type show run aaa, it just returns to the enable mode menu (routername#)
It seems it's looking for other parameters - accounting, authentication, authorization, mac-exempt, proxy-limit

This is where I get stuck : )
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24434570
Don't think the ASDM is on there. Can you do the command show disk0: and paste the output here just to confirm?
0
 

Author Comment

by:darraghcoffey
ID: 24434732
routername> show disk0:
-#- --length-- -----date/time------ path
  6 8386560    Apr 26 2008 11:38:46 asa723-k8.bin
  7 4181246    Apr 26 2008 11:40:00 securedesktop-asa-3.2.1.103-k9.pkg
  8 398305     Apr 26 2008 11:40:20 sslclient-win-1.1.0.154.pkg
  9 7295568    Jun 10 2008 08:38:08 asdm-611.bin
 10 0          Apr 26 2008 11:43:16 crypto_archive
 13 14635008   Jun 10 2008 07:46:06 asa803-k8.bin
 14 0          Jun 10 2008 07:48:06 log
 24 5          Jun 10 2008 07:48:26 csco_config/locale/clean.8.0.done
 27 3224       Jun 10 2008 07:48:26 csco_config/locale/ja/LC_MESSAGES/customizat
ion.po
 28 4481       Jun 10 2008 07:48:26 csco_config/locale/ja/LC_MESSAGES/PortForwar
der.po
 29 32846      Jun 10 2008 07:48:26 csco_config/locale/ja/LC_MESSAGES/webvpn.po
 32 2430       Jun 10 2008 07:48:26 csco_config/locale/fr/LC_MESSAGES/customizat
ion.po
 33 4149       Jun 10 2008 07:48:26 csco_config/locale/fr/LC_MESSAGES/PortForwar
der.po
 34 30822      Jun 10 2008 07:48:26 csco_config/locale/fr/LC_MESSAGES/webvpn.po
 36 2864       Jun 16 2008 05:54:24 csco_config/locale/LC_MESSAGES/PortForwarder
.po
 37 18503      Jun 16 2008 05:54:24 csco_config/locale/LC_MESSAGES/webvpn.po
 38 896        Jun 16 2008 05:54:24 csco_config/locale/LC_MESSAGES/banners.po

91942912 bytes available (35168256 bytes used)

routername>
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24434867
Can you see if this line is in the config? prob be
asdm image disk0:/asdm-611.bin

If you don't see that, enter it, then do write mem and reboot the device and give it a try.
0
 

Author Comment

by:darraghcoffey
ID: 24434921
The following lines are in the config (it's slightly different to what you posted)
routername# show run
.
.
.
asdm image disk0:/flash@asdm-611.bin
no asdm history enable

.
.
.
.
0
 
LVL 8

Expert Comment

by:akalbfell
ID: 24434953
Not sure if that is right, looks kind of odd to me.

Get rid of the command you have, put the one I typed and reboot, then see if it works.
0
 

Author Closing Comment

by:darraghcoffey
ID: 31596775
Hi Guys,

Sorry for the delay in getting back to you.

I've accepted both your solutions, but split the points 300/200 because I ended up using Fireplotter as the solution. Fireplotter sent me on the latest version of their software (V2 not V1.4 that was available at the time) and V2 can record historical data.

I believe the asdm command supplied by akalbfell would have worked, but I didn't have the courage to mess with a production device not really knowing what I was doing. ; )
0
