Cisco ASA firewall has a very useful traffic capturing feature. Captured traffic that goes through firewall can be saved in pcap files that later can be downloaded, viewed and analysed in most of live capturing programs liketcpdump or wireshark.
To capture network packets on ASA, first define an access-list that marks intresting traffic. In this example we'll define acl that will capture all icmp traffic designated to internal host 192.168.1.1:
<![CDATA[ ASA1(config)#access-list inside_test permit icmp any host 192.168.1.1
]]>
Next, we use capture command after which folows name of capture and access-list with interesting traffic, following the name of an interface on which we "sniff" , which captures traffic:
<![CDATA[ ASA1(config)#capture inside_interface access-list inside_test interface inside
]]>
To see captured traffic hit the show capture command with the name of capture:
<![CDATA[ ASA1#show capture inside_interface
10 packets captured
1: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request
2: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply
3: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request
4: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply
5: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request
6: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply
7: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request
8: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply
9: 01:49:24.087474 10.20.10.2 > 192.168.1.1: icmp: echo request
10: 01:49:24.087474 192.168.1.1 > 10.20.10.2: icmp: echo reply
10 packets shown
]]>
(Captured file can also be viewed directly on ASA via http link http://ip_of_firewall/capture/inside_interface/pcap.) Deleting captured files:
<![CDATA[ ASA1# no capture inside_interface
]]>
Comments
Post a Comment