topic Re: Cisco ASA packet capture in Network Security

Cisco ASA packet capture

vsurresh — Mon, 22 Feb 2021 14:16:39 GMT

Hello.

Is there a way to capture traffic sourced from the ASA itself? For example, how can I capture ICMP unreachable message being sent from the ASA to the Internet?

ASA-------OUTISDE-INTERFACE---------INTERNET

Which ingress interface should I choose while setting up the capture?

EDIT - I tried the below but it didn't work

asa#capture test match icmp any host 93.184.216.34

asat# ping 93.184.216.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 93.184.216.34, timeout is 2 seconds:
!!!!!

asat# show capture
capture testtype raw-data [Capturing - 0 bytes]
match icmp any host 93.184.216.34

Thanks

Re: Cisco ASA packet capture

Sheraz.Salim — Mon, 22 Feb 2021 14:34:36 GMT

Is there a way to capture traffic sourced from the ASA itself? For example, how can I capture ICMP unreachable message being sent from the ASA to the Internet?

ASA-------OUTISDE-INTERFACE---------INTERNET

Which ingress interface should I choose while setting up the capture?

caputer ASP type asp-drop

show capture ASP

show asp drop

capture ICMP interface outside match icmp host x.x.x.x.x any (Where x.x.x.x is your public outside ip address).

capture ICMP interface outside match icmp host x.x.x.x.x any (Where x.x.x.x is your public outside ip address). 74: 14:25:54.551241 81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable 75: 14:25:54.551347 81.201.117.83 > mypublicip icmp: net 3.3.3.2 unreachable 76: 14:25:54.555757 81.201.117.83 > mypublicip icmp: net 3.3.3.20 unreachable 77: 14:25:54.555909 81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable 78: 14:25:54.559541 81.201.117.87 > mypublicip icmp: net 3.3.3.2 unreachable 79: 14:25:54.559617 81.201.117.83 > mypublicip icmp: net 3.3.3.20 unreachable 80: 14:25:54.566407 81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable

Re: Cisco ASA packet capture

vsurresh — Mon, 22 Feb 2021 15:22:43 GMT

That worked, thank you