topic Re: CISCO ASA 5525 in Network Security

CISCO ASA 5525

ddesai — Mon, 10 Jul 2023 19:05:59 GMT

How will I verify that which policy is currently active for incoming traffic received from Dmz ?

I will need to move internal traffic which is coming from Dmz to another firewall.

Please advice

Re: CISCO ASA 5525

MHM Cisco World — Mon, 10 Jul 2023 19:13:05 GMT

best way is using packet tracer

see traffic which ACL hitting.

Re: CISCO ASA 5525

ddesai — Mon, 10 Jul 2023 19:17:30 GMT

Thanks for the update.

Can we check with heat count?

Can we check from any logs ?

Do I need to download packet tracert or is it inbuild in cisco ASA

I never use CISCO ASA so please guide me step by step that will be great help.

few applications pending to move from cisco ASA to new firewall so I am looking for which application still running in CISCO ASA

Re: CISCO ASA 5525

MHM Cisco World — Mon, 10 Jul 2023 19:22:57 GMT

https://community.cisco.com/t5/security-knowledge-base/troubleshooting-access-problems-using-packet-tracer/ta-p/3114976

Re: CISCO ASA 5525

Marius Gunnerud — Mon, 10 Jul 2023 21:28:31 GMT

you can see which rules are being hit in the access-list using either ASDM where you will see the hit count on the right of each rule, or using show access-list <access-list name> which will also show you a hit count for each rule.

Re: CISCO ASA 5525

ddesai — Mon, 10 Jul 2023 22:52:24 GMT

in Packet tracer which port mention as source port ?

destination port details i found from policy

Re: CISCO ASA 5525

ddesai — Mon, 10 Jul 2023 22:54:56 GMT

Can i get heat count latest date and time stamp to know when policy used last date and time?

Re: CISCO ASA 5525

ddesai — Mon, 10 Jul 2023 23:06:27 GMT

How i can find out interal traffic to DMZ policy details from cisco asa 5525 ?>

Re: CISCO ASA 5525

Aref Alsouqi — Tue, 11 Jul 2023 06:58:43 GMT

DMZ interfaces are usually set at 50 security level, but they could be with any security level between 0 and 100. If you do "sh nameif" you should see the interfaces names as well as their security levels. From there take the interfaces names that are configured with a security level between 0 and 100 and run some packet capture on them while you are generating some traffic and check if you get any output. You can run packet capture with the command "cap < name > interface < the interface name > match ip host < source IP > host < destination IP >. Regarding the ACL hits, they won't give any details about the date/time, if you want to get those details you would need to add "log" keyword at the end of the interested ACL entries and then look at the firewall logs, but it is not recommended as it would consume more resources on the device.

Re: CISCO ASA 5525

MHM Cisco World — Tue, 11 Jul 2023 08:49:58 GMT

again use packet tracer,
packet tracer input DMZ <subet in DMZ you want to check><subet in INside or OUTside> detail
this will give you exactly
1- NATing using
2- ACL using (INbound and OUTbound)

Re: CISCO ASA 5525

Marius Gunnerud — Tue, 11 Jul 2023 08:59:31 GMT

You will not get a time and date on the hitcount unfortunately. So what you could do is clear the counter and let it run a week or two to get an indication of what is being used.

To see which access-list is being used for which interface, if that is what you mean, you can issue the show running-config access-group which will give you the access-list name and the interface it is associated with

ASAt# show running-config access-group
access-group <access-list> in interface <interface name>

Re: CISCO ASA 5525

ddesai — Tue, 11 Jul 2023 15:39:18 GMT

Thanks, and appreciated your answer,

which option will clear heat counter?

Re: CISCO ASA 5525

ddesai — Tue, 11 Jul 2023 15:41:21 GMT

Please remember to select a correct answer and rate helpful posts - for sure will do Thanks for reminding me appreciated.

Re: CISCO ASA 5525

ddesai — Tue, 11 Jul 2023 15:43:15 GMT

Thanks, and appreciated your update but when i open packet tracer in firewall policy i could not find source port details rest of things i can find out so what port mention as a source port.

Re: CISCO ASA 5525

MHM Cisco World — Tue, 11 Jul 2023 15:55:17 GMT

You can use as port

12345 <<- randomly port number

Specific port number if you want to check server.

For example

Packet tracer input DMZ tcp 1.1.1.1 80 2.2.2.2 12345

Packet tracer input OUTside tcp 2.2.2.2 12345 1.1.1.1 80

Re: CISCO ASA 5525

ddesai — Tue, 11 Jul 2023 16:18:59 GMT

If I am adding source port as a random than it give me error.

Can I add for all in pakcet tracer souce port 80 or https ?

Destination port I have mentioned as per Cisco policy.

Re: CISCO ASA 5525

ddesai — Tue, 11 Jul 2023 17:25:12 GMT

In Cisco ASA ASDM login while I am taking backup manually it was asking for key what is key about ?

Re: CISCO ASA 5525

Aref Alsouqi — Tue, 11 Jul 2023 18:58:26 GMT

You can use the command "clear access-list < the access list name > counters".

Re: CISCO ASA 5525

Aref Alsouqi — Tue, 11 Jul 2023 19:19:04 GMT

Could you please share that screen? I think that key is the protection key that you would use in case you need to restore the config from that backup file.

Re: CISCO ASA 5525

Aref Alsouqi — Tue, 11 Jul 2023 19:20:38 GMT

When you run packet tracer you should have the traffic flow that you want to test in mind. You can put any port in the source or in the destination, but those ports should match the traffic flow that you are trying to simulate.