topic Re: Alternative of packet capture match access-list on Cisco FTD in Network Security

Alternative of packet capture match access-list on Cisco FTD

ojebbe — Thu, 11 Apr 2024 18:05:00 GMT

What would be the best way to capture traffic on a subnet (192.168.1.0/24) and excluding the capture for one of the IPs withing this subnet (192.168.1.1)

Reason is I want to run the capture for a couple of days and 192.168.1.1 will fill up the buffer immediately.

Since matching an ACL is no longer supported on Cisco FTD, I'm looking for an alternative way to do the following on FTD:

access-list TEST deny ip host 192.168.1.1 any

access-list TEST permit ip any any

Thanks,

capture cap match access-list TEST

capture cap interface outside

Re: Alternative of packet capture match access-list on Cisco FTD

MHM Cisco World — Thu, 11 Apr 2024 18:08:29 GMT

Capture Cap match IP host x.x.x.x

This what you can use

MHM

Re: Alternative of packet capture match access-list on Cisco FTD

ojebbe — Thu, 11 Apr 2024 18:10:15 GMT

What I'm looking for is to match the whole range (192.168.1.0/24) except for the IP address 192.168.1.1

Re: Alternative of packet capture match access-list on Cisco FTD

MHM Cisco World — Thu, 11 Apr 2024 18:19:10 GMT

Increase buffer or divide the subnet into parts and used each parts in capture I know it alot of work but it workaround at least.

MHM

Re: Alternative of packet capture match access-list on Cisco FTD

MHM Cisco World — Fri, 12 Apr 2024 08:57:47 GMT

Can check again

capture CAP interface XX ?

See what option you get

capture CAP interface xx match ?

See what option you get

MHM

Re: Alternative of packet capture match access-list on Cisco FTD

Marius Gunnerud — Sat, 13 Apr 2024 22:36:12 GMT

Unfortunately packet capture on the FTD does not allow for a range or ACL match, so omitting the 192.168.1.1 IP is not possible using this. The options you have are to set up SPAN / RSPAN on the uplink switch or (I have never tried this) do a tcpdump on the FTD in expert mode and filter on the required IP range. Not sure if the last would work as I have personally never tried it.

Re: Alternative of packet capture match access-list on Cisco FTD

MHM Cisco World — Sun, 14 Apr 2024 07:39:11 GMT

NO need that I check in my lab
FTD not like ASA support ACL in match there is no option to add ACL
so as I mention before divide the subnet to parts and match these parts in capture command

I use two match statement in same capture and it work as I want

MHM

Re: Alternative of packet capture match access-list on Cisco FTD

Marius Gunnerud — Sun, 14 Apr 2024 12:35:37 GMT

The poster wants to capture all traffic other than 192.168.1.1. Mean you would need to exclude that specific IP which is not possible. Creating specific statements for all hosts, i would assume, is not an option as it would take too much time depending on how many IPs are in the subnet. Subnetting the 192.168.1.0/24 subnet could be an option, but you would need to get very creative with that and spending time doing that might not be worth it. the best option and least time-consuming would be to set up SPAN / RSPAN on the switch port connecting to the FTD and then filter using an access list.

If you are already logging to a Syslog server then filtering on the traffic you want to inspect there might be an option if you are just looking for the connection events.

Re: Alternative of packet capture match access-list on Cisco FTD

MHM Cisco World — Sun, 14 Apr 2024 12:39:59 GMT

Friend my idea is following

10.0.0.0/24

Divide it to small subnet like

10.0.0.0/25'

And match subnet that not include IP he need to exclude.

I Know it need lot work but it workaround to limitations of ftd capture.

MHM

Re: Alternative of packet capture match access-list on Cisco FTD

Marius Gunnerud — Sun, 14 Apr 2024 12:52:19 GMT

I understand what you were suggesting, but the problem there is you will still include 192.168.1.1 in the capture with a /25 network. If you start subnetting at /30 you will exclude 1 -3 and you will also have an issue as you would need to do some very creative subnetting to match the remaining IPs in the /24 subnet. This is time consuming to do an possibly not worth it. Which is why a better solution is to do SPAN / RSPAN on the uplink switch.