https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093379#M133320 <P>Hi Sam,</P> <P></P> <P>When traffic is outbound that is from inside:</P> <P></P> <P>packet-tracer input inside <G class="gr_ gr_89 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="89" data-gr-id="89">icmp</G>&nbsp;&lt;ip of inside host&gt; 8 0 &lt;ip of the outside host&gt; detailed</P> <P></P> <P>When traffic is inbound :</P> <P></P> <P>packet-tracer input outside <G class="gr_ gr_319 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="319" data-gr-id="319">tcp</G>&nbsp;&lt;any host from the outside&gt; &lt;random TCP Port&gt; &lt;mapped IP/NAT-IP&gt; &lt;port&gt; detailed</P> <P></P> <P>packet-tracer input outside <G class="gr_ gr_435 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="435" data-gr-id="435">tcp</G> 4.2.2.2 7878 2.2.2.2 443 detailed</P> <P></P> <P>So in the destination, you would typically use a NAT IP rather than the real IP.</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Mon, 14 Aug 2017 14:01:26 GMT Aditya Ganjoo 2017-08-14T14:01:26Z https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093378#M133319 <P>Hello Experts,</P> <P></P> <P>Can you guys please explain me..what is the best way to put the packet capture command on Cisco ASA.</P> <P>1.When the traffic is going from inside to outside (which interface would be the best to capture the traffic)..?</P> <P>2.When the traffic is going coming from outside to inside(which interface would be the best to capture the traffic)..?</P> <P></P> <P>The only reason I'm getting confused is because we do have NAT configuration on ASA sometimes and this makes me scratch my head.</P> <P></P> <P>I would really appreciate if you guys can please explain me this.</P> <P></P> <P></P> <P>Thanks</P> <P>Sam</P> <P></P> Tue, 12 Mar 2019 09:49:15 GMT https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093378#M133319 sambillings459 2019-03-12T09:49:15Z https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093379#M133320 <P>Hi Sam,</P> <P></P> <P>When traffic is outbound that is from inside:</P> <P></P> <P>packet-tracer input inside <G class="gr_ gr_89 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="89" data-gr-id="89">icmp</G>&nbsp;&lt;ip of inside host&gt; 8 0 &lt;ip of the outside host&gt; detailed</P> <P></P> <P>When traffic is inbound :</P> <P></P> <P>packet-tracer input outside <G class="gr_ gr_319 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="319" data-gr-id="319">tcp</G>&nbsp;&lt;any host from the outside&gt; &lt;random TCP Port&gt; &lt;mapped IP/NAT-IP&gt; &lt;port&gt; detailed</P> <P></P> <P>packet-tracer input outside <G class="gr_ gr_435 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="435" data-gr-id="435">tcp</G> 4.2.2.2 7878 2.2.2.2 443 detailed</P> <P></P> <P>So in the destination, you would typically use a NAT IP rather than the real IP.</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Mon, 14 Aug 2017 14:01:26 GMT https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093379#M133320 Aditya Ganjoo 2017-08-14T14:01:26Z https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093380#M133321 <P>Hi Aditya,</P> <P></P> <P>Thank you for replying...</P> <P>Actually I'm looking for packet capture command for e.g.</P> <P>capture cap-in match tcp host 1.1.1.1 host 2.2.2.2 eq &nbsp;80</P> <P>Thanks</P> <P>Sam</P> Mon, 14 Aug 2017 16:07:28 GMT https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093380#M133321 sambillings459 2017-08-14T16:07:28Z https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093381#M133322 <P>Hi Sam,</P> <P></P> <P>My bad <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P></P> <P>If you need the packet capture for outbound traffic and inbound traffic you need to capture in both the directions:</P> <P></P> <P>Ingress capture:</P> <P></P> <P>capture <G class="gr_ gr_136 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling ins-del multiReplace" id="136" data-gr-id="136">capin</G> interface inside match <G class="gr_ gr_169 gr-alert gr_spell gr_inline_cards gr_disable_anim_appear ContextualSpelling" id="169" data-gr-id="169">ip</G> host &lt;&gt; host &lt;&gt;</P> <P></P> <P>This match statement is bi-directional.</P> <P></P> <P>In case there is NAT then you need to make a slight change.</P> <P></P> <P>Let's say you have a dynamic NAT for internet access for inside users and traffic is not working:</P> <P>Something like this:</P> <P></P> <P>object-network obj-10.0.0.0</P> <P>subnet 10.0.0.0 255.255.255.0</P> <P>nat (inside,outside) dynamic 1.1.1.1</P> <P></P> <P>capture cap interface inside match <G class="gr_ gr_663 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="663" data-gr-id="663">tcp</G> host 10.0.0.1 host 4.2.2.2 eq 80</P> <P></P> <P>capture capo interface outside match <G class="gr_ gr_742 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling" id="742" data-gr-id="742">tcp</G>&nbsp;host 1.1.1.1 host 4.2.2.2 eq 80</P> <P></P> <P>This would capture the traffic&nbsp;on both the interfaces and you would know&nbsp;in which direction the traffic is working or not.</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Mon, 14 Aug 2017 16:20:00 GMT https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093381#M133322 Aditya Ganjoo 2017-08-14T16:20:00Z https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093382#M133323 <P>Hi Aditya,</P> <P></P> <P>Thank you for replying.. really appreciate your effort&nbsp;</P> <P>can you please give me some good links to documents which would help me in understanding these things.</P> <P>Thanks again</P> <P></P> <P>Thanks</P> <P>Sam</P> Mon, 14 Aug 2017 17:08:52 GMT https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093382#M133323 sambillings459 2017-08-14T17:08:52Z https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093383#M133324 <P>Hi Sam,</P> <P></P> <P>Here are some links:</P> <P></P> <P>https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html</P> <P></P> <P>https://www.tunnelsup.com/packet-captures-on-cisco-asa/</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Tue, 15 Aug 2017 04:17:42 GMT https://community.cisco.com/t5/network-security/packet-capture-command-on-cisco-asa/m-p/3093383#M133324 Aditya Ganjoo 2017-08-15T04:17:42Z