topic Hi, in Network Security

Cisco ASA ASP-DROP

Mokhalil82 — Tue, 12 Mar 2019 07:29:56 GMT

I am trying to setup a capture using type asp-drop to capture dropped traffic between a internal network and an external network and I need to monitor the drop for 24hrs. I am using the commands

capture cap1 type asp-drop all

match ip source subnet des subnet

The capture just matches everything so does not filter down to the match statement.

What could I be doing wrong

Thanks

Hi,

Aditya Ganjoo — Wed, 16 Mar 2016 11:17:28 GMT

Hi,

It should only show you drops regarding to the matched subnets.

So what do you see except the defined subnets ?

Regards,

Aditya

Please rate helpful posts.

Hi

Mokhalil82 — Wed, 16 Mar 2016 11:34:11 GMT

It filters the asp-drop type, for example if i configure "capture cap1 type asp-drop acl-drop"

But displays results for all ip ranges (everthing) that is being dropped because of reason acl-drop, not just for the source and destination subnets what I have defined in the match statement.

Thanks

Hi,

Aditya Ganjoo — Wed, 16 Mar 2016 11:51:53 GMT

Hi,

Not sure but if I am doing it on my ASA I am able to filter it on the basis of subnet.

May I know what is the requirement ?

Regards,

Aditya

Please rate helpful posts.

We access an external service

Mokhalil82 — Wed, 16 Mar 2016 12:09:02 GMT

We access an external service which is based on 2 subnets, and some users have reported random freezes when using this external service. I just want to run a asp-drop from all internal subnets to the 2 external subnets and see if the firewalls are dropping anything.

I know the issue can be anywhere but just to ensure it is not the firewalls and to have some proof to say, ive got a capture running and it reports no drops, so the issue is elsewhere.

Thanks

Hi,

Aditya Ganjoo — Wed, 16 Mar 2016 12:44:23 GMT

Hi,

Then the idea of having asp drop captures filtered on the subnets make sense.

You would also be interested in the syslogs of the ASA at the time of the issue.

Also can you try filtering on the basis of host IP's and see if you still see the same behaviour.

Also, what ASA version are you running ?

Regards,

Aditya

Please rate helpful posts.

Thanks Aditya

Mokhalil82 — Wed, 16 Mar 2016 12:58:04 GMT

Thanks Aditya

I am running ASA version 9.1(6)6

I may check with TAC, as the

Mokhalil82 — Wed, 16 Mar 2016 12:59:07 GMT

I may check with TAC, as the configuration for the captures is not complex, but instead not giving the desired results

Hi,

Aditya Ganjoo — Wed, 16 Mar 2016 14:03:07 GMT

Hi,

Yes it would be a good idea to check with TAC but before that you can try filtering the captures on the basis of host IP's and test.

Regards,

Aditya

Please rate helpful posts.