Capture SSH management traffic

Florin Barhala — Tue, 12 Mar 2019 05:12:47 GMT

Hi guys,

I have one ASA 5505 running 8.4(2) with two interfaces:

5505# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan2 outside 80.82.x.y 255.255.255.252 CONFIG
Vlan600 inside 172.16.3.82 255.255.255.248 CONFIG

I setup the following captures:

5505# show capture
capture cap1 type raw-data access-list capture1 interface inside [Capturing - 0 bytes]
capture cap2 type raw-data access-list capture2 interface inside [Buffer Full - 523244 bytes]
5505# sa capture1
access-list capture1; 2 elements; name hash: 0xb807b4ac
access-list capture1 line 1 extended permit tcp host 172.16.3.82 eq ssh any (hitcnt=0) 0xa74cb20f
access-list capture1 line 2 extended permit tcp any host 172.16.3.82 eq ssh (hitcnt=0) 0xf1cc97fd
5505# sa capture2
access-list capture2; 2 elements; name hash: 0xdd27d678
access-list capture2 line 1 extended permit tcp any any eq ssh (hitcnt=30281) 0x0bd72029
access-list capture2 line 2 extended permit tcp any eq ssh any (hitcnt=32538) 0xdd9e7e84

Trouble is I can't see/catch anything on either of the two capture when I SSH on the inside interface from a site-to-site VPN being done with another ASA.

5505# show ssh sessions

SID Client IP Version Mode Encryption Hmac State Username
0 172.17.120.170 2.0 IN aes256-cbc sha1 SessionStarted florinb
OUT aes256-cbc sha1 SessionStarted florinb

5505# show run management-access
management-access inside

Any suggestion for this issue?

Thanks in advance!

P.S. I configured cap1 on the 2nd ASA (that participates on the VPN tunnel) and here I can see traffic passing through the tunnel toward 5505 ASA:

ASA_VPN_endpoint# show capture cap1

75 packets captured

1: 15:23:23.821872 172.17.120.170.54313 > 172.16.3.82.22: S 1673956627:1673956627(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 15:23:23.869446 172.16.3.82.22 > 172.17.120.170.54313: S 137067347:137067347(0) ack 1673956628 win 8192 <mss 1380>

Hi,I don't think you would be

Vibhor Amrodia — Fri, 12 Dec 2014 09:44:15 GMT

Hi,

I don't think you would be able to capture anything on the Outside Interface on the ASA 5505 to which the tunnel is terminating as this is encrypted.

Also , what did you see in the any any captures ?

Thanks and Regards,

Vibhor Amrodia

Hi mate,Both captures I

Florin Barhala — Fri, 12 Dec 2014 11:56:20 GMT

Hi mate,

Both captures I attend are on the inside interface.

Ok, so capture was not

Florin Barhala — Fri, 12 Dec 2014 18:08:55 GMT

Ok, so capture was not working because of the VPN scenario. It is well known that any VPN traffic ends on the outside interface and the same here.

ASA capture will not work/show anything if traffic ends on an interface different the one configured in the command.

topic Ok, so capture was not in Network Security

Capture SSH management traffic

Hi,I don't think you would be

Hi mate,Both captures I

Ok, so capture was not