topic Re: What goes where ??? in Network Security

What goes where ???

Thomas_Madsen — Tue, 12 Mar 2019 01:05:44 GMT

I've used cisco for some time now, and are realy happe with it, but there is one thing i need to get a hang of..

Traffic from one vlan going out to internet, and traffic comming back...

All i see is traffic comming from 1 ip out on internett going to my external ip on any given port.

Is there a way i can wee what inside ip address it's going against and what inside ip it's comming from ??

We have a asa5510 with aprox 8 vlan's on the inside and it would be nice to see what user is causing the internet traffic and why there are so many hit's on the firewall 🙂

Thnks for any help

Thomas

pst not to good on command, mainly used gui 🙂

What goes where ???

Jouni Forss — Tue, 26 Feb 2013 14:05:55 GMT

Hi,

I wasnt quite sure what this post was about until I checked the actual post

You could check the ASDM (GUI) to possibly view some top user information

Try if you can find the information with the following

Login to ASDM
Go to "Home" (unless already by default there)
Look for the "Firewall Dashboard" Tab above the section which tells your ASA software and other information
On the "Firewall Dashboard" section you might need to enable some settings (unless they already are)
- The section should enable you to gather information on "Top Usage" etc.
- To my understanding enabling this might increase the load on the ASA unit so take that possibility into account

Other than that I usually use the CLI and Syslogs to find who is causing alot of traffic.

Hope this helps

- Jouni

What goes where ???

Thomas_Madsen — Tue, 26 Feb 2013 14:12:10 GMT

that one is on ofcourse 🙂

What about traffic that's beeing stopped, is it possible to see where it was trying to go ??

like if one user starts up some torrent program, can i see where the traffice is trying to go so i can stop the download ?

If i just now all out of the blue have a massive traffic on my firewall, can i somehow check where the traffic is going ?

Re: What goes where ???

Jouni Forss — Tue, 26 Feb 2013 14:21:20 GMT

Hi,

I think there is probably no clean and easy way to do that on the ASA itself.

You would probably either have to just go through Syslogs on all the formed connections or track down hosts that have several active connections.

You could also parse the log messages on a Syslog server for all the "Deny" messages etc.

I usually do this through CLI.

Easiest way to find the basic torrent user is to monitor for a host with several high port UDP connections.

Then you can naturally take a packet capture from the ASA itself and see if there is Bittorrent traffic from the source hosts.

None of these are really a easy way to monitor traffic. I guess you would need something additional if you wanted to make the monitoring of traffic easier.

- Jouni

Re: What goes where ???

Thomas_Madsen — Tue, 26 Feb 2013 14:34:02 GMT

well i've used wireshark earlier and it's ok, but not sure how to capture what i need 🙂

Say i have and external 30.30.30.x ip net, and of thoose ip's i want to know traffic going to 30.30.30.10 on the outside and the gateway for the inside net i want to "inspect" is 192.10.0.1

what do i then do to check where the traffic hitting 30.30.30.10 ends up in 192.10.0.X nett 🙂

What i need to know is if it ends up at 192.10.0.123 or 192.10.0.19 🙂

Re: What goes where ???

Jouni Forss — Tue, 26 Feb 2013 14:47:15 GMT

Hi,

A basic packet capture configuration for ASA could look something like this

access-list TRAFFIC-CAPTURE permit ip 10.10.10.0 255.255.255.0 any

access-list TRAFFIC-CAPTURE permit ip any 10.10.10.0 255.255.255.0

capture TRAFFIC-CAPTURE type raw-data access-list TRAFFIC-CAPTURE interface inside buffer 33500000 circular-buffer

Where

TRAFFIC-CAPTURE = Is the ACL that defines the traffic to be captured. The above ACL captures both directions of the traffic when the source is 10.10.10.0/24 and destination is "any" (and vice versa naturally)
10.10.10.0/24 = Is an example LAN network located behind "inside" interface (or is the interface network)
inside = Is the interface from which the capture is taken from
33500000 = Is pretty close to the max buffer memory you can have on any ASA firewall for a single capture
- You can make separate capture for each direction and later attach the capture files using wireshark
circular-buffer = Is the setting that will permit the ASA to overwrite the old captured data when the buffer is full. Capture will keep on working but old data will be overwritten as new data is being captured.

Naturally the above ACL is VERY broad. You can change the capture to only capture one "host" traffic. Or only capture TCP or UDP traffic only. You can limit to some certain destination IP addresses. Just control as you like with the ACL.

To show if traffic is hitting the capture

show capture

To show a specific capture and its contents

show capture

To copy a capture to external TFTP server

To be later opened with Wireshark for example

copy /pcap capture: tftp://x.x.x.x/.pcap

To remove a capture from ASA

Also removes the collected data

no capture

Hopefully the above information has been helpfull. Please do rate if it has been and naturally ask more if needed.

- Jouni