topic Re: Capture with ASA 9.0.1 in Network Security

Capture with ASA 9.0.1

keith.holder — Tue, 12 Mar 2019 00:35:35 GMT

Hello all. I recently upgraded my 5520 to 9.0.1 IOS. Today I tried to apply a capture to my inside interface referencing a simple ACL and I get this error.

ERROR: Capture doesn't support access-list <capin> containing mixed policies

I also created a capture for the outside interface with a similar ACL and it worked just fine. I can't seem to find anything on the web that gives me a clue to resolving the error above. Any help would be appreciated.

Capture with ASA 9.0.1

Jouni Forss — Mon, 10 Dec 2012 22:29:36 GMT

Hi,

Can you share the capture configuration for the capture that is not working

- Jouni

Capture with ASA 9.0.1

keith.holder — Mon, 10 Dec 2012 23:04:34 GMT

Sure. Here is the ACL

access-list capin extended permit ip host 10.7.1.175 any

access-list capin extended permit ip host 10.7.1.176 any

access-list capin extended permit ip any host 10.7.1.176

access-list capin extended permit ip any host 10.7.1.175

Here is the capture config I'm trying to enter with error.

FW01# capture capin access-list capin interface Inside

ERROR: Capture doesn't support access-list containing mixed policies

FW01#

I've even tried to reduce the lines in the ACL to a single ACE. No joy.

Capture with ASA 9.0.1

Andrew Phirsov — Tue, 11 Dec 2012 12:31:31 GMT

I can assume that this means that you should put in capture ACL only lines, indicating one direction of traffic. So ASA will automatically capture reply packets based on that. In your case probably it worth just leave first two entries.

Plus, u can use capture without using ACLs at all:

ASA(config)# capture CAPTURE match ip host 10.7.1.175 any

ASA(config)# capture CAPTURE match ip host 10.7.1.176 any

It'll capture traffic in both directions.

Re: Capture with ASA 9.0.1

keith.holder — Tue, 11 Dec 2012 12:57:50 GMT

I found out late last night from TAC that the error I posted is because the ANY keyword is referencing ipv4 and ipv6. The ACL syntax should read ANY4 to specify ipv4 only in my case. I'll test this later today. Thanks Andrew. You are correct but your post didn't explain why I was receiving the error I was getting.

Sent from Cisco Technical Support iPhone App

Capture with ASA 9.0.1

seanmcgartland — Tue, 11 Dec 2012 19:38:57 GMT

Ran into this exact issue, and switching to ANY4 resolved it.

Thanks for posting!

Capture with ASA 9.0.1

plambrecht — Sat, 30 Mar 2013 11:08:22 GMT

had the same problem ! solved using any4, rather then any

thx!

Capture with ASA 9.0.1

Julio Carvajal — Sat, 30 Mar 2013 19:54:52 GMT

Hello you all,

Let me explain you the behavior you are seeing:

As you might know after 7.0(1) the ASA supports IPv6 addresses on their interfaces, so what happens if we want to filter IPv6 traffic with ACL's.

Well we need it to create an ACL with the IPv6 keyword at the beginning.. Such as:

ipv6 access-list Inside_Out permit tcp any host 2001:AAAA::2 eq 80

This means that we had to apply 2 access-groups on an interface if we have both IPv4 and IPv6 addresses and we want to filter traffic.

But here comes the change

After 9.0(1) the ACL structure supports IPv6 ( Hexadecimal notation ) and IPv4 ( Decimal notation ) on the same ACL, so we can still using just one ACL and just one access-group Pretty cool ah??

So that's is why we need to specify on the ACL whether we are going to permit all IPv6 and IPv6 traffic ( ANY) or just IPv6 traffic (Any6) or Just IPv4 traffic (Any4),

Now regarding captures if we use an ACL we must set the Any4 or Any6, The captures after this version 9.0(1) does not support the use of the ANY as it will match both IPv4 and IPv6 at the same time and that is not supported YET

I am thinking about providing a seminar regarding IPv6 and the ASA but I am just waiting for the techonolgy to keep growing and growing so we can have more people attending to that

Anyway if someone else have any question, doubt just let me know,

Hope that I could explain this a little better so you guys have this clear now,

If any of you do not have any questions please mark it as answered and remember to rate all of the helpful posts ( Inluding this one lol )

Regards

Julio Carvajal

Advanced Security Trainer

Capture with ASA 9.0.1

fcmartinez — Fri, 20 Sep 2013 21:56:42 GMT

Hi Security gurus

i ran into same issue and corrected using any4

configure mode commands/options:

A.B.C.D Source IP address

X:X:X:X::X/<0-128> Source IPv6 address/prefix

any Abbreviation for source address/mask of

0.0.0.0/0.0.0.0 OR source prefix ::/0

any4 Abbreviation of source address and mask of 0.0.0.0

0.0.0.0

any6 Abbreviation for source prefix ::/0

As Julio Carvajal said we cannot mix them as ASA need to know which ipv4 or ipv6 to check

Capture with ASA 9.0.1

GLRezabek_2 — Mon, 10 Feb 2014 20:53:04 GMT

Per Cisco:

After release 9.0(1) and higher the ACL structure supports IPv6 ( Hexadecimal notation ) and IPv4

( Decimal notation ) on the same ACL. Regarding captures if we use an ACL we must set the any4 or any6 keyword, The captures after this version 9.0(1) do not support the use of the ANY as it will match both IPv4 and IPv6 at the same time and that is not supported as of yet.

New capture examples:

-----------------------------------------------------------------------------------

<< Inside Interface >>

access-list 191 line 1 extended permit tcp host xxx.xxx.xxx.xxx any4

access-list 191 line 1 extended permit tcp any4 host xxx.xxx.xxx.xxx

capture capin access-list 191 interface inside packet-length 1513

capture capin

capture capin type raw-data

-----------------------------------------------------------------------------------

<< Outside Interface >>

access-list 192 line 1 extended permit tcp host xxx.xxx.xxx.xxx any4

access-list 192 line 1 extended permit tcp any4 host xxx.xxx.xxx.xxx

capture capout access-list 192 interface outside packet-length 1513

capture capout

capture capout type raw-data

-----------------------------------------------------------------------------------