https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787619#M494233 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>It would be the same as the others, but at the end you put the "headers-only" keywords at the end. The limitation again would be the buffer of the ASA for packet capturing. </P><P></P><P>Feel free to browse the following document, let me know if it works for you </P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-17814">https://supportforums.cisco.com/docs/DOC-17814</A></P><P></P><P>PS, I would still go for SPAN on the switch <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>Mike</P></BODY></HTML> Thu, 03 Nov 2011 08:36:43 GMT Maykol Rojas 2011-11-03T08:36:43Z https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787616#M494220 <P>Hi, </P><P></P><P>I have been trying to figure out a way to log all packet flow originating from the DMZ segment to our Inside network. There are multiple ways I came across through which this could be achieved.</P><P></P><P>1) Through the ASDM packet capture wizard - Problem with this...I need the packet flow details covering 2 days. This cant be acheived through the wizard moreover it will increase the CPU utilization of the firewall.</P><P></P><P>2) Enabling Informational logging at the end of the ACE for DMZ to Inside - Problem....my syslog would not show any hits. Guess I need to enable Debugging mode but wont this increase the CPU?</P><P></P><P>Apart from the above methods is there a way to achieve my requirement without causing CPU hike?</P><P></P><P>Regards</P> Mon, 11 Mar 2019 21:45:26 GMT https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787616#M494220 Sundeep Dsouza 2019-03-11T21:45:26Z https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787617#M494224 <HTML><HEAD></HEAD><BODY><P>Hi. </P><P></P><P>I wouldnt recomment using the ASA to do this, if it is goin to be for two days. I bet that the ASA wont have that much buffer for that period of time (unless you only capture the headers only and not the payload) I think it would be better if you do it using SPAN on the switch port that connects to the ASA on the DMZ interface, connect a computer, run wireshark and leave it like that for two days. </P><P></P><P>The capture on the ASA is mainly to analyze specific types of connections. </P><P></P><P>Mike Rojas </P></BODY></HTML> Wed, 02 Nov 2011 23:11:25 GMT https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787617#M494224 Maykol Rojas 2011-11-02T23:11:25Z https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787618#M494229 <HTML><HEAD></HEAD><BODY><P>Hi Maykol,</P><P></P><P>Our main requirement is to check what ports are used from the DMZ to the Inside network. Once we gather that information we can restrict access using ACE. I guess the header information will suffice as it would provide me port information.</P><P>Can you suggest how I can capture packets containing header information?</P><P></P><P>Regards</P></BODY></HTML> Thu, 03 Nov 2011 08:24:23 GMT https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787618#M494229 Sundeep Dsouza 2011-11-03T08:24:23Z https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787619#M494233 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P></P><P>It would be the same as the others, but at the end you put the "headers-only" keywords at the end. The limitation again would be the buffer of the ASA for packet capturing. </P><P></P><P>Feel free to browse the following document, let me know if it works for you </P><P></P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-17814">https://supportforums.cisco.com/docs/DOC-17814</A></P><P></P><P>PS, I would still go for SPAN on the switch <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> </P><P></P><P>Mike</P></BODY></HTML> Thu, 03 Nov 2011 08:36:43 GMT https://community.cisco.com/t5/network-security/syslog-for-logging-all-packet-flow-from-dmz-to-inside/m-p/1787619#M494233 Maykol Rojas 2011-11-03T08:36:43Z