topic Re: capture traffic falling through to permit any any rule in Network Security

capture traffic falling through to permit any any rule

lcaruso — Mon, 11 Mar 2019 20:01:46 GMT

Hi,

I'm guessing there isn't a way to do this and hoping someone says I'm wrong. I need a way to capture traffic that falls through to the bottom of a given rule set which has a permit any any at the bottom so I can tell what rules implemented above would catch it.

For example, in converting a two PIX dmz to a single ASA dmz where documentation about rules and servers is non-existent or hard to gather, I simply copied the existing rules. Now, I'm looking at the hits with ASDM and seeing there are only a few rules being hit and everything else is falling through to permit any any which was the original policy. Now, I want to tighten the rule set without breaking anything I don't know about.

If I could capture the traffic hit the default allow rule, I'd learn everything I need to know. How can I do this?

Thanks.

Re: capture traffic falling through to permit any any rule

Maykol Rojas — Mon, 07 Mar 2011 04:06:29 GMT

Hi,

I think you can do an exact replica of your acl that is applied on the DMZ, but instead of permit just put denys...and then leave the permit any any, those denys should exclude the traffic to be captured and then you will see what is being hit by the permit ip any any.

Hope this helps.

Mike

Re: capture traffic falling through to permit any any rule

Pavel Pokorny — Mon, 07 Mar 2011 07:19:56 GMT

Hi,

Putting denny disrupts traffic, so this can be bad...

I recommend at the line where is allow any any, start logging what passes:

IE : access-list example line 9 extended permit ip x.x.x.x 255.255.255.0 any log 4 interval 300

Than you see in your syslog server, which box is trying to communicate, where and on which port.

You can, on that make permit rules and after week or two, there should be no traffic hitting this rule and you can set it to deny and swtich logging off.

HTH

Pavel

Re: capture traffic falling through to permit any any rule

Maykol Rojas — Mon, 07 Mar 2011 08:02:24 GMT

Hi Pavel,

Why would it disrupt traffic if it is only for packet capturing?

Mike

Re: capture traffic falling through to permit any any rule

Pavel Pokorny — Mon, 07 Mar 2011 10:00:42 GMT

Hi,

I don't know, if I understand well, but in your post : but instead of permit just put denys...and then leave the permit any any

This will first disrupt traffic, or not?

Maybe I understand this bad, so please explain your thoughs..

Pavel

Re: capture traffic falling through to permit any any rule

lcaruso — Tue, 08 Mar 2011 01:30:20 GMT

Hi Mike,

Thanks for your reply. I like your idea and will give that a try. Appreciate it.

Larry