https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443746#M662338 <P>Troubleshooting the ASA tip:<BR />If you're like me, you perform MANY different tasks throughout the day.<BR />Many times, I am duplicating the same work at different times throughout the day.<BR />It takes a lot of time to figure out and setup a capture session each time I need to determine what is going through my firewall or getting blocked before it gets to my firewall. Finally I realized the same exact traffic flow capture filters were being configured, used and then deleted.<BR />I now have created permanent ACLs to assist troubleshooting the most common tasks.<BR />I perform a sh run, scroll down to the "cap" acl section, highlight syntax, copy and paste, done.</P><P></P><P><BR />Line 1 of each acl has the syntax to capture my most common data flows.<BR />Line 2 of each acl has the copy syntax to place the captured raw data onto the Wireshark traffic analyzer/TFTP server.</P><P></P><P>Hugh time saver!<BR />----<BR />---- Please note: Our firewall is under utilized (running at 2%), <BR />---- Performing a capture on your firewall must be deamed safe by&nbsp;&nbsp;&nbsp;&nbsp; YOU . . . BEFORE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; trying this else you could be looking for another job.<BR />---- Remember to terminate your capture when done - no capture #.</P><P></P><P>access-list cap-research line 1 REMARK capture 1 access-list cap-research int research real det<BR />access-list cap-research line 2 REMAKR copy /pcap capture:1 tftp<BR />!<BR />access-list cap-research line 3 extended deny ip host 10.99.4.1 host 10.99.4.2 <BR />access-list cap-research line 4 extended deny ip host 10.99.4.2 host 10.99.4.1<BR />access-list cap-research line 5 REMARK Ignore firewall-to-firewall keepalives<BR />!<BR />access-list cap-research line 6 extended permit ip any host 10.99.4.5<BR />access-list cap-research line 7 REMARK ingress packets on interface Research<BR />!<BR />access-list cap-research line 8 extended permit ip host 10.99.4.5 any <BR />access-list cap-research line 9 REMARK egress packets on interface Research</P><P></P><P>!################################# for clarity</P><P></P><P>access-list cap-eng line 1 REMARK capture 2 access-list cap-eng int eng real det<BR />access-list cap-eng line 2 REMARK copy /pcap capture:2 tftp<BR />!<BR />access-list cap-eng line 3 extended deny ip host 10.91.0.1 host 10.91.0.2 <BR />access-list cap-eng line 4 extended deny ip host 10.91.0.2 host 10.91.0.1<BR />access-list cap-eng line 5 REMARK Ignore firewall-to-firewall keepalives<BR />!<BR />access-list cap-eng line 6 extended permit TCP any host 10.91.0.33<BR />access-list cap-eng line 7 REMARK ingress packets on interface ENG<BR />!<BR />access-list cap-eng line 8 extended permit TCP host 10.91.0.33 any <BR />access-list cap-eng line 9 REMARK egress packets on interface ENG</P><P></P><P>!################################# for clarity</P><P></P><P>access-list cap-inventory line 1 REMARK capture 3 access-list cap-inventory int inventory real det<BR />access-list cap-inventory line 2 REMARK copy /pcap capture:3 tftp<BR />!<BR />access-list cap-inventory line 3 extended deny ip host 10.3.16.1 host 10.3.16.2 <BR />access-list cap-inventory line 4 extended deny ip host 10.3.16.2 host 10.3.16.1<BR />access-list cap-inventory line 5 REMARK Ignore firewall-to-firewall keepalives<BR />!<BR />access-list cap-inventory line 6 extended permit UDP any host 10.3.16.15<BR />access-list cap-inventory line 7 REMARK ingress packets on interface inventory<BR />!<BR />access-list cap-inventory line 8 extended permit UDP host 10.3.16.15 any <BR />access-list cap-inventory line 9 REMARK egress packets on interface inventory</P><P></P><P>Hope this helps</P><P>Frank</P> Mon, 11 Mar 2019 18:05:44 GMT fsebera 2019-03-11T18:05:44Z https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443746#M662338 <P>Troubleshooting the ASA tip:<BR />If you're like me, you perform MANY different tasks throughout the day.<BR />Many times, I am duplicating the same work at different times throughout the day.<BR />It takes a lot of time to figure out and setup a capture session each time I need to determine what is going through my firewall or getting blocked before it gets to my firewall. Finally I realized the same exact traffic flow capture filters were being configured, used and then deleted.<BR />I now have created permanent ACLs to assist troubleshooting the most common tasks.<BR />I perform a sh run, scroll down to the "cap" acl section, highlight syntax, copy and paste, done.</P><P></P><P><BR />Line 1 of each acl has the syntax to capture my most common data flows.<BR />Line 2 of each acl has the copy syntax to place the captured raw data onto the Wireshark traffic analyzer/TFTP server.</P><P></P><P>Hugh time saver!<BR />----<BR />---- Please note: Our firewall is under utilized (running at 2%), <BR />---- Performing a capture on your firewall must be deamed safe by&nbsp;&nbsp;&nbsp;&nbsp; YOU . . . BEFORE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; trying this else you could be looking for another job.<BR />---- Remember to terminate your capture when done - no capture #.</P><P></P><P>access-list cap-research line 1 REMARK capture 1 access-list cap-research int research real det<BR />access-list cap-research line 2 REMAKR copy /pcap capture:1 tftp<BR />!<BR />access-list cap-research line 3 extended deny ip host 10.99.4.1 host 10.99.4.2 <BR />access-list cap-research line 4 extended deny ip host 10.99.4.2 host 10.99.4.1<BR />access-list cap-research line 5 REMARK Ignore firewall-to-firewall keepalives<BR />!<BR />access-list cap-research line 6 extended permit ip any host 10.99.4.5<BR />access-list cap-research line 7 REMARK ingress packets on interface Research<BR />!<BR />access-list cap-research line 8 extended permit ip host 10.99.4.5 any <BR />access-list cap-research line 9 REMARK egress packets on interface Research</P><P></P><P>!################################# for clarity</P><P></P><P>access-list cap-eng line 1 REMARK capture 2 access-list cap-eng int eng real det<BR />access-list cap-eng line 2 REMARK copy /pcap capture:2 tftp<BR />!<BR />access-list cap-eng line 3 extended deny ip host 10.91.0.1 host 10.91.0.2 <BR />access-list cap-eng line 4 extended deny ip host 10.91.0.2 host 10.91.0.1<BR />access-list cap-eng line 5 REMARK Ignore firewall-to-firewall keepalives<BR />!<BR />access-list cap-eng line 6 extended permit TCP any host 10.91.0.33<BR />access-list cap-eng line 7 REMARK ingress packets on interface ENG<BR />!<BR />access-list cap-eng line 8 extended permit TCP host 10.91.0.33 any <BR />access-list cap-eng line 9 REMARK egress packets on interface ENG</P><P></P><P>!################################# for clarity</P><P></P><P>access-list cap-inventory line 1 REMARK capture 3 access-list cap-inventory int inventory real det<BR />access-list cap-inventory line 2 REMARK copy /pcap capture:3 tftp<BR />!<BR />access-list cap-inventory line 3 extended deny ip host 10.3.16.1 host 10.3.16.2 <BR />access-list cap-inventory line 4 extended deny ip host 10.3.16.2 host 10.3.16.1<BR />access-list cap-inventory line 5 REMARK Ignore firewall-to-firewall keepalives<BR />!<BR />access-list cap-inventory line 6 extended permit UDP any host 10.3.16.15<BR />access-list cap-inventory line 7 REMARK ingress packets on interface inventory<BR />!<BR />access-list cap-inventory line 8 extended permit UDP host 10.3.16.15 any <BR />access-list cap-inventory line 9 REMARK egress packets on interface inventory</P><P></P><P>Hope this helps</P><P>Frank</P> Mon, 11 Mar 2019 18:05:44 GMT https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443746#M662338 fsebera 2019-03-11T18:05:44Z https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443747#M662349 <HTML><HEAD></HEAD><BODY><P>Frank,</P><P></P><P>That is a great tip!&nbsp; You are exactly right.&nbsp; One other item that makes this easier is the command:</P><P></P><P>show run access-list | inc cap</P><P></P><P>This will show all access-lists that are configured that include the word 'cap' - if you have alot of access-lists on your ASA, this one will also save some time and frustrations.&nbsp; The 'show run <X> | inc <Y>' command can be useful for <X> = static, nat, route, interface, etc.</X></Y></X></P><P></P><P>Please mark this thread as "answered" so others can know to reference it in the future!</P><P></P><P>Thanks again for the great tip! </P><P></P><P>Kevin</P></BODY></HTML> Wed, 30 Jun 2010 20:42:08 GMT https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443747#M662349 Kevin Redmon 2010-06-30T20:42:08Z https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443748#M662384 <HTML><HEAD></HEAD><BODY><P>Frank,</P><P></P><P>That is a great tip!&nbsp; You are exactly right.&nbsp; One other item that makes this easier is the command:</P><P></P><P>show run access-list | inc cap</P><P></P><P>This will show all access-lists that are configured that include the word 'cap' - if you have alot of access-lists on your ASA, this one will also save some time and frustrations.&nbsp; The 'show run <X> | inc <Y>' command can be useful for <X> = static, nat, route, interface, etc.</X></Y></X></P><P></P><P>Please mark this thread as "answered" so others can know to reference it in the future!</P><P></P><P>Thanks again for the great tip! </P><P></P><P>Kevin</P></BODY></HTML> Wed, 30 Jun 2010 20:42:12 GMT https://community.cisco.com/t5/network-security/troubleshooting-the-asa-tip/m-p/1443748#M662384 Kevin Redmon 2010-06-30T20:42:12Z