Sure.  Here is the ACL

access-list capin extended permit ip host 10.7.1.175 any

access-list capin extended permit ip host 10.7.1.176 any

access-list capin extended permit ip any host 10.7.1.176

access-list capin extended permit ip any host 10.7.1.175

Here is the capture config I'm trying to enter with error.

FW01# capture capin access-list capin interface Inside

ERROR: Capture doesn't support access-list containing mixed policies

FW01#

I've even tried to reduce the lines in the ACL to a single ACE. No joy.

I can assume that this means that you should put in capture ACL only lines, indicating one direction of traffic. So ASA will automatically capture reply packets based on that. In your case probably it worth just leave first two entries.

Plus, u can use capture without using ACLs at all:

ASA(config)# capture CAPTURE match ip host 10.7.1.175 any

ASA(config)# capture CAPTURE match ip host 10.7.1.176 any

It'll capture traffic in both directions.

I found out late last night from TAC that the error I posted is because the ANY keyword is referencing ipv4 and ipv6. The ACL syntax should read ANY4 to specify ipv4 only in my case. I'll test this later today. Thanks Andrew. You are correct but your post didn't explain why I was receiving the error I was getting.

Sent from Cisco Technical Support iPhone App

Ran into this exact issue, and switching to ANY4 resolved it.

Thanks for posting!

had the same problem ! solved using any4, rather then any

thx!

Hello you all,

Let me explain you the behavior you are seeing:

As you might know after 7.0(1) the ASA supports IPv6 addresses on their interfaces, so what happens if we want to filter IPv6 traffic with ACL's.

Well we need it to create an ACL with the IPv6 keyword at the beginning.. Such as:

    ipv6 access-list Inside_Out permit tcp any host 2001:AAAA::2 eq 80

This means that we had to apply 2 access-groups on an interface if we have both IPv4 and IPv6 addresses and we want to filter traffic.

But here comes the change

After 9.0(1) the ACL structure supports IPv6 ( Hexadecimal notation ) and IPv4 ( Decimal notation ) on the same ACL, so we can still using just one ACL and just one access-group  Pretty cool ah??

So that's is why we need to specify on the ACL whether we are going to permit all IPv6 and IPv6 traffic ( ANY) or just IPv6 traffic (Any6) or Just IPv4 traffic (Any4),

Now regarding captures if we use an ACL we must set the Any4 or Any6, The captures after this version 9.0(1) does not support the use of the ANY as it will match both IPv4 and IPv6 at the same time and that is not supported YET

I am thinking about providing a seminar regarding IPv6 and the ASA but I am just waiting for the techonolgy to keep growing and growing so we can have more people attending to that

Anyway if someone else have any question, doubt just let me know,

Hope that I could explain this a little better so you guys have this clear now,

If any of you do not have any questions please mark it as answered and remember to rate all of the helpful posts ( Inluding this one lol )

Regards

Julio Carvajal

Advanced Security Trainer