Is it possible to use the logging features on an ASA to detect outbound TLS 1.0 connections?

SHANE4252
Level 1

Just like the title says.  Is there a packet capture or other type of logging we can do on the ASA firewalls to detect outgoing TLS 1.0 connections going through it?  We may want to monitor for 24 hours or more.  This is for auditing purposes.

Accepted Solution

Hi Shane,

I am not aware of a method to perform this task on the ASA without doing some sort of packet capture. The ASA supports on-box packet capture, but since you would need to be capturing all traffic for long periods of time, this isn't very practical to do on-box (not enough buffer). If you are interested in attempting this method anyway, this post may be of use:
https://supportforums.cisco.com/document/29681/how-automate-getting-packet-captures-asa

You could also try using a SPAN session on the switch port that is connected to the inside interface of the ASA and mirror all of that traffic to a PC that is connected to another port on the switch. Once you have a PCAP of the period you are interested in, you should be able to open it in Wireshark and use the following filter to detect the TLS 1.0 traffic: "ssl.record.version == 0x0301 && ssl.record.content_type == 23".

The downside in trying to capture this much traffic is that you are probably going to end up with a giant PCAP file at the end of the 24 hour period (which you may not be able to open), unless the feed you are capturing uses Morse code (then you can capture for as long as you want). The solution to this may be to configure Wireshark to create a new capture file every X MB and parse through the data later in smaller chunks (preferably using a script of some kind).

Sorry, this probably wasn't the answer you were looking for, but that is all I can think of at this time, unless you bring in another tool set, like some sort of SSL proxy server which can man-in-the-middle all of your clients behind the ASA.

Jon

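An added example (not code from the original thread, Jon, or Cisco): a Python script that does offline, over the rotated capture files a SPAN session produces, what the Wireshark filter in the answer does. It reports flows whose negotiated version is TLS 1.0 by checking the record-layer version on Application Data records (content type 23, i.e. the same test as "ssl.record.version == 0x0301 && ssl.record.content_type == 23"; Wireshark 3.0 and later name these fields tls.record.version and tls.record.content_type) and by reading the version field of the ServerHello. Checking the ClientHello's record header instead would over-report, because TLS 1.1 and 1.2 clients routinely put 0x0301 in that header for compatibility, which is exactly why the filter restricts itself to Application Data. The sample capture is constructed in memory and the addresses and ports are made up; the parser assumes classic pcap with Ethernet/IPv4/TCP, no IP options and no TCP reassembly.

```python
"""Scan a pcap for TCP flows that negotiated TLS 1.0. Added example, not from the thread.
Mirrors the Wireshark filter (record version 0x0301 on Application Data) and also reads
the ServerHello, so a TLS 1.2 ClientHello carried under 0x0301 is not mis-flagged."""
import struct

TLS_HANDSHAKE, TLS_APPLICATION_DATA, SERVER_HELLO = 22, 23, 2
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def tls_records(payload):
    """Yield (content_type, record_version, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        if ctype not in (20, 21, 22, 23) or off + 5 + length > len(payload):
            return  # not TLS, or a truncated record
        yield ctype, version, payload[off + 5:off + 5 + length]
        off += 5 + length

def negotiated_version(payload):
    """Negotiated version from Application Data header or ServerHello body[4:6]; else None."""
    for ctype, version, body in tls_records(payload):
        if ctype == TLS_APPLICATION_DATA:
            return version
        if ctype == TLS_HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
            return struct.unpack("!H", body[4:6])[0]
    return None  # ClientHello record headers are deliberately not trusted

def pcap_frames(data):
    """Yield raw link-layer frames from a classic pcap (either byte order)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """Return (((src, sport), (dst, dport)), payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    tcp = frame[14 + ihl:14 + struct.unpack("!H", ip[2:4])[0]]
    sport, dport = struct.unpack("!HH", tcp[:4])
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    return ((src, sport), (dst, dport)), tcp[(tcp[12] >> 4) * 4:]

def tls10_flows(pcap_bytes):
    """Return {flow: version} for flows whose negotiated version is TLS 1.0."""
    seen = {}
    for fr in pcap_frames(pcap_bytes):
        parsed = tcp_payload(fr)
        if parsed is None:
            continue
        (a, b), payload = parsed
        ver = negotiated_version(payload)
        if ver is not None:
            seen[tuple(sorted((a, b)))] = ver  # both directions share one key
    return {flow: ver for flow, ver in seen.items() if ver == 0x0301}

# --- constructed sample capture (synthetic, not real traffic) -----------------
def record(ctype, version, body):
    return struct.pack("!BHH", ctype, version, len(body)) + body

def hello(hs_type, version):
    """Minimal ClientHello (1) / ServerHello (2): header, version, 32-byte random."""
    body = struct.pack("!H", version) + b"\x00" * 32
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

def build_frame(src, sport, dst, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)

CLIENT, MODERN, LEGACY = "10.1.1.20", "203.0.113.9", "198.51.100.7"  # made-up addresses
SAMPLE_PCAP = build_pcap([
    # Flow A: TLS 1.2 session; the ClientHello record header still says 0x0301
    build_frame(CLIENT, 50001, MODERN, 443, record(22, 0x0301, hello(1, 0x0303))),
    build_frame(MODERN, 443, CLIENT, 50001, record(22, 0x0303, hello(2, 0x0303))),
    build_frame(CLIENT, 50001, MODERN, 443, record(23, 0x0303, b"\x11" * 40)),
    # Flow B: server negotiates TLS 1.0; application data is then sent under 0x0301
    build_frame(CLIENT, 50002, LEGACY, 443, record(22, 0x0301, hello(1, 0x0303))),
    build_frame(LEGACY, 443, CLIENT, 50002, record(22, 0x0301, hello(2, 0x0301))),
    build_frame(CLIENT, 50002, LEGACY, 443, record(23, 0x0301, b"\x22" * 40)),
    build_frame(CLIENT, 50003, MODERN, 80, b"GET / HTTP/1.1\r\n\r\n"),  # not TLS
])

if __name__ == "__main__":
    for (a, b), ver in tls10_flows(SAMPLE_PCAP).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {VERSION_NAMES.get(ver, hex(ver))}")
```

Run against real data by looping over the rotated files Wireshark or dumpcap wrote and passing each file's bytes to tls10_flows; only the client address, server address and port of each offending flow need to be kept for the audit. Because there is no TCP reassembly, a ServerHello or Application Data record split across segments is skipped, so on a long capture this under-reports slightly rather than over-reporting; a record whose header lands at a segment boundary is simply not seen.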

2 Replies

SHANE4252
Level 1

Any ideas folks?  Even a "not possible" would be fine if that's the case.

