Need to get traffic log from Cisco pix 501

newonenewone88
Level 1

Hi,

I'm trying to help a small non-profit company with an issue they are having.

They have an old cisco pix 501 firewall. I can access it via the device manager interface from my browser.

What they want is to be able to get all the traffic from the firewall to the internet and vice versa. They want to know the originating NAT IP address and the destination from the inside interface.

I looked at the console and I can't find a way to capture any traffic from either interface.

Can someone point me to the right direction?

Thanks

6 Replies

Shrikant Sundaresh
Cisco Employee

Hi Andy,

If you have command line access to the device, you can perform a capture in the following way (v6.2 and above):

access-list acl1 permit tcp any eq http any
access-list acl1 permit tcp any any eq http
capture caphttp access-list acl1 packet-length 74 interface outside buffer

This will help capture the first 74 bytes of each packet that is either destined to port 80 or a reply from port 80.


"show capture caphttp" will display the packet headers captured.

However, there will be a lot of web traffic and the buffer (by default 512 KB) might get overrun really fast.

I hope this helps.

-Shrikant

P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.


Shrikant,

Thank you for the help.

I have command line access. Is there any way to capture this in a file and not the buffer? I don't want to bring down the firewall.
Thanks

Hi Andy,

The capture process does not generally consume a lot of CPU. It only uses up some of the memory being used to store the capture.

This capture can be downloaded from the buffer to a file.

https:///capture//pcap

But I think the only way to capture all traffic continuously would be to have a setup like this (slightly complicated option):

Internet ------------- Switch/Hub --------------- PIX -------------- Inside

And connect a computer to the switch/hub and run wireshark or a similar packet sniffing tool on it.

If it is a switch, then you would have to SPAN the port connected to the PIX. A hub would always broadcast, and thus traffic would be seen on the computer as well.

Please let me know if this helps.

-Shrikant
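A pcap downloaded from the PIX buffer (the https://.../pcap URL above) can be summarised without opening Wireshark. The following is an added example, not code from the thread or from Cisco: a minimal classic-pcap reader that lists the IPv4/TCP source and destination addresses and ports in each 74-byte frame, plus a talker count. The sample capture is constructed inline; on a capture taken on the outside interface the source address is the translated (post-NAT) address.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond, little-endian

def _frame(src, dst, sport, dport):
    """Construct a 74-byte Ethernet/IPv4/TCP frame (what packet-length 74 keeps)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    payload_len = 74 - 14 - 20 - 20                         # bytes left after the TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len

def build_pcap(frames):
    """Wrap frames in a classic pcap file: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 74, 1)  # snaplen 74, linktype 1 (Ethernet)
    records = [struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return hdr + b"".join(records)

def tcp_flows(pcap):
    """Return (src_ip, dst_ip, src_port, dst_port) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic in PCAP_MAGIC_LE else ">"
    flows, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # not IPv4
        ihl = (frame[14] & 0x0F) * 4                        # IP header length in bytes
        if frame[23] != 6 or len(frame) < 14 + ihl + 4:
            continue                                        # not TCP, or ports truncated
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        flows.append((src, dst, sport, dport))
    return flows

def top_talkers(pcap):
    """Count (src_ip, dst_ip) pairs; the originating and destination hosts the poster asked for."""
    return Counter((s, d) for s, d, _, _ in tcp_flows(pcap))

# Constructed sample: two client->server requests and one server reply (documentation addresses).
SAMPLE = build_pcap([_frame("203.0.113.10", "198.51.100.20", 40000, 80),
                     _frame("198.51.100.20", "203.0.113.10", 80, 40000),
                     _frame("203.0.113.10", "198.51.100.20", 40001, 80)])
```

Point tcp_flows at the bytes of a real downloaded pcap to get the same listing for an actual capture.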

Thank you again, I really appreciate it.

I don't have any managed switches to SPAN the port of the PIX.

I might have a hub somewhere.

So when I use wireshark, I just capture the traffic from the laptop connected to the switch?

If you can explain this in more detail, that would be great.

Thanks

Hi Andy,

If you use a hub, any packet that enters the hub from the PIX wire is sent to both the internet wire and the PC wire.

Similarly, traffic coming from the internet wire will be sent to both the PIX wire and the PC wire.

The PC, when it has Wireshark running on it, would be able to see these packets, and you would be able to analyze the capture to see what traffic is present.

However, I wouldn't recommend having this as a permanent or long-term setup, but just for periodic logging.

I hope this helps. Feel free to post any further queries you may have.

-Shrikant

PS: Please mark the question resolved, if you feel it has been answered. Do rate helpful posts.

Shrikant, thanks again for the help, I really appreciate it.

So if I have a managed switch, all I need is to mirror the port (#1) that is connected to the PIX to another port (#2) and have a laptop running Wireshark connected to the mirrored port (#2), right?

This will give me all the packets sent from the LAN to the firewall and then from the firewall to the internet, right?

Thanks
