I'm trying to help a small non profit company with an issue they are having.
They have an old cisco pix 501 firewall. I can access it via the device manager interface from my browser.
What they want is to be able to get all the traffic from the firewall to the internet and vis versa. They want to know the originating nat IP address and the destination from the inside interface.
I looked at the console and I can't find away to capture any traffic from either interface.
Can someone point me to the right direction?
If you have command line access to the device, you can perform a capture in the following way (v 6.2 and above)
access-list acl1 permit tcp any eq http any
access-list acl1 permit tcp any any eq http
capture caphttp access-list acl1 packet-length 74 interface outside buffer
This will help capture the first 74 bytes of each packet that is either destined to port 80 or a reply from port 80.
"show capture caphttp" will display the packet headers captured.
However, there will be a lot of web-traffic and the buffer (by default 512 kb) might get overrun really fast.
I hope this helps.
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.
The capture process does not generally consume a lot of cpu. It only uses up some of the memory being used to store the capture.
This capture can be downloaded from the buffer to a file.
But i think the only way to capture all files continuously would be to have a setup like this: (slightly complicated option)
Internet ------------- Switch/Hub --------------- PIX -------------- Inside
And connect a computer to the switch/hub and run wireshark or a similar packet sniffing tool on it.
If it is a switch, then you would have to span the port connected to the PIX. A Hub would always broadcast and thus traffic would be seen on the computer as well.
Please let me know if this helps.
Thank you again, I really appreciate it.
I don't have any managed switched to SPAN the port of the pix.
I might have a hub somewhere.
So when I use wireshark, I just capture the traffic from the laptop connected to the switch?
If you can explain this in more detail, that would be great.
If you use a hub, any packet that enters the hub from the PIX wire, is sent to both the internet wire and the PC wire.
Similarly, traffic coming from the internet wire, will be sent to both the PIX wire and the PC wire.
The PC, when it has wireshark running on it, would be able to see these packets, and you would be able to analyze the capture to see what traffic is present.
However, I wouldn't recommend having this as a permanent or long-term setup, but just for periodic logging.
I hope this helps. Feel free to post any further queries you may have.
PS: Please mark the question resolved, if you feel it has been answered. Do rate helpful posts.
Shrikant, thanks again for the help, I really appreciate it.
So if I have a managed switch, all I need is to mirror the port (#1) that is connected to the pix to another port (#2) and have a laptop running wireshark connected to the mirrored port (# 2), right?
This will give me all the packets sent from the LAN to the firewall and then from the firewall to the internet. right?