cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1430
Views
0
Helpful
6
Replies

ASA 5508X - Traffic capture not working on specific port

Infuscomus
Level 1
Level 1

I have an ASA5508X with 8 ports.

1/1 is WAN (172.16.0.1 to router)

1/2 is LAN (192.168.1.1 to switch)

1/3 is directly connectd (10.0.01) to a PC I want to use for monitoring traffic (10.0.0.2).

1/1 and 1/2 have complex access lists on them.

On 1/3 I created an ACL to allow all IP traffic from PC

I have tried using the ASDM wizard from the GUI to monitor one of the 2 interfaces. It did not work.

Here is what I did:

- I started the wizard and selected the ingress inside 1/2 interface with 0.0.0.0 as both source and destination (that should be all traffic, correct ?)

- I selected the engress monitoring 1/3 interface with 0.0.0.0 as both source and destination

- I pressed next 2 times until the menu that can start the traffic capture

- I pressed start to capture traffic. Getting capture buffer works.

- On the destination PC I stared wireshark and selected the 10.0.0.2 NIC to capture traffic. Nothing is captured. I see only a few ARP CISCO broadcasts from time to time but no actual traffic is shown.

 

What went wrong ?

 

6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

That would only select traffic destined for your PC. Select instead the egress as 1/1 WAN.

 

The ASA will staart capturing traffic and hold it in a local buffer. You can then download that onto your PC and examine it in Wireshark. If you tell your ASDM where to find Wireshark on your PC it will launch automatically for you. The ASDM setting for that is under "Tools > Preferences".

ASDM runs from a different system, not the PC connected directly to the firewall.

The objective is not to capture traffic on the PC running ASDM, but to capture it long-term on the connected to firewall PC. That would mean almost continous flow, not a buffer capture and paste.

Basically, I want an equivalent of port mirroring (I want to mirror WAN interface to Monitoring one), like it can be done on Catalyst swtiches with switchport command. How can I accomplish this on an ASA 5508X ?

Sorry but ASAs don't offer a port mirroring / span type of feature.

I know it does not support port mirroring like the switches, but is there a way to have real time traffic monitoring ?

The closest equivalent feature is the ability to do a packet capture on the ASA itself. However that is intended for occasional troubleshooting use, not for persistent or ongoing redirection of traffic.

 

As far as ongoing monitoring, on the ASA platform either syslog or netflow is intended to serve that purpose.

I would of liked a complete capture like a Catalyst switch can do.

Can the syslog be configured to act as close as possible to that ? If so, how ?

Review Cisco Networking for a $25 gift card