Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1428
Views
0
Helpful
6
Replies

ASA 5508X - Traffic capture not working on specific port

Infuscomus
Level 1
Level 1

‎09-13-2017 04:35 AM - edited ‎02-21-2020 06:18 AM

I have an ASA5508X with 8 ports.

1/1 is WAN (172.16.0.1 to router)

1/2 is LAN (192.168.1.1 to switch)

1/3 is directly connectd (10.0.01) to a PC I want to use for monitoring traffic (10.0.0.2).

1/1 and 1/2 have complex access lists on them.

On 1/3 I created an ACL to allow all IP traffic from PC

I have tried using the ASDM wizard from the GUI to monitor one of the 2 interfaces. It did not work.

Here is what I did:

- I started the wizard and selected the ingress inside 1/2 interface with 0.0.0.0 as both source and destination (that should be all traffic, correct ?)

- I selected the engress monitoring 1/3 interface with 0.0.0.0 as both source and destination

- I pressed next 2 times until the menu that can start the traffic capture

- I pressed start to capture traffic. Getting capture buffer works.

- On the destination PC I stared wireshark and selected the 10.0.0.2 NIC to capture traffic. Nothing is captured. I see only a few ARP CISCO broadcasts from time to time but no actual traffic is shown.

 

What went wrong ?

 

Labels:
0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-13-2017 04:49 AM

That would only select traffic destined for your PC. Select instead the egress as 1/1 WAN.

 

The ASA will staart capturing traffic and hold it in a local buffer. You can then download that onto your PC and examine it in Wireshark. If you tell your ASDM where to find Wireshark on your PC it will launch automatically for you. The ASDM setting for that is under "Tools > Preferences".

0 Helpful

Infuscomus
Level 1
Level 1
In response to Marvin Rhoads

‎09-13-2017 10:02 PM - edited ‎09-13-2017 10:04 PM

ASDM runs from a different system, not the PC connected directly to the firewall.

The objective is not to capture traffic on the PC running ASDM, but to capture it long-term on the connected to firewall PC. That would mean almost continous flow, not a buffer capture and paste.

Basically, I want an equivalent of port mirroring (I want to mirror WAN interface to Monitoring one), like it can be done on Catalyst swtiches with switchport command. How can I accomplish this on an ASA 5508X ?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Infuscomus

‎09-14-2017 05:26 AM

Sorry but ASAs don't offer a port mirroring / span type of feature.

0 Helpful

Infuscomus
Level 1
Level 1
In response to Marvin Rhoads

‎09-14-2017 09:50 PM

I know it does not support port mirroring like the switches, but is there a way to have real time traffic monitoring ?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Infuscomus

‎09-15-2017 12:10 AM

The closest equivalent feature is the ability to do a packet capture on the ASA itself. However that is intended for occasional troubleshooting use, not for persistent or ongoing redirection of traffic.

 

As far as ongoing monitoring, on the ASA platform either syslog or netflow is intended to serve that purpose.

0 Helpful

Infuscomus
Level 1
Level 1
In response to Marvin Rhoads

‎09-21-2017 12:47 AM

I would of liked a complete capture like a Catalyst switch can do.

Can the syslog be configured to act as close as possible to that ? If so, how ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card