12-21-2020 05:27 AM
Dear all
I have a short question for you guys. When I run a capture on the outside (Internet) interface of an ASA-5545 (the ASA has the SFR module installed and acts as an NGFW) with the following command:
capture capin interface outside match ip host 100.100.100.100 any
And then check this capture with the command:
show capture capin dump
Are the details I see now how this data really enters the interface? Without any applied Service Policy Rules, without any applied ACLs and before the Firepower module would take any actions? Meaning, when I see a certain flag in the dump within the protocol, can I assume this flag has been sent by the source IP address and has not been changed by my ASA firewall within a policy?
Of course you have a good article which describes this behavior, where the capture applies to?
Thank you
Markus
12-21-2020 07:00 AM
Check the blog below; it will give you some idea of which interface is used to capture:
https://popravak.wordpress.com/2017/03/17/packet-capture-with-sourcefire-cli/
12-21-2020 07:40 AM
Hi Balaji
Thank you for this link. Helpful troubleshooting steps when logging on the SFR module! This is what I can do, check the logging there and compare it with the capture from the ASA.
Never mind, do you know if the ASA capture is really on the ingress of the interface, therefore before the SFR module comes in charge? That the ASA capture gets the raw data before anything within the ASA has been handled?
Thanks
Markus
12-21-2020 08:13 AM - edited 12-21-2020 08:13 AM
You need to understand the traffic flow, how this process works, and where you are capturing.
https://www.ciscopress.com/articles/article.asp?p=2730336&seqNum=7
12-21-2020 09:11 PM
Great diagram, thanks Balaji for this post. This is what I looked for. Together with Marvin's answer below, this answers my question.
Thank you
Markus
12-21-2020 07:52 PM
An ASA capture on an interface does indeed show you the raw traffic entering the interface, prior to any action potentially taken by the ASA to evaluate the flow or disposition of the packet(s).