10-26-2012 01:06 AM - edited 03-11-2019 05:14 PM
Hi Security Experts,
Is there a way we can find out on which ports the Cisco ASA is allowing/dropping connections between two hosts (each host on a different interface of the firewall)? I am interested in finding out which requests come from one host (destined towards the other) and on which ports. What did the ASA allow and what did it drop? Is there some easy way to do this? I think we can do it using an ACL, but I don't want to go down that path.
Please let me know if there is some better way to do this.
Thanks,
Kashish
10-26-2012 01:09 AM
You can use the packet-tracer command to find out which ports are enabled/disabled.
10-26-2012 01:12 AM
That is not very scalable, and I don't want to run packet-tracer for a whole bunch of ports.
Is there any other better way?
10-26-2012 03:42 AM
Capture through the ASA is the only method you can go for to meet your detailed and specific requirement.
Syntax would be (angle-bracketed values are placeholders for your own addresses and interface names):
access-list capture1 extended permit ip host <source-ip> host <destination-ip>
access-list capture2 extended permit ip host <destination-ip> host <source-ip>
capture capi1 access-list capture1 interface <ingress-interface>   (interface on which the traffic enters)
capture capi2 access-list capture2 interface <egress-interface>    (interface from which the traffic leaves)
Please rate this if you find it helpful !!
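As an added worked example (not code from the thread or from Cisco), the following Python script compares the output of `show capture` for the ingress and egress captures described above: ports that appear in the ingress capture but never in the egress capture were dropped by the ASA. It assumes both captures record the same source-to-destination packets, that no NAT rewrites the addresses between the two interfaces, and that the capture display has the usual `N: time src.port > dst.port: ...` shape; the sample capture lines are constructed.

```python
import re
from typing import Dict, Set, Tuple

# One TCP/UDP line of `show capture <name>` output, e.g.
#   1: 10:15:03.101010 10.1.1.10.49152 > 10.2.2.20.443: S 1:1(0) win 8192
# Assumed display format; verify against your own ASA output.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                                  # packet number, timestamp
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"  # source ip.port
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

Flow = Tuple[str, str, int]  # (proto, dst_ip, dst_port)


def parse_capture(text: str, src: str, dst: str) -> Set[Flow]:
    """Return the set of (proto, dst_ip, dst_port) seen going from src to dst."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != src or m["dst"] != dst:
            continue  # other direction, other hosts, or a non-TCP/UDP line
        proto = "udp" if m["rest"].startswith("udp") else "tcp"
        flows.add((proto, m["dst"], int(m["dport"])))
    return flows


def compare_captures(ingress: str, egress: str, src: str, dst: str) -> Dict[str, Set[Flow]]:
    """Flows seen entering the ASA but never leaving it were dropped (assuming no NAT)."""
    seen_in = parse_capture(ingress, src, dst)
    seen_out = parse_capture(egress, src, dst)
    return {"allowed": seen_in & seen_out, "dropped": seen_in - seen_out}


# Constructed sample output of `show capture capi1` (ingress) and `show capture capi2` (egress).
INGRESS_SAMPLE = """
  1: 10:15:03.101010 10.1.1.10.49152 > 10.2.2.20.443: S 1:1(0) win 8192
  2: 10:15:03.202020 10.1.1.10.49153 > 10.2.2.20.22: S 2:2(0) win 8192
  3: 10:15:03.303030 10.1.1.10.53512 > 10.2.2.20.53: udp 45
  4: 10:15:03.404040 10.1.1.10.49154 > 10.2.2.20.3389: S 3:3(0) win 8192
"""
EGRESS_SAMPLE = """
  1: 10:15:03.101111 10.1.1.10.49152 > 10.2.2.20.443: S 1:1(0) win 8192
  2: 10:15:03.303131 10.1.1.10.53512 > 10.2.2.20.53: udp 45
"""


def sample_report() -> Dict[str, Set[Flow]]:
    return compare_captures(INGRESS_SAMPLE, EGRESS_SAMPLE, "10.1.1.10", "10.2.2.20")


if __name__ == "__main__":
    for verdict, flows in sample_report().items():
        print(verdict, sorted(flows))
```

Paste the real `show capture capi1` / `show capture capi2` output in place of the samples; a port listed under "dropped" is one the ASA (or a NAT you have not accounted for) stopped between the two interfaces.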
10-26-2012 11:34 AM
Why don't you use a scanning tool, like Nmap for example, from the client IP address you want to test to the destination address?
Regards,