Capture SSH management traffic

Florin Barhala
Level 6

Hi guys,

I have one ASA 5505 running 8.4(2) with two interfaces:

5505# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
Vlan2                    outside                80.82.x.y    255.255.255.252 CONFIG
Vlan600                  inside                 172.16.3.82     255.255.255.248 CONFIG


I setup the following captures:

5505# show capture
capture cap1 type raw-data access-list capture1 interface inside [Capturing - 0 bytes] 
capture cap2 type raw-data access-list capture2 interface inside [Buffer Full - 523244 bytes] 
5505# sa capture1
access-list capture1; 2 elements; name hash: 0xb807b4ac
access-list capture1 line 1 extended permit tcp host 172.16.3.82 eq ssh any (hitcnt=0) 0xa74cb20f 
access-list capture1 line 2 extended permit tcp any host 172.16.3.82 eq ssh (hitcnt=0) 0xf1cc97fd 
5505# sa capture2
access-list capture2; 2 elements; name hash: 0xdd27d678
access-list capture2 line 1 extended permit tcp any any eq ssh (hitcnt=30281) 0x0bd72029 
access-list capture2 line 2 extended permit tcp any eq ssh any (hitcnt=32538) 0xdd9e7e84 


Trouble is I can't see/catch anything on either of the two captures when I SSH to the inside interface from a site-to-site VPN established with another ASA.

5505# show ssh sessions 

SID Client IP       Version Mode Encryption Hmac     State            Username
0   172.17.120.170  2.0     IN   aes256-cbc sha1     SessionStarted   florinb
                            OUT  aes256-cbc sha1     SessionStarted   florinb

5505# show run management-access 
management-access inside


Any suggestion for this issue?


Thanks in advance!


P.S. I configured cap1 on the 2nd ASA (the one that participates in the VPN tunnel) and there I can see traffic passing through the tunnel toward the 5505 ASA:

ASA_VPN_endpoint# show capture cap1

75 packets captured

   1: 15:23:23.821872 172.17.120.170.54313 > 172.16.3.82.22: S 1673956627:1673956627(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   2: 15:23:23.869446 172.16.3.82.22 > 172.17.120.170.54313: S 137067347:137067347(0) ack 1673956628 win 8192 <mss 1380>

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I don't think you would be able to capture anything on the outside interface of the ASA 5505 on which the tunnel is terminating, as this traffic is encrypted.

Also, what did you see in the any-any captures?

Thanks and Regards,

Vibhor Amrodia

Hi mate,

Both captures I attend are on the inside interface.

Ok, so the capture was not working because of the VPN scenario. It is well known that any VPN traffic ends on the outside interface, and the same applies here.

An ASA capture will not work/show anything if the traffic ends on an interface different from the one configured in the command.
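As an added example (not from the thread), here is the post's SSH access-list re-applied as a capture on the outside interface, which is where the thread concludes the tunnelled session ends; the addresses are the ones from the post, the peer ASA's outside address is a placeholder, and the capture and ACL names are assumed:

```cisco
! Added example, not the thread's own configuration.
! Addresses are taken from the post; <PEER-ASA-OUTSIDE-IP> is a placeholder
! for the other tunnel endpoint; cap3/cap4 and the ACL names are assumed.

! 1) ESP envelope only: confirms the tunnel is delivering packets from the peer.
access-list capture-esp extended permit esp host <PEER-ASA-OUTSIDE-IP> host 80.82.x.y
capture cap3 type raw-data access-list capture-esp interface outside

! 2) Same SSH match as capture1 in the post, but bound to the outside
!    interface instead of inside, since the VPN traffic ends there.
access-list capture-ssh extended permit tcp any host 172.16.3.82 eq ssh
access-list capture-ssh extended permit tcp host 172.16.3.82 eq ssh any
capture cap4 type raw-data access-list capture-ssh interface outside

! Open an SSH session through the tunnel, then compare hit counts and buffers.
show access-list capture-ssh
show capture cap4
show capture cap4 detail

! Remove the captures afterwards so the buffers are freed on the 5505.
no capture cap3
no capture cap4
```

If cap4 stays at 0 bytes while cap3 fills, the tunnel is carrying packets but the SSH ACL is not matching on that interface, which is the check to run before revisiting management-access.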

