capture traffic falling through to permit any any rule

lcaruso
Level 6

Hi,

I'm guessing there isn't a way to do this and hoping someone says I'm wrong. I need a way to capture traffic that falls through to the bottom of a given rule set which has a permit any any at the bottom so I can tell what rules implemented above would catch it.

For example, in converting a two PIX dmz to a single ASA dmz where documentation about rules and servers is non-existent or hard to gather, I simply copied the existing rules. Now, I'm looking at the hits with ASDM and seeing there are only a few rules being hit and everything else is falling through to permit any any which was the original policy. Now, I want to tighten the rule set without breaking anything I don't know about.

If I could capture the traffic hitting the default allow rule, I'd learn everything I need to know. How can I do this?

Thanks.

Accepted Solution

Maykol Rojas
Cisco Employee

Hi,

I think you can do an exact replica of your ACL that is applied on the DMZ, but instead of permit just put denies... and then leave the permit any any; those denies should exclude the traffic to be captured, and then you will see what is being hit by the permit ip any any.

Hope this helps.

Mike

5 Replies


Hi,

Putting deny disrupts traffic, so this can be bad...

I recommend, at the line where the allow any any is, to start logging what passes:

i.e.: access-list example line 9 extended permit ip x.x.x.x 255.255.255.0 any log 4 interval 300

Then you see in your syslog server which box is trying to communicate, where, and on which port.

You can, based on that, make permit rules, and after a week or two there should be no traffic hitting this rule; then you can set it to deny and switch logging off.

HTH

Pavel
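Pavel's approach produces %ASA-4-106100 syslog messages for every flow that reaches the logged permit any any line. The script below, added here as an example and not something posted in the thread, aggregates those messages per (protocol, source, destination, port) and prints candidate explicit ACEs to insert above the catch-all; the syslog lines are constructed samples using documentation-style addresses, and the ACL name "example" is taken from Pavel's command.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the %ASA-4-106100 format that an ACE
# configured with "log 4" emits. Addresses and hit counts are made up.
SAMPLE_SYSLOG = [
    "%ASA-4-106100: access-list example permitted tcp dmz/10.20.0.15(51234) -> inside/10.1.1.5(1433) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-4-106100: access-list example permitted tcp dmz/10.20.0.15(51240) -> inside/10.1.1.5(1433) hit-cnt 17 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-4-106100: access-list example permitted udp dmz/10.20.0.22(40123) -> inside/10.1.1.10(53) hit-cnt 42 300-second interval [0x5e6f7a8b, 0x0]",
    "%ASA-4-106100: access-list example permitted tcp dmz/10.20.0.22(40500) -> inside/10.1.1.5(1433) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-4-106100: access-list other permitted tcp dmz/10.20.0.99(2000) -> inside/10.1.1.99(22) hit-cnt 1 first hit [0x99999999, 0x0]",
]

# Fields of a 106100 message: ACL name, action, protocol, src iface/addr(port),
# dst iface/addr(port) and the hit count for this interval.
LINE_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def summarize_flows(lines, acl_name):
    """Sum permitted hits on acl_name per (proto, src, dst, dport)."""
    flows = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["acl"] != acl_name or m["action"] != "permitted":
            continue  # other ACLs or denied/est-allowed entries are not of interest
        key = (m["proto"], m["src"], m["dst"], int(m["dport"]))
        flows[key] += int(m["hits"])
    return dict(flows)


def candidate_aces(flows, acl_name):
    """Explicit host-to-host ACEs for each observed flow, busiest first."""
    aces = []
    for (proto, src, dst, dport), _hits in sorted(flows.items(), key=lambda kv: -kv[1]):
        port = f" eq {dport}" if proto in ("tcp", "udp") else ""  # icmp etc. have no port
        aces.append(f"access-list {acl_name} extended permit {proto} host {src} host {dst}{port}")
    return aces


if __name__ == "__main__":
    observed = summarize_flows(SAMPLE_SYSLOG, "example")
    for ace in candidate_aces(observed, "example"):
        print(ace)
```

The generated ACEs are one host and one port each; collapse them into object-groups or subnets by hand before inserting them above the logged line, then watch whether the catch-all still fires.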

Hi Pavel,

Why would it disrupt traffic if it is only for packet capturing?

Mike

Hi,

I don't know if I understand well, but in your post: "but instead of permit just put denies... and then leave the permit any any"

This will first disrupt traffic, or not?

Maybe I understand this badly, so please explain your thoughts...

BR

Pavel

Hi Mike,

Thanks for your reply. I like your idea and will give that a try. Appreciate it.

Larry
