12-10-2012 01:20 PM - edited 03-11-2019 05:35 PM
Hello all. I recently upgraded my 5520 to 9.0.1 IOS. Today I tried to apply a capture to my inside interface referencing a simple ACL and I get this error.
ERROR: Capture doesn't support access-list <capin> containing mixed policies
I also created a capture for the outside interface with a similar ACL and it worked just fine. I can't seem to find anything on the web that gives me a clue to resolving the error above. Any help would be appreciated.
12-10-2012 02:29 PM
Hi,
Can you share the capture configuration for the capture that is not working
- Jouni
12-10-2012 03:04 PM
Sure. Here is the ACL:
access-list capin extended permit ip host 10.7.1.175 any
access-list capin extended permit ip host 10.7.1.176 any
access-list capin extended permit ip any host 10.7.1.176
access-list capin extended permit ip any host 10.7.1.175
Here is the capture config I'm trying to enter, with the error:
FW01# capture capin access-list capin interface Inside
ERROR: Capture doesn't support access-list
FW01#
I've even tried to reduce the lines in the ACL to a single ACE. No joy.
12-11-2012 04:31 AM
I can assume that this means that you should put in the capture ACL only lines indicating one direction of traffic, so the ASA will automatically capture the reply packets based on that. In your case it is probably worth just leaving the first two entries.
Plus, you can use capture without using ACLs at all:
ASA(config)# capture CAPTURE match ip host 10.7.1.175 any
ASA(config)# capture CAPTURE match ip host 10.7.1.176 any
It'll capture traffic in both directions.
12-11-2012 04:57 AM
I found out late last night from TAC that the error I posted is because the ANY keyword is referencing ipv4 and ipv6. The ACL syntax should read ANY4 to specify ipv4 only in my case. I'll test this later today. Thanks Andrew. You are correct but your post didn't explain why I was receiving the error I was getting.
12-11-2012 11:38 AM
Ran into this exact issue, and switching to ANY4 resolved it.
Thanks for posting!
03-30-2013 04:08 AM
Had the same problem! Solved using any4 rather than any.
thx!
03-30-2013 12:54 PM
Hello all,
Let me explain the behavior you are seeing:
As you might know, after 7.0(1) the ASA supports IPv6 addresses on its interfaces, so what happens if we want to filter IPv6 traffic with ACLs?
Well, we need to create an ACL with the ipv6 keyword at the beginning, such as:
ipv6 access-list Inside_Out permit tcp any host 2001:AAAA::2 eq 80
This means that we had to apply two access-groups on an interface if it has both IPv4 and IPv6 addresses and we want to filter traffic.
But here comes the change:
After 9.0(1) the ACL structure supports IPv6 (hexadecimal notation) and IPv4 (decimal notation) in the same ACL, so we can still use just one ACL and just one access-group. Pretty cool, ah?
So that is why we need to specify in the ACL whether we are going to permit all IPv4 and IPv6 traffic (any), just IPv6 traffic (any6), or just IPv4 traffic (any4).
Now, regarding captures: if we use an ACL we must set any4 or any6. Captures after version 9.0(1) do not support the use of any, as it will match both IPv4 and IPv6 at the same time, and that is not supported YET.
I am thinking about providing a seminar regarding IPv6 and the ASA, but I am just waiting for the technology to keep growing and growing so we can have more people attending.
Anyway, if anyone else has any question or doubt, just let me know.
Hope that I could explain this a little better so you guys have this clear now.
If any of you do not have any questions please mark it as answered, and remember to rate all of the helpful posts (including this one, lol).
Regards
Julio Carvajal
Advanced Security Trainer
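As an added example (not from this thread, and not Cisco code), a small Python checker for the rule Julio describes: it parses extended ACEs in the subset of ASA syntax used in this thread (host X, network mask, IPv6 prefix, any/any4/any6, optional port qualifiers) and flags every ACE that a 9.0(1)+ capture would reject for spanning both address families, suggesting the any4/any6 rewrite when the other endpoint determines the family. The sample ACL is the one posted above.

```python
import ipaddress

def _operand(tokens, i):
    """Address family (4, 6, or None for a bare 'any') and tokens consumed at tokens[i]."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return {"any": None, "any4": 4, "any6": 6}[t], 1
    if t == "host":
        return ipaddress.ip_address(tokens[i + 1]).version, 2
    if ":" in t:                       # IPv6 prefix such as 2001:db8::/32
        return 6, 1
    return 4, 2                        # IPv4 network followed by its mask

def _skip_ports(tokens, i):
    """Step over an optional port qualifier: eq/neq/lt/gt PORT, or range LOW HIGH."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "lt", "gt", "range"):
        return i + (3 if tokens[i] == "range" else 2)
    return i

def check_capture_ace(ace):
    """Validate one extended ACE for 'capture ... access-list' on ASA 9.0(1)+.
    Returns (ok, suggestion): ok is False when the ACE spans both address families
    (the 'mixed policies' error); suggestion rewrites a bare 'any' to any4/any6."""
    tokens = ace.split()
    action = next(k for k in ("permit", "deny") if k in tokens)
    src_pos = tokens.index(action) + 2            # skip action and protocol
    src, n = _operand(tokens, src_pos)
    dst_pos = _skip_ports(tokens, src_pos + n)
    dst, _ = _operand(tokens, dst_pos)
    if src is not None and dst is not None:       # both sides explicit
        return src == dst, (ace if src == dst else None)
    if src is None and dst is None:               # 'any any': family unknown, no fix
        return False, None
    fam = src if src is not None else dst
    fixed = tokens[:]
    fixed[src_pos if src is None else dst_pos] = f"any{fam}"
    return False, " ".join(fixed)

def lint_capture_acl(lines):
    """Return [(ace, suggestion)] for every ACE the capture command would reject."""
    checked = [(ace, check_capture_ace(ace)) for ace in lines]
    return [(ace, fix) for ace, (ok, fix) in checked if not ok]

# Constructed sample: the ACL from the thread that 'capture capin access-list capin' rejected.
CAPIN = [
    "access-list capin extended permit ip host 10.7.1.175 any",
    "access-list capin extended permit ip host 10.7.1.176 any",
    "access-list capin extended permit ip any host 10.7.1.176",
    "access-list capin extended permit ip any host 10.7.1.175",
]
```

Running lint_capture_acl(CAPIN) returns all four ACEs with any rewritten to any4, matching the fix TAC gave; an ACE written any any is reported as rejected with no suggestion, because neither endpoint tells you which family was meant.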
09-20-2013 02:56 PM
Hi security gurus,
I ran into the same issue and corrected it using any4.
configure mode commands/options:
  A.B.C.D             Source IP address
  X:X:X:X::X/<0-128>  Source IPv6 address/prefix
  any                 Abbreviation for source address/mask of 0.0.0.0/0.0.0.0 OR source prefix ::/0
  any4                Abbreviation of source address and mask of 0.0.0.0 0.0.0.0
  any6                Abbreviation for source prefix ::/0
As Julio Carvajal said, we cannot mix them, as the ASA needs to know whether to check IPv4 or IPv6.
02-10-2014 12:53 PM
Per Cisco:
After release 9.0(1) and higher the ACL structure supports IPv6 (hexadecimal notation) and IPv4 (decimal notation) in the same ACL. Regarding captures, if we use an ACL we must set the any4 or any6 keyword. Captures after version 9.0(1) do not support the use of any, as it will match both IPv4 and IPv6 at the same time, and that is not supported as of yet.
New capture examples:
-----------------------------------------------------------------------------------
<< Inside Interface >>
access-list 191 line 1 extended permit tcp host xxx.xxx.xxx.xxx any4
access-list 191 line 1 extended permit tcp any4 host xxx.xxx.xxx.xxx
capture capin access-list 191 interface inside packet-length 1513
capture capin
capture capin type raw-data
-----------------------------------------------------------------------------------
<< Outside Interface >>
access-list 192 line 1 extended permit tcp host xxx.xxx.xxx.xxx any4
access-list 192 line 1 extended permit tcp any4 host xxx.xxx.xxx.xxx
capture capout access-list 192 interface outside packet-length 1513
capture capout
capture capout type raw-data
-----------------------------------------------------------------------------------