cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1441
Views
0
Helpful
10
Replies

Cisco ASA 5545x Mirror Traffic to a VM

ExceedingLife
Level 1
Level 1

Hello All,

I currently have a Cisco ASA 5545x with FirePOWER setup and working. Now I am looking at setting up an IDS (Security Onion) and I would like to mirror all of our traffic and send it over to the IDS for analysis.

The thing is... I have no idea how to setup traffic mirroring on this switch.

We have Cisco ASDM to do all the configuration of our switch and firewall. We also have a separate VM with FireSight for all of our policies. 

Any help would be hugely appreciated with this.

10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

what switch is this cisco switch, if so you can SPAN the port as mentioned below :

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads
Hall of Fame
Hall of Fame

The ASA (which is a firewall, not a switch) cannot mirror traffic. You have to configure the upstream or downstream switch to so similar to what @balaji.bandi recommended.

ExceedingLife
Level 1
Level 1

so im not sure what exactly our switch is...

In our server room we have 4 Cisco Catalyst 3750 X switch looking devices.

We have the ASA 5545-x and a cisco 2500 wireless controller

All I know is that if i want to block IPs, create tunnels, and other stuff I use the:

Cisco ASDM-IDM Launcher. it says v1.8 on the login.

But when it starts up I see 7.9(1) for ASA. Is this what you are asking?  I was assuming that somewhere in this is where i would create a span port or mirror port that I can send to a specific VM IP address. I use vmware for my vms.

Thank you for the responses

depends what you looking to sniff inside FW or outside FW traffic, then you need to look where they connected in the switch Catalyst 3750 X 

then use my suggested config (source as your inside or outside) destination (the port sniffer connected)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ExceedingLife
Level 1
Level 1

what would you suggest for an IDS Intrustion detection system. Sniffing traffic inside my network? or outside traffic coming in.

Could you give me a rough overview of the process I will be doing.

I assume I will be looking for a specfic port on the switch and turning that port into a SPAN port. Then I will connect that port to the Server that the VM is on? In VMWare I will have to add that port as a NIC interface to the VM? I guess i dont understand this part and how I would do that with a VM in Vmware. 

Is there a way to do this virtual, setting up traffic so it goes to the vm sending all traffic to an IP or... idk

I'm very interested in learning these networking concepts.

Thank you!

This document explain you SPAN/RSPAN/ERSPAN

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

If devices are connected to the same switch SPAN should work. if another switch to RSPAN work, you like to ship a different plan ERSPAN you need to look.

where is your VM is this ESXI (Physically connected to this switch ), it's worth drawing a small diagram for us to understand?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

johnlloyd_13
Level 9
Level 9

hi,

what traffic do you want to monitor in your IDS? outside/internet or inside/LAN traffic?

is your ASA 5545, IDS and NMS on the same switch? or are these devices on different switches?

note you can sniff/SPAN a specific switch interface or VLAN and also transmit/receive direction.

ExceedingLife
Level 1
Level 1

We have 4 switches, and like 10 servers. I will have to see which server my VM is on. I'm  not 100% sure. I will also see if I can connect the switch I do mirrioring on to the server with the VM.

I want to monitor all internal traffic so if malware is ran on the network or any known viruses we get an alert. Keeping all users internal safe.

Why would an IDS monitor outside internet? j/w for all attacks being ran at our network or??

I am also not sure about my ASA and the switch its cnnected to. What is NMS? We have like 20  vlans and I would like to sniff all of there traffic as its internal.

I'm totally new at this I have never setup and IDS and i know my company could really use one, I cant believe we never had 1 before. We have no knowledge of what is being ran on over 200 machines. We do have an antivirus that does work really good but still an IDS would be must better to visual data.

ExceedingLife
Level 1
Level 1

Thanks for the information so far guys. Now here is another question. I see the ASA has been connecting to my firewall as you guys pointed out. and the ASDM GUI i'm going to guess what is also connecting to the firewall?

How do I connect to one of my 3750-x catalyst switches. How do I find the IP on one of them currently?

ExceedingLife
Level 1
Level 1

So after some fiddling, I was able to finally successfully connect to my switch and the switches connected to it.

So now connecting to my switch I have 1/0/1 - 3/0/24.

I am now not sure which port on this is the Internet coming in that is linked with the other switches or a DC Core Switch. I have a DC Core switch which is what its name is in our server room. It has an ethernet cable that is going back and forth to each of these 3 switches I have linked that I can connect to. How can I figure out what port on the server would be the internet port or the traffic port that all the traffic on the network is going through? 

I want to create a SPAN Port but i'm not sure what the source port would be. How would I figure this part of my equation out?

Review Cisco Networking for a $25 gift card