Solved: Cisco ASA packet capture

vsurresh · ‎02-22-2021

Hello.

Is there a way to capture traffic sourced from the ASA itself? For example, how can I capture ICMP unreachable message being sent from the ASA to the Internet?

ASA-------OUTISDE-INTERFACE---------INTERNET

Which ingress interface should I choose while setting up the capture?

EDIT - I tried the below but it didn't work

asa#capture test match icmp any host 93.184.216.34

asat# ping 93.184.216.34
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 93.184.216.34, timeout is 2 seconds:
!!!!!

asat# show capture
capture testtype raw-data [Capturing - 0 bytes]
match icmp any host 93.184.216.34

Thanks

Sheraz.Salim · ‎02-22-2021

Is there a way to capture traffic sourced from the ASA itself? For example, how can I capture ICMP unreachable message being sent from the ASA to the Internet?

ASA-------OUTISDE-INTERFACE---------INTERNET

Which ingress interface should I choose while setting up the capture?

caputer ASP type asp-drop

!

show capture ASP

!

show asp drop

!

capture ICMP interface outside match icmp host x.x.x.x.x any (Where x.x.x.x is your public outside ip address).

!

capture ICMP interface outside match icmp host x.x.x.x.x any  (Where x.x.x.x is your public outside ip address).

74: 14:25:54.551241       81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable
  75: 14:25:54.551347       81.201.117.83 > mypublicip icmp: net 3.3.3.2 unreachable
  76: 14:25:54.555757       81.201.117.83 > mypublicip icmp: net 3.3.3.20 unreachable
  77: 14:25:54.555909       81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable
  78: 14:25:54.559541       81.201.117.87 > mypublicip icmp: net 3.3.3.2 unreachable
  79: 14:25:54.559617       81.201.117.83 > mypublicip icmp: net 3.3.3.20 unreachable
  80: 14:25:54.566407       81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable

please do not forget to rate.

View solution in original post

Sheraz.Salim · ‎02-22-2021

Is there a way to capture traffic sourced from the ASA itself? For example, how can I capture ICMP unreachable message being sent from the ASA to the Internet?

ASA-------OUTISDE-INTERFACE---------INTERNET

Which ingress interface should I choose while setting up the capture?

caputer ASP type asp-drop

!

show capture ASP

!

show asp drop

!

capture ICMP interface outside match icmp host x.x.x.x.x any (Where x.x.x.x is your public outside ip address).

!

capture ICMP interface outside match icmp host x.x.x.x.x any  (Where x.x.x.x is your public outside ip address).

74: 14:25:54.551241       81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable
  75: 14:25:54.551347       81.201.117.83 > mypublicip icmp: net 3.3.3.2 unreachable
  76: 14:25:54.555757       81.201.117.83 > mypublicip icmp: net 3.3.3.20 unreachable
  77: 14:25:54.555909       81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable
  78: 14:25:54.559541       81.201.117.87 > mypublicip icmp: net 3.3.3.2 unreachable
  79: 14:25:54.559617       81.201.117.83 > mypublicip icmp: net 3.3.3.20 unreachable
  80: 14:25:54.566407       81.201.117.87 > mypublicip icmp: net 3.3.3.10 unreachable

please do not forget to rate.

vsurresh · ‎02-22-2021

That worked, thank you