Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14907
Views
0
Helpful
5
Replies

Packet Capture command on cisco ASA

sambillings459
Level 1
Level 1

‎08-14-2017 05:51 AM - edited ‎03-12-2019 02:49 AM

Hello Experts,

Can you guys please explain me..what is the best way to put the packet capture command on Cisco ASA.

1.When the traffic is going from inside to outside (which interface would be the best to capture the traffic)..?

2.When the traffic is going coming from outside to inside(which interface would be the best to capture the traffic)..?

The only reason I'm getting confused is because we do have NAT configuration on ASA sometimes and this makes me scratch my head.

I would really appreciate if you guys can please explain me this.

Thanks

Sam

Labels:
0 Helpful
5 Replies 5

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎08-14-2017 07:01 AM

Hi Sam,

When traffic is outbound that is from inside:

packet-tracer input inside icmp <ip of inside host> 8 0 <ip of the outside host> detailed

When traffic is inbound :

packet-tracer input outside tcp <any host from the outside> <random TCP Port> <mapped IP/NAT-IP> <port> detailed

packet-tracer input outside tcp 4.2.2.2 7878 2.2.2.2 443 detailed

So in the destination, you would typically use a NAT IP rather than the real IP.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

sambillings459
Level 1
Level 1
In response to Aditya Ganjoo

‎08-14-2017 09:07 AM

Hi Aditya,

Thank you for replying...

Actually I'm looking for packet capture command for e.g.

capture cap-in match tcp host 1.1.1.1 host 2.2.2.2 eq  80

Thanks

Sam

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sambillings459

‎08-14-2017 09:20 AM

Hi Sam,

My bad :)

If you need the packet capture for outbound traffic and inbound traffic you need to capture in both the directions:

Ingress capture:

capture capin interface inside match ip host <> host <>

This match statement is bi-directional.

In case there is NAT then you need to make a slight change.

Let's say you have a dynamic NAT for internet access for inside users and traffic is not working:

Something like this:

object-network obj-10.0.0.0

subnet 10.0.0.0 255.255.255.0

nat (inside,outside) dynamic 1.1.1.1

capture cap interface inside match tcp host 10.0.0.1 host 4.2.2.2 eq 80

capture capo interface outside match tcp host 1.1.1.1 host 4.2.2.2 eq 80

This would capture the traffic on both the interfaces and you would know in which direction the traffic is working or not.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

sambillings459
Level 1
Level 1
In response to Aditya Ganjoo

‎08-14-2017 10:08 AM

Hi Aditya,

Thank you for replying.. really appreciate your effort 

can you please give me some good links to documents which would help me in understanding these things.

Thanks again

Thanks

Sam

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sambillings459

‎08-14-2017 09:17 PM

Hi Sam,

Here are some links:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

https://www.tunnelsup.com/packet-captures-on-cisco-asa/

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card