PIX Port Monitoring

mo shea
Level 1

Hi....

We have an application installed on a server in our LAN and need to connect to another server over WAN through the local PIX (525). Is it possible to know from the firewall log information sent to a syslog server which ports this application is trying to open, since most of the ports are closed according to our policy and we do not know exactly which ports to open for this application?

Are there any other ways to do that?

Thanks

3 Replies

nkhawaja
Cisco Employee

The best is to use the capture command and capture traffic on the inside interface, then open up the capture in Ethereal.

Capture packets between host A & B traversing across both the inside and outside interfaces

Step #1 - Packet capture traversing the inside interface

access-list capture_in permit host A host B

access-list capture_in permit host B host A

capture inside access-list capture_in buffer 2000000 interface inside packet-length 1500

(This capture command will capture packets 1500 bytes or less in size with a maximum file size of 2 Mb)

Step #2 - Packet capture traversing the outside interface

access-list capture_out permit host A host B

access-list capture_out permit host B host A

capture outside access-list capture_out buffer 2000000 interface outside packet-length 1500

Two Methods for Retrieving the packet capture from the PIX

Option #1 - Retrieve the pcap format file from the Pix by browsing to the PIX.

Step #1 - If http services are not on then issue the "setup" command and run through the prompts.

Step #2 - Next open a browser and then https:///capture/

(example - https://172.16.171.49/capture/inside/pcap)

Option #2 - Send a pcap format file from the PIX to a tftp server.

Step #1 - Start the tftp application and set the TFTP root directory where the file will be sent.

Step #2 - next issue the following command on the PIX "copy capture: tftp:///temp pcap"

(example - copy capture:inside tftp://172.16.89.8/temp pcap)

(example - copy capture:outside tftp://172.16.89.8/temp pcap)

Viewing the capture buffer on the PIX

If the capture_name is specified, then it displays the capture buffer contents for that capture.

Issue "show capture " to see the capture buffer

Reset and Remove the capture command

To clear the capture buffer enter the following clear capture command

clear capture inside

clear capture outside
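Once the pcap has been pulled off the PIX, the question from the original post (which ports is the application actually trying to reach?) can be answered without clicking through every packet in Ethereal. The script below is an added example, not part of this thread or any Cisco tool: it is a small dependency-free pcap reader that tallies the destination ports one host tries to reach, with a constructed in-memory capture standing in for the file served from the PIX. HOST_A and HOST_B are hypothetical addresses, and the sample frames are built by the script itself.

```python
import struct
from collections import Counter

# Hypothetical endpoints: the LAN application server (A) and the WAN server (B).
HOST_A = "10.1.1.20"
HOST_B = "192.0.2.50"

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, written host-endian
LINKTYPE_ETHERNET = 1        # what the PIX capture hands out


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ip_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header around a transport payload (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + payload


def build_tcp_syn(src, dst, sport, dport):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return build_ip_frame(src, dst, 6, tcp)


def build_udp(src, dst, sport, dport):
    return build_ip_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8, 0))


def build_pcap(frames):
    """Serialize frames into a little-endian pcap file image (constructed test data)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src_ip, dst_ip, proto, sport, dport) for every TCP/UDP-over-IPv4 frame."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"   # byte-swapped magic means big-endian writer
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet link-layer captures")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                       # not IPv4, skip
        ihl = (frame[14] & 0x0F) * 4       # IP header length honours options
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = 14 + ihl
        if proto in (6, 17) and len(frame) >= l4 + 4:
            sport, dport = struct.unpack_from("!HH", frame, l4)
            yield src, dst, proto, sport, dport


def destination_ports(data, src_host):
    """Count destination (proto, port) pairs that src_host sent packets to."""
    counts = Counter()
    for src, dst, proto, sport, dport in parse_pcap(data):
        if src == src_host:
            counts[("tcp" if proto == 6 else "udp", dport)] += 1
    return counts


# Constructed capture: A retries 445/tcp, tries 1433/tcp once, sends one DNS query; B answers once.
SAMPLE_PCAP = build_pcap([
    build_tcp_syn(HOST_A, HOST_B, 49152, 445),
    build_tcp_syn(HOST_B, HOST_A, 445, 49152),
    build_tcp_syn(HOST_A, HOST_B, 49153, 445),
    build_tcp_syn(HOST_A, HOST_B, 49154, 1433),
    build_udp(HOST_A, HOST_B, 49155, 53),
])

if __name__ == "__main__":
    for (proto, port), n in sorted(destination_ports(SAMPLE_PCAP, HOST_A).items()):
        print(f"{proto}/{port}: {n} packet(s)")
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of the file retrieved via `https://<pix>/capture/inside/pcap` or the tftp copy. Filtering on the source host matters: a capture taken with the access-list above contains both directions, and counting B's replies as "ports A wants" would put ephemeral client ports on the list of things to open.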

Hi...

Thanks for the reply

I have two more questions. Is an access-group statement required for the ACLs in the above config?

Is there a possibility to get a rough idea from syslog messages regarding ports the application is trying to open, or would only a capture do it?

Thanks again

Hi,

"capture outside access-list capture_out buffer 2000000 interface outside packet-length 1500" is the command that applies the access list to the capture buffer so you don't need to use the access-group statement.

Yes, you should be able to see which ports are being permitted and denied from the syslog, although I would recommend using an external syslog server to do this; otherwise it can be quite difficult to achieve this on a PIX with a lot of traffic passing through.

HTH

PJD
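As PJD says, the syslog route works best when the messages land on an external server where they can be filtered. The script below is an added example, not from this thread: it pulls the source, destination, protocol and destination port out of deny and connection-built messages and reports, per port, how often the application's host was denied or permitted. The sample lines are constructed for the example and only loosely follow the PIX 106023 (denied by access-list) and 302013 (connection built) message layouts; the host addresses, interface names and ACL name are made up, and the assumption that in a "Built outbound" message the "for" endpoint is the destination and the "to" endpoint is the source is noted in the code.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real PIX output); layout loosely follows
# the 106023 and 302013 message formats. Addresses and names are made up.
SAMPLE_SYSLOG = """\
Jan 10 2004 10:15:23 pix-fw %PIX-4-106023: Deny tcp src inside:10.1.1.20/49152 dst outside:192.0.2.50/445 by access-group "inside_access_in"
Jan 10 2004 10:15:24 pix-fw %PIX-4-106023: Deny tcp src inside:10.1.1.20/49153 dst outside:192.0.2.50/445 by access-group "inside_access_in"
Jan 10 2004 10:15:24 pix-fw %PIX-4-106023: Deny udp src inside:10.1.1.20/49154 dst outside:192.0.2.50/1434 by access-group "inside_access_in"
Jan 10 2004 10:15:25 pix-fw %PIX-6-302013: Built outbound TCP connection 1001 for outside:192.0.2.50/443 (192.0.2.50/443) to inside:10.1.1.20/49155 (203.0.113.5/1025)
Jan 10 2004 10:15:26 pix-fw %PIX-4-106023: Deny tcp src inside:10.1.1.77/3000 dst outside:198.51.100.9/22 by access-group "inside_access_in"
"""

# Denied-by-ACL message: src <iface>:<ip>/<port> dst <iface>:<ip>/<port>
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) src \S+?:(?P<src>[\d.]+)/\d+ "
    r"dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)")

# Connection-built message. Assumption: for an *outbound* connection the "for"
# endpoint is the remote destination and the "to" endpoint is the inside source.
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built outbound (?P<proto>TCP|UDP) connection \d+ "
    r"for \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\) to \S+?:(?P<src>[\d.]+)/\d+")


def parse_line(line):
    """Return (src, dst, proto, dport, outcome) for a deny/built message, else None."""
    m = DENY_RE.search(line)
    if m:
        return m["src"], m["dst"], m["proto"], int(m["dport"]), "denied"
    m = BUILT_RE.search(line)
    if m:
        return m["src"], m["dst"], m["proto"].lower(), int(m["dport"]), "permitted"
    return None


def port_summary(text, src_host, dst_host=None):
    """Per (proto, dport): how many times src_host was denied or permitted.

    dst_host narrows the view to the one WAN server of interest, which keeps a
    busy firewall's noise out of the result."""
    summary = defaultdict(lambda: {"denied": 0, "permitted": 0})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport, outcome = parsed
        if src != src_host or (dst_host is not None and dst != dst_host):
            continue
        summary[(proto, dport)][outcome] += 1
    return dict(summary)


if __name__ == "__main__":
    for (proto, port), counts in sorted(port_summary(SAMPLE_SYSLOG, "10.1.1.20", "192.0.2.50").items()):
        print(f"{proto}/{port}: denied={counts['denied']} permitted={counts['permitted']}")
```

Run against a day's worth of logs from the external syslog server, the "denied" column is the candidate list of ports the application needs, and the "permitted" column confirms which of its flows already get through. Deny messages are only generated when logging is enabled on the PIX at a level that includes them, so an empty result can mean the logging level is too low rather than that nothing was blocked.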
