05-14-2013 06:10 PM - edited 03-11-2019 06:43 PM
Hi Everyone,
I configured packet capture on my ASA for learning purposes only.
Here is the output:
ciscoasa# sh capture CAP detail
14 packets captured
1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6299)
2: 19:00:38.670024 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id 6300)
3: 19:00:38.670421 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 344: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: P [tcp sum ok] 3114444720:3114445006(286) ack 3866590340 win 16560 (DF) (ttl 128, id 6301)
4: 19:00:38.836825 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114445006:3114445006(0) ack 3866590786 win 16448 (DF) (ttl 128, id 6302)
5: 19:00:38.837099 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: F [tcp sum ok] 3114445006:3114445006(0) ack 3866590786 win 16448 (DF) (ttl 128, id 6303)
6: 19:00:38.894591 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: S [tcp sum ok] 2730530586:2730530586(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6304)
7: 19:00:38.900206 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: S [tcp sum ok] 248443417:248443417(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6305)
8: 19:00:39.058834 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: . [tcp sum ok] 2730530587:2730530587(0) ack 1839683549 win 16560 (DF) (ttl 128, id 6306)
9: 19:00:39.059216 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 355: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: P [tcp sum ok] 2730530587:2730530884(297) ack 1839683549 win 16560 (DF) (ttl 128, id 6307)
10: 19:00:39.064846 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: . [tcp sum ok] 248443418:248443418(0) ack 3562924249 win 16560 (DF) (ttl 128, id 6308)
11: 19:00:39.227832 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: . [tcp sum ok] 2730530884:2730530884(0) ack 1839684017 win 16443 (DF) (ttl 128, id 6309)
12: 19:00:39.228305 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3368 > 195.157.47.7.80: F [tcp sum ok] 2730530884:2730530884(0) ack 1839684017 win 16443 (DF) (ttl 128, id 6310)
13: 19:00:44.672130 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: F [tcp sum ok] 248443418:248443418(0) ack 3562924249 win 16560 (DF) (ttl 128, id 6314)
14: 19:00:44.835283 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3369 > 195.157.47.7.80: . [tcp sum ok] 248443419:248443419(0) ack 3562924250 win 16560 (DF) (ttl 128, id 6319)
14 packets shown
ciscoasa#
I need to know which lines show:
syn sent to remote site
syn,ack coming to host
ack going to remote site
Regards
MAhesh
05-15-2013 07:15 AM
I believe the flag letters in front of the "[tcp sum ok]" translate as S=SYN, F=FIN, P=PUSH. The firewall tends to erase URGENT in its default configuration.
-- Jim Leinweber, WI State Lab of Hygiene
09-23-2019 10:52 PM
What does P=Push mean?
05-15-2013 09:25 AM
Mahesh,
The captures you pasted are unidirectional, i.e. the flow captured is only 192.168.52.5 > 195.157.47.7:
The following shows a SYN and then an ACK (no SYN-ACK):
1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192
2: 19:00:38.670024 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id 6300)
Can you paste the commands you added to take captures?
-
Sourav
05-15-2013 12:33 PM
Hi Sourav,
I configured only one command:
access-list CAP permit tcp host 192.168.52.6 host 195.157.47.7 eq 80
Thanks
Mahesh
05-15-2013 01:09 PM
Hi Mahesh,
Add another ACL entry for the reverse flow as well:
access-list CAP permit tcp host 195.157.47.7 eq 80 host 192.168.52.6
Clear the capture data using 'clear capture cap_name'.
Access the server and check captures.
-
Sourav
05-15-2013 04:09 PM
Hi Sourav,
Here is the output of sh capture:
ciscoasa# sh capture CAP
26 packets captured
1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192
2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840
3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560
4: 17:04:58.655056 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: P 3950215982:3950216268(286) ack 588135040 win 16560
5: 17:04:58.820926 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: . ack 3950216268 win 54
6: 17:04:58.821780 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: P 588135040:588135485(445) ack 3950216268 win 54
7: 17:04:58.821826 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: F 588135485:588135485(0) ack 3950216268 win 54
8: 17:04:58.823199 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135486 win 16448
9: 17:04:58.823840 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: F 3950216268:3950216268(0) ack 588135486 win 16448
10: 17:04:58.883667 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: S 3383221129:3383221129(0) win 8192
11: 17:04:58.884063 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: S 2736013711:2736013711(0) win 8192
12: 17:04:58.989618 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: . ack 3950216269 win 54
13: 17:04:59.046826 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: S 762110939:762110939(0) ack 3383221130 win 5840
14: 17:04:59.047208 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: . ack 762110940 win 16560
15: 17:04:59.047467 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: P 3383221130:3383221427(297) ack 762110940 win 16560
16: 17:04:59.050320 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1355: S 443725471:443725471(0) ack 2736013712 win 5840
17: 17:04:59.050671 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: . ack 443725472 win 16560
18: 17:04:59.212772 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: . ack 3383221427 win 54
19: 17:04:59.213673 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: P 762110940:762111407(467) ack 3383221427 win 54
20: 17:04:59.213703 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: F 762111407:762111407(0) ack 3383221427 win 54
21: 17:04:59.214130 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: . ack 762111408 win 16443
22: 17:04:59.214634 802.1Q vlan#1 P0 192.168.52.5.1354 > 195.157.47.7.80: F 3383221427:3383221427(0) ack 762111408 win 16443
23: 17:04:59.379252 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1354: . ack 3383221428 win 54
24: 17:05:04.660366 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: F 2736013712:2736013712(0) ack 443725472 win 16560
25: 17:05:04.825061 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1355: F 443725472:443725472(0) ack 2736013713 win 46
26: 17:05:04.825473 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: . ack 443725473 win 16560
So which one is the SYN-ACK coming from the remote website to the host?
Also, I am blocking a single website; is there any reason that 26 lines of output are generated for this?
Thanks
Mahesh
05-16-2013 05:00 AM
Mahesh,
Here are the syn, syn-ack, ack for this connection:
1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192
2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840
3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560
S stands for SYN. Frame 2 above is the SYN-ACK packet coming from the server to the host.
What do you mean when you say 'i am blocking single website'? How exactly are you trying to block the single website on ASA?
-
Sourav
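As an added illustration of the flag letters Jim describes and the SYN / SYN-ACK / ACK identification Sourav walks through (example code written for this page, not from the thread or from Cisco), here is a small Python parser for `show capture` lines. It only accepts a frame as the SYN-ACK when its ack number equals the SYN's sequence number plus one, and likewise for the final ACK, so the unidirectional capture from the first post comes out as a SYN plus a bare ACK with no SYN-ACK, exactly as Sourav noted.

```python
import re

# Lines copied from the second capture in the thread (frames 1-3 and 11): one complete
# handshake on client port 1353 and a lone SYN on port 1355 whose reply was not captured.
SAMPLE = """\
1: 17:04:58.488698 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: S 3950215981:3950215981(0) win 8192
2: 17:04:58.654369 802.1Q vlan#1 P0 195.157.47.7.80 > 192.168.52.5.1353: S 588135039:588135039(0) ack 3950215982 win 5840
3: 17:04:58.654766 802.1Q vlan#1 P0 192.168.52.5.1353 > 195.157.47.7.80: . ack 588135040 win 16560
11: 17:04:58.884063 802.1Q vlan#1 P0 192.168.52.5.1355 > 195.157.47.7.80: S 2736013711:2736013711(0) win 8192
"""
# Frames 1-2 of the first (one-way, "detail") capture: SYN, then a bare ACK, no SYN-ACK seen.
SAMPLE_ONEWAY = """\
1: 19:00:38.503071 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 70: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: S [tcp sum ok] 3114444719:3114444719(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 128, id 6299)
2: 19:00:38.670024 f0bf.97de.4f48 001d.a24d.ed0e 0x8100 58: 802.1Q vlan#1 P0 192.168.52.5.3367 > 195.157.47.7.80: . [tcp sum ok] 3114444720:3114444720(0) ack 3866590340 win 16560 (DF) (ttl 128, id 6300)
"""

FRAME_RE = re.compile(r"^(\d+):")  # leading frame number
TCP_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)(.*)$")

def classify(flags, has_ack):
    """Flag letter(s) printed after the ports -> TCP name; 'S' with an ack number is the SYN-ACK."""
    if "S" in flags:
        return "SYN-ACK" if has_ack else "SYN"
    return {"F": "FIN", "P": "PSH", "R": "RST"}.get(flags[0], "ACK" if has_ack else "none")

def handshake_frames(text):
    """Map 'client_ip:port' -> (SYN frame, SYN-ACK frame, ACK frame); None where not captured.
    The ack numbers are checked against seq + 1 so a stray ACK is never taken for the handshake."""
    conns = {}
    for line in text.splitlines():
        f, t = FRAME_RE.match(line), TCP_RE.search(line)
        if not (f and t):
            continue
        frame = int(f.group(1))
        src, sport, dst, dport, flags, rest = t.groups()
        seq = re.search(r"(\d+):\d+\(\d+\)", rest)   # "seq:seq(len)" range, absent on bare ACKs
        ack = re.search(r"\back (\d+)", rest)          # \b keeps "sackOK" from matching
        kind = classify(flags, ack is not None)
        if kind == "SYN":
            conns[f"{src}:{sport}"] = [frame, int(seq.group(1)), None, None, None]
        elif kind == "SYN-ACK":
            c = conns.get(f"{dst}:{dport}")
            if c and int(ack.group(1)) == c[1] + 1:
                c[2], c[3] = frame, int(seq.group(1))
        elif kind == "ACK":
            c = conns.get(f"{src}:{sport}")
            if c and c[3] is not None and c[4] is None and int(ack.group(1)) == c[3] + 1:
                c[4] = frame
    return {k: (v[0], v[2], v[4]) for k, v in conns.items()}
```

Run against the capture Mahesh posted, port 1353 yields frames (1, 2, 3) for SYN, SYN-ACK and ACK, while the one-way capture yields (1, None, None) because frame 2 there is only the client's ACK.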
05-16-2013 07:23 AM
Hi Sourav,
I was blocking the website by ACL on the ASA.
Thanks
Mahesh
05-16-2013 07:25 AM
Using IP or FQDN?
Can you post the access-list?
-
Sourav
05-16-2013 11:08 AM
Hi Sourav,
I am blocking it by IP, say:
access-list extended inside deny tcp host 192.168.52.5 host 195.157.47.7 eq 80
Thanks
Mahesh
05-16-2013 11:21 AM
Well, in that case the ASA should deny the very first packet sent by the client to the server, i.e. the SYN.
Can you post 'show run access-group' and make sure that the access-group is indeed applied on inside in the outbound direction?
Also, please post output of:
packet-tracer input inside tcp 192.168.52.5 discard 195.157.47.7 80
-
Sourav
05-16-2013 02:41 PM
Hi Sourav,
Currently the access group is applied on the inside interface; the direction is in.
Do I need to configure the ACL in the out direction on the inside interface?
Will post the output shortly.
Thanks
Mahesh
05-16-2013 04:12 PM
Hi Sourav,
Here is the current config:
access-list inside_access_in extended permit ip any any
access-list CAP extended permit tcp host 192.168.52.5 host 195.157.47.7 eq www log
access-list CAP extended permit tcp host 195.157.47.7 eq www host 192.168.52.5 log
access-group inside_access_in in interface inside
ciscoasa# packet-tracer input inside tcp 192.168.52.5 discard 195.157.47.7 80
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.52.0 255.255.255.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp host 192.168.52.5 host 195.157.47.7 eq www log
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks
MAhesh
05-17-2013 05:28 AM
Mahesh,
The rule looks fine. You shouldn't see any traffic going out of the ASA in the captures. Just clear the captures, clear any existing connections for the client machine, try again, and see if any packets are seen on the outside interface of the ASA.
clear capture
clear connection address 192.168.52.5
-
Sourav