11-02-2011 05:52 AM - edited 03-11-2019 02:45 PM
Hi,
I have been trying to figure out a way to log all packet flow originating from the DMZ segment to our Inside network. There are multiple ways I came across through which this could be achieved.
1) Through the ASDM packet capture wizard - Problem with this...I need the packet flow details covering 2 days. This can't be achieved through the wizard; moreover, it will increase the CPU utilization of the firewall.
2) Enabling Informational logging at the end of the ACE for DMZ to Inside - Problem....my syslog would not show any hits. I guess I need to enable Debugging mode, but won't this increase the CPU?
Apart from the above methods is there a way to achieve my requirement without causing CPU hike?
Regards
11-03-2011 01:36 AM
Hi,
It would be the same as the others, but at the end you put the "headers-only" keyword. The limitation again would be the buffer of the ASA for packet capturing.
Feel free to browse the following document, let me know if it works for you
https://supportforums.cisco.com/docs/DOC-17814
PS, I would still go for SPAN on the switch
Mike
11-02-2011 04:11 PM
Hi.
I wouldn't recommend using the ASA to do this if it is going to be for two days. I bet that the ASA won't have that much buffer for that period of time (unless you capture only the headers and not the payload). I think it would be better if you do it using SPAN on the switch port that connects to the ASA on the DMZ interface, connect a computer, run Wireshark and leave it like that for two days.
The capture on the ASA is mainly to analyze specific types of connections.
Mike Rojas
11-03-2011 01:24 AM
Hi Maykol,
Our main requirement is to check what ports are used from the DMZ to the Inside network. Once we gather that information we can restrict access using ACE. I guess the header information will suffice as it would provide me port information.
Can you suggest how I can capture packets containing header information?
Regards