Syslog for logging all packet flow from DMZ to Inside.

Sundeep Dsouza
Level 1

Hi,

I have been trying to figure out a way to log all packet flow originating from the DMZ segment to our Inside network. There are multiple ways I came across through which this could be achieved.

1) Through the ASDM packet capture wizard - Problem with this: I need the packet flow details covering 2 days. This can't be achieved through the wizard; moreover, it will increase the CPU utilization of the firewall.

2) Enabling Informational logging at the end of the ACE for DMZ to Inside - Problem: my syslog would not show any hits. I guess I need to enable Debugging mode, but won't this increase the CPU?

Apart from the above methods is there a way to achieve my requirement without causing CPU hike?

Regards

3 Replies

Maykol Rojas
Cisco Employee

Hi.

I wouldn't recommend using the ASA to do this if it is going to be for two days. I bet that the ASA won't have that much buffer for that period of time (unless you only capture the headers and not the payload). I think it would be better if you do it using SPAN on the switch port that connects to the ASA on the DMZ interface, connect a computer, run Wireshark and leave it like that for two days.

The capture on the ASA is mainly to analyze specific types of connections.

Mike Rojas

Hi Maykol,

Our main requirement is to check what ports are used from the DMZ to the Inside network. Once we gather that information we can restrict access using ACEs. I guess the header information will suffice, as it would provide me the port information.

Can you suggest how I can capture packets containing header information?

Regards

Hi,

It would be the same as the others, but you put the "headers-only" keyword at the end. The limitation again would be the buffer of the ASA for packet capturing.

Feel free to browse the following document, let me know if it works for you

https://supportforums.cisco.com/docs/DOC-17814

PS, I would still go for SPAN on the switch

Mike
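Both replies end at the same place: a capture that holds only headers (SPAN to a Wireshark host, or the ASA's own capture with headers-only, exported as a pcap file), from which the destination ports used DMZ-to-Inside are read off and turned into the restrictive ACEs the original poster wants. The Python below is an added example, not code from the thread or from Cisco, showing that last step. It builds a small headers-only pcap in memory (constructed sample data, with made-up 192.0.2.0/24 DMZ and 10.0.0.0/8 Inside subnets; these are assumptions, not values from the thread), parses the Ethernet/IPv4/TCP/UDP headers with nothing but the standard library, and counts only real new DMZ-to-Inside flows: for TCP it keeps packets with SYN set and ACK clear, so the server half of an Inside-initiated session (DMZ source, Inside destination, ephemeral destination port) does not end up as a bogus permit line. UDP headers carry no direction, so every datagram counts and those lines deserve a manual look. The same parser works unchanged on a pcap saved by Wireshark from a SPAN session.

```python
import struct
import ipaddress
from collections import Counter

# Assumed subnets for the example; substitute your own DMZ and Inside ranges.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def _frame(src, dst, proto, sport, dport, tcp_flags=0, payload_len=0):
    """Ethernet + IPv4 + TCP/UDP header only; the payload is deliberately absent."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    total = 20 + (20 if proto == PROTO_TCP else 8) + payload_len  # IP total length incl. payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    return eth + ip + l4


def build_sample_pcap():
    """Constructed headers-only capture (not real traffic). incl_len < orig_len, as a truncating capture writes it."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, link type Ethernet
    flows = [
        ("192.0.2.10", "10.1.1.20", PROTO_TCP, 40001, 1433, TCP_SYN, 0),            # DMZ web -> Inside MSSQL, new flow
        ("192.0.2.10", "10.1.1.20", PROTO_TCP, 40001, 1433, TCP_ACK, 1200),         # same flow, data segment
        ("192.0.2.10", "10.1.1.30", PROTO_TCP, 40002, 389, TCP_SYN, 0),             # DMZ -> Inside LDAP
        ("192.0.2.11", "10.1.1.30", PROTO_TCP, 40003, 389, TCP_SYN, 0),             # second DMZ host -> LDAP
        ("192.0.2.10", "10.1.1.53", PROTO_UDP, 50000, 53, 0, 40),                   # DMZ -> Inside DNS
        ("192.0.2.10", "10.2.5.7", PROTO_TCP, 443, 55123, TCP_SYN | TCP_ACK, 0),   # reply half of Inside->DMZ HTTPS
        ("10.2.5.7", "192.0.2.10", PROTO_TCP, 55123, 443, TCP_SYN, 0),             # Inside -> DMZ, out of scope
    ]
    for src, dst, proto, sport, dport, flags, plen in flows:
        frame = _frame(src, dst, proto, sport, dport, flags, plen)
        pcap += struct.pack("<IIII", 0, 0, len(frame), len(frame) + plen) + frame
    return pcap


def iter_frames(pcap):
    """Yield each captured frame from a little-endian, microsecond-resolution pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def flows_dmz_to_inside(pcap):
    """Count new DMZ->Inside flows keyed by (proto, dst_port). TCP: SYN without ACK only. UDP: every datagram."""
    seen = Counter()
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
        if src not in DMZ_NET or dst not in INSIDE_NET:
            continue
        l4 = frame[14 + ihl:]
        if proto == PROTO_TCP and len(l4) >= 14:
            flags = l4[13]
            if flags & TCP_SYN and not flags & TCP_ACK:
                seen[("tcp", struct.unpack("!H", l4[2:4])[0])] += 1
        elif proto == PROTO_UDP and len(l4) >= 4:
            seen[("udp", struct.unpack("!H", l4[2:4])[0])] += 1
    return seen


def suggested_aces(seen, acl_name="DMZ-TO-INSIDE"):
    """Render observed flows as ASA extended ACEs, closing with a logged deny so anything missed still shows in syslog."""
    dmz = f"{DMZ_NET.network_address} {DMZ_NET.netmask}"
    inside = f"{INSIDE_NET.network_address} {INSIDE_NET.netmask}"
    aces = [f"access-list {acl_name} extended permit {proto} {dmz} {inside} eq {port}"
            for (proto, port), _ in sorted(seen.items())]
    aces.append(f"access-list {acl_name} extended deny ip any any log")
    return aces


if __name__ == "__main__":
    flows = flows_dmz_to_inside(build_sample_pcap())
    for line in suggested_aces(flows):
        print(line)
```

Run against a real export, replace `build_sample_pcap()` with the bytes of the file and widen `DMZ_NET`/`INSIDE_NET` to match the interfaces; the output lists only the destination ports that DMZ hosts actually opened, with the data segment, the SYN+ACK reply and the Inside-initiated session all correctly left out.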