01-07-2015 03:04 PM - edited 03-11-2019 10:18 PM
I have an ASA5555X running 9.0.1 and I've been asked to clean up a policy/ACL that has IP ANY ANY as the last ACE on a busy DMZ interface.
What I'd like to do is packet capture anything that does not match the previous valid access-list entries. That way I can determine what remaining traffic may be legitimate, add rules for the "good" traffic - and deny the rest.
What's the best way to do this?
Thanks
01-07-2015 07:59 PM
Hi,
The best way to do this would be to use the "log" keyword on the "ip any any" ACE and check the specific logs for the ACL log feature (106100 etc.) to see which traffic is being allowed by this rule only.
Thanks and Regards,
Vibhor Amrodia
01-23-2015 08:22 AM
Here's how I've done it: set up an ACL that denies all the traffic that is allowed through your interface ACL, with permit ip any any at the bottom, then use that ACL to capture with:
Current outbound acl:
access-list outbound ext per tcp any any eq 80
access-list outbound ext per tcp any any eq 443
access-list outbound ext per ip any any
capture acl:
access-list capout ext deny tcp any any eq 80
access-list capout ext deny tcp any any eq 443
access-list capout ext permit ip any any
capture capout int out access-list capout
Update your capture acl with traffic that you've seen so you don't keep capturing the same traffic.
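The inversion described in this answer, written out as an added example (not code from the thread): every explicit ACE in the interface ACL, permit or deny, becomes a deny in the capture ACL, so the capture only sees traffic that would fall through to the catch-all. The ACL names, the "dmz" interface and the sample ACEs are constructed for the example.

```python
"""Build an ASA capture ACL that excludes traffic already matched by the
interface ACL's explicit entries. Constructed example; names are made up."""
import re

# Matches 'access-list <name> extended|ext <permit|per|deny> <rest>'
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended|ext)\s+"
    r"(?P<action>permit|per|deny)\s+(?P<rest>.+)$"
)

def parse_ace(line):
    """Return (acl_name, action, tokens) or None for remarks/non-ACE lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    action = "permit" if m.group("action") in ("permit", "per") else "deny"
    return m.group("name"), action, m.group("rest").split()

def is_catch_all(tokens):
    return tokens == ["ip", "any", "any"]

def build_capture_acl(interface_acl_lines, capture_name, interface):
    """Every explicit ACE (permit or deny) becomes a deny in the capture ACL,
    order preserved, so that neither allowed nor explicitly dropped traffic
    is captured; only what reaches the broad catch-all is."""
    out = []
    for line in interface_acl_lines:
        parsed = parse_ace(line)
        if parsed is None:
            continue  # remarks, blank lines, non-ACE config
        _, _, tokens = parsed
        if is_catch_all(tokens):
            continue  # this is the ACE whose traffic we want to see
        out.append(f"access-list {capture_name} extended deny {' '.join(tokens)}")
    out.append(f"access-list {capture_name} extended permit ip any any")
    out.append(f"capture {capture_name} interface {interface} access-list {capture_name}")
    return out

# Constructed sample interface ACL (hypothetical policy, not from the thread)
INTERFACE_ACL = """\
access-list outbound remark web traffic
access-list outbound ext per tcp any any eq 80
access-list outbound ext per tcp any any eq 443
access-list outbound ext deny udp any any eq 53
access-list outbound ext per ip any any
""".splitlines()

if __name__ == "__main__":
    print("\n".join(build_capture_acl(INTERFACE_ACL, "capout", "dmz")))
```

Re-run the generator after adding each newly identified rule to the interface ACL, so the capture keeps shrinking toward the genuinely unknown traffic.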