746 Views | 0 Helpful | 2 Replies

Use ASA Packet Capture to eliminate an IP ANY ANY rule

kbyrd (Level 2)

I have an ASA5555X running 9.0.1 and I've been asked to clean up a policy/ACL that has IP ANY ANY as the last ACE on a busy DMZ interface.

What I'd like to do is packet capture anything that does not match the previous valid access-list entries. That way I can determine what remaining traffic may be legitimate, add rules for the "good" traffic - and deny the rest.

What's the best way to do this?


Thanks

2 Replies

Vibhor Amrodia (Cisco Employee)

Hi,

The best way to do this would be to use the "log" keyword on the "ip any any" and check the specific logs for the ACL log feature (106100 etc.) to see which traffic is being allowed using this rule only.

Thanks and Regards,

Vibhor Amrodia

JEFF SPRADLING (Level 1)

Here's how I've done it: set up an ACL that denies all the traffic that is allowed through your interface ACL, with ip permit any any at the bottom, then use that ACL to capture with:

Current outbound acl:
access-list outbound ext per tcp any any eq 80
access-list outbound ext per tcp any any eq 443
access-list outbound ext per ip any any

capture acl:
access-list capout ext deny tcp any any eq 80
access-list capout ext deny tcp any any eq 443
access-list capout ext permit ip any any

capture capout int out access-list capout

Update your capture acl with traffic that you've seen so you don't keep capturing the same traffic.
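The inversion described in this reply can be automated so the capture filter stays in step with the interface ACL. The script below is an added example, not code from the thread or from Cisco: it parses the outbound ACL quoted above (constructed here from the reply, including the abbreviated "ext per" keywords the ASA CLI accepts), turns every explicit ACE into a deny in the capture ACL, drops the trailing "ip any any", and appends the catch-all permit. The names build_capture_acl, capture_command and capout are assumptions.

```python
import re

# Constructed sample: the interface ACL from the reply above, written with
# the abbreviated keywords ("ext" / "per") the ASA CLI accepts.
OUTBOUND_ACL = """\
access-list outbound ext per tcp any any eq 80
access-list outbound ext per tcp any any eq 443
access-list outbound ext per ip any any
"""

# One extended ACE: name, action (full or abbreviated), and the rest of the line.
# "remark" lines and anything else that is not an ACE simply fail to match.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+ext(?:ended)?\s+"
    r"(?P<action>per(?:mit)?|deny)\s+(?P<rest>.+)$"
)


def build_capture_acl(acl_text, cap_name="capout"):
    """Invert an interface ACL into a capture-filter ACL (hypothetical helper).

    Both ACLs are evaluated first-match, so order is preserved. Every explicit
    ACE (permit or deny) becomes a deny in the capture ACL: traffic matching it
    never reaches the catch-all, so it should not be captured. The existing
    "ip any any" catch-all is skipped, and a final "permit ip any any" is
    appended so only traffic that would hit the catch-all is captured.
    """
    lines = []
    for raw in acl_text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # blank line, remark, or non-ACE text
        rest = re.sub(r"\s+", " ", m.group("rest")).strip()
        if rest == "ip any any":
            continue  # the catch-all we are trying to eliminate
        lines.append(f"access-list {cap_name} extended deny {rest}")
    lines.append(f"access-list {cap_name} extended permit ip any any")
    return lines


def capture_command(cap_name="capout", cap_id="capout", interface="out"):
    """Build the capture command that applies the inverted ACL (assumed names)."""
    return f"capture {cap_id} interface {interface} access-list {cap_name}"


if __name__ == "__main__":
    for line in build_capture_acl(OUTBOUND_ACL):
        print(line)
    print(capture_command())
```

As more legitimate flows are identified and added to the interface ACL, re-run the script on the updated ACL to regenerate the capture filter instead of editing it by hand.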
