What goes where ???

Thomas_Madsen
Level 1

I've used Cisco for some time now, and am really happy with it, but there is one thing I need to get the hang of..

Traffic from one VLAN going out to the internet, and traffic coming back...

All I see is traffic coming from one IP out on the internet going to my external IP on any given port.

Is there a way I can see what inside IP address it's going to and what inside IP it's coming from??

We have an ASA 5510 with approx. 8 VLANs on the inside, and it would be nice to see which user is causing the internet traffic and why there are so many hits on the firewall :-)

Thanks for any help

Thomas

PS: not too good on commands, mainly used the GUI :-)

5 Replies

Jouni Forss
VIP Alumni

Hi,

I wasn't quite sure what this post was about until I checked the actual post.

You could check the ASDM (GUI) to possibly view some top user information

Try to see if you can find the information with the following:

  • Login to ASDM
  • Go to "Home" (unless already by default there)
  • Look for the "Firewall Dashboard" Tab above the section which tells your ASA software and other information
  • On the "Firewall Dashboard" section you might need to enable some settings (unless they already are)
    • The section should enable you to gather information on "Top Usage" etc.
    • To my understanding enabling this might increase the load on the ASA unit so take that possibility into account

Other than that I usually use the CLI and Syslogs to find who is causing a lot of traffic.

Hope this helps

- Jouni

that one is on of course :-)

What about traffic that's being stopped, is it possible to see where it was trying to go??

like if one user starts up some torrent program, can I see where the traffic is trying to go so I can stop the download?

If I just now, all out of the blue, have massive traffic on my firewall, can I somehow check where the traffic is going?

Hi,

I think there is probably no clean and easy way to do that on the ASA itself.

You would probably either have to just go through Syslogs on all the formed connections or track down hosts that have several active connections.

You could also parse the log messages on a Syslog server for all the "Deny" messages etc.

I usually do this through CLI.

Easiest way to find the basic torrent user is to monitor for a host with several high port UDP connections.

Then you can naturally take a packet capture from the ASA itself and see if there is Bittorrent traffic from the source hosts.

None of these is really an easy way to monitor traffic. I guess you would need something additional if you wanted to make the monitoring of traffic easier.

- Jouni
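Jouni's syslog approach above (go through the "Built" connection messages, look for hosts with several high-port UDP connections, and pick out the "Deny" messages), as an added Python example that is not from this thread. It uses the standard ASA 302013/302015/106023 message formats with constructed sample lines that reuse Thomas's example addresses, and assumes the inside interface is named "inside"; the NAT-mapped address in parentheses on the inside leg is what ties the external 30.30.30.10 back to the real inside host.

```python
import re
from collections import defaultdict

# Constructed sample lines in the real ASA 302013/302015 (Built) and 106023 (Deny)
# formats, reusing the thread's addresses: inside 192.10.0.0/24, outside IP 30.30.30.10.
SAMPLE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:192.10.0.123/51234 (30.30.30.10/51234)",
    "%ASA-6-302015: Built outbound UDP connection 2 for outside:203.0.113.5/6881 (203.0.113.5/6881) to inside:192.10.0.19/40001 (30.30.30.10/40001)",
    "%ASA-6-302015: Built outbound UDP connection 3 for outside:203.0.113.6/52001 (203.0.113.6/52001) to inside:192.10.0.19/40001 (30.30.30.10/40001)",
    "%ASA-6-302015: Built outbound UDP connection 4 for outside:203.0.113.7/61000 (203.0.113.7/61000) to inside:192.10.0.19/40001 (30.30.30.10/40001)",
    '%ASA-4-106023: Deny tcp src outside:198.51.100.20/4444 dst inside:192.10.0.123/445 by access-group "OUTSIDE-IN" [0x0, 0x0]',
]
BUILT_RE = re.compile(  # each leg is interface:real_ip/port (mapped_ip/port)
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+"
    r" for (?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \((?P<m1>[\d.]+)/\d+\)"
    r" to (?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<p2>\d+) \((?P<m2>[\d.]+)/\d+\)")
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src [\w-]+:[\d.]+/\d+ dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/")

def parse_line(line, inside_if="inside"):
    """Return (kind, inside_ip, mapped_ip, proto, remote_port) or None if not relevant."""
    if m := BUILT_RE.search(line):
        a, b = ("1", "2") if m["if1"] == inside_if else ("2", "1")
        if m["if" + a] != inside_if:
            return None
        # The mapped (NAT) address on the inside leg is the external IP seen from outside.
        return ("built", m["ip" + a], m["m" + a], m["proto"], int(m["p" + b]))
    if (m := DENY_RE.search(line)) and m["dif"] == inside_if:
        return ("deny", m["dip"], None, m["proto"].upper(), 0)
    return None

def summarize(lines, inside_if="inside"):
    """Per inside host: total connections, high-port UDP connections, denies, mapped IPs."""
    hosts = defaultdict(lambda: {"conns": 0, "udp_high": 0, "denied": 0, "mapped": set()})
    for rec in filter(None, (parse_line(l, inside_if) for l in lines)):
        kind, ip, mapped, proto, rport = rec
        if kind == "deny":
            hosts[ip]["denied"] += 1
            continue
        hosts[ip]["conns"] += 1
        hosts[ip]["mapped"].add(mapped)
        hosts[ip]["udp_high"] += int(proto == "UDP" and rport > 1023)
    return hosts

def hosts_behind(hosts, mapped_ip):
    """Inside hosts whose connections were NATed to the given external IP."""
    return sorted(ip for ip, h in hosts.items() if mapped_ip in h["mapped"])

def torrent_suspects(hosts, threshold=3):
    """Jouni's heuristic: hosts with several UDP connections to high remote ports."""
    return sorted(ip for ip, h in hosts.items() if h["udp_high"] >= threshold)
```

Feed it the lines from your syslog server instead of SAMPLE_LOG; hosts_behind(..., "30.30.30.10") answers which inside addresses the external traffic really ended up at.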

well I've used Wireshark earlier and it's OK, but not sure how to capture what I need :-)

Say I have an external 30.30.30.x IP net, and of those IPs I want to know the traffic going to 30.30.30.10 on the outside, and the gateway for the inside net I want to "inspect" is 192.10.0.1

what do I then do to check where the traffic hitting 30.30.30.10 ends up in the 192.10.0.X net :-)

What I need to know is if it ends up at 192.10.0.123 or 192.10.0.19 :-)

Hi,

A basic packet capture configuration for ASA could look something like this

access-list TRAFFIC-CAPTURE permit ip 10.10.10.0 255.255.255.0 any

access-list TRAFFIC-CAPTURE permit ip any 10.10.10.0 255.255.255.0

capture TRAFFIC-CAPTURE type raw-data access-list TRAFFIC-CAPTURE interface inside buffer 33500000 circular-buffer

Where

  • TRAFFIC-CAPTURE = Is the ACL that defines the traffic to be captured. The above ACL captures both directions of the traffic when the source is 10.10.10.0/24 and destination is "any" (and vice versa naturally)
  • 10.10.10.0/24 = Is an example LAN network located behind "inside" interface (or is the interface network)
  • inside = Is the interface from which the capture is taken from
  • 33500000 = Is pretty close to the max buffer memory you can have on any ASA firewall for a single capture
    • You can make separate capture for each direction and later attach the capture files using wireshark
  • circular-buffer = Is the setting that will permit the ASA to overwrite the old captured data when the buffer is full. Capture will keep on working but old data will be overwritten as new data is being captured.

Naturally the above ACL is VERY broad. You can change the capture to only capture one "host"'s traffic, or only TCP or UDP traffic. You can limit it to certain destination IP addresses. Just control it as you like with the ACL.

To show if traffic is hitting the capture

show capture

To show a specific capture and its contents (the capture name is the one defined above)

show capture TRAFFIC-CAPTURE

To copy a capture to an external TFTP server

  • To be later opened with Wireshark for example

copy /pcap capture:TRAFFIC-CAPTURE tftp://x.x.x.x/TRAFFIC-CAPTURE.pcap

To remove a capture from the ASA

  • Also removes the collected data

no capture TRAFFIC-CAPTURE

Hopefully the above information has been helpful. Please do rate if it has been, and naturally ask more if needed.

- Jouni
