02-26-2013 05:58 AM - edited 03-11-2019 06:05 PM
I've used Cisco for some time now, and am really happy with it, but there is one thing I need to get the hang of..
Traffic from one VLAN going out to the internet, and traffic coming back...
All I see is traffic coming from one IP out on the internet going to my external IP on any given port.
Is there a way I can see which inside IP address it's going to and which inside IP it's coming from??
We have an ASA 5510 with approx. 8 VLANs on the inside and it would be nice to see which user is causing the internet traffic and why there are so many hits on the firewall :-)
Thanks for any help
Thomas
PS: not too good with commands, mainly used the GUI :-)
02-26-2013 06:05 AM
Hi,
I wasn't quite sure what this post was about until I checked the actual post.
You could check the ASDM (GUI) to possibly view some top user information.
Try if you can find the information with the following
Other than that I usually use the CLI and Syslogs to find who is causing a lot of traffic.
Hope this helps
- Jouni
02-26-2013 06:12 AM
That one is on of course :-)
What about traffic that's being stopped, is it possible to see where it was trying to go??
Like if one user starts up some torrent program, can I see where the traffic is trying to go so I can stop the download?
If I just now, all out of the blue, have massive traffic on my firewall, can I somehow check where the traffic is going?
02-26-2013 06:21 AM
Hi,
I think there is probably no clean and easy way to do that on the ASA itself.
You would probably either have to just go through Syslogs on all the formed connections or track down hosts that have several active connections.
You could also parse the log messages on a Syslog server for all the "Deny" messages etc.
I usually do this through CLI.
The easiest way to find the basic torrent user is to monitor for a host with several high-port UDP connections.
Then you can naturally take a packet capture on the ASA itself and see if there is BitTorrent traffic from the source hosts.
None of these are really an easy way to monitor traffic. I guess you would need something additional if you wanted to make the monitoring of traffic easier.
- Jouni
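Added example (not part of Jouni's reply and not anything Cisco ships): a small Python script that does the Syslog parsing described above. It reads the ASA 302013/302015 "Built ... connection" messages, whose "to" field carries the inside host's real address with the NAT-mapped address in parentheses, so it can answer which inside host is behind a flow that only shows the outside address; it counts distinct high-port UDP peers per inside host as the torrent heuristic; and it summarises 106023 "Deny" messages by source so you can see where blocked traffic was trying to go. The sample log lines are constructed for the example using the addresses from this thread; the function names and the thresholds (5 peers, remote ports above 1023) are my own choices, not an ASA convention.

```python
"""Summarise ASA connection-logging syslog messages (added example, not from the thread).

Answers two questions from the thread: which inside (pre-NAT) host sits behind a flow
seen with an outside address, and which inside host has many high-port UDP peers.
"""
import re
from collections import Counter, defaultdict

# %ASA-6-302013 (TCP) / %ASA-6-302015 (UDP) "Built ... connection" messages.
# For outside<->inside flows the "to" side is the inside host: real address first,
# NAT-mapped address in parentheses. The idfw "(user)" suffix is not handled here.
BUILT_RE = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+"
    r" for (?P<for_if>[\w-]+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) \([\d.]+/\d+\)"
    r" to (?P<to_if>[\w-]+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+)"
    r" \((?P<to_mapped_ip>[\d.]+)/(?P<to_mapped_port>\d+)\)"
)
# %ASA-4-106023 "Deny ..." messages; the port fields are absent for ICMP.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def parse_built(line):
    """Return the fields of a 302013/302015 message as a dict, or None."""
    m = BUILT_RE.search(line)
    if not m:
        return None
    r = m.groupdict()
    for k in ("for_port", "to_port", "to_mapped_port"):
        r[k] = int(r[k])
    return r


def parse_deny(line):
    """Return the fields of a 106023 message as a dict, or None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    r = m.groupdict()
    r["sport"] = int(r["sport"]) if r["sport"] else None
    r["dport"] = int(r["dport"]) if r["dport"] else None
    return r


def inside_hosts_for(lines, external_ip, inside_if="inside"):
    """Count connections per inside real IP that have external_ip on the far side."""
    hits = Counter()
    for line in lines:
        r = parse_built(line)
        if r and r["for_ip"] == external_ip and r["to_if"] == inside_if:
            hits[r["to_ip"]] += 1
    return hits


def udp_high_port_talkers(lines, min_peers=5, high_port=1023, inside_if="inside"):
    """Inside hosts with at least min_peers distinct remote UDP peers above high_port."""
    peers = defaultdict(set)
    for line in lines:
        r = parse_built(line)
        if r and r["proto"] == "UDP" and r["to_if"] == inside_if and r["for_port"] > high_port:
            peers[r["to_ip"]].add((r["for_ip"], r["for_port"]))
    return {host: len(p) for host, p in peers.items() if len(p) >= min_peers}


def denied_destinations(lines):
    """Per source host, how often each (proto, dst, dport) was denied by an ACL."""
    out = defaultdict(Counter)
    for line in lines:
        r = parse_deny(line)
        if r:
            out[r["src"]][(r["proto"], r["dst"], r["dport"])] += 1
    return out


# Constructed sample messages (not real logs), using the addressing from the thread:
# outside NAT address 30.30.30.10, inside hosts 192.10.0.123 and 192.10.0.19.
SAMPLE_LOG = [
    "Feb 26 2013 06:21:05 asa5510 : %ASA-6-302013: Built inbound TCP connection 41001"
    " for outside:198.51.100.7/40123 (198.51.100.7/40123) to inside:192.10.0.123/443 (30.30.30.10/443)",
    "Feb 26 2013 06:21:06 asa5510 : %ASA-6-302013: Built outbound TCP connection 41002"
    " for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.10.0.19/51234 (30.30.30.10/51234)",
    # DNS lookup: UDP, but to a low remote port, so the torrent heuristic ignores it.
    "Feb 26 2013 06:21:07 asa5510 : %ASA-6-302015: Built outbound UDP connection 41003"
    " for outside:198.51.100.53/53 (198.51.100.53/53) to inside:192.10.0.123/50001 (30.30.30.10/50001)",
    "Feb 26 2013 06:21:09 asa5510 : %ASA-4-106023: Deny tcp src inside:192.10.0.19/52000"
    " dst outside:203.0.113.40/6881 by access-group \"INSIDE-IN\" [0x0, 0x0]",
    "Feb 26 2013 06:21:10 asa5510 : %ASA-4-106023: Deny icmp src outside:198.51.100.9"
    " dst inside:192.10.0.123 (type 8, code 0) by access-group \"OUTSIDE-IN\" [0x0, 0x0]",
]
# Six distinct high-port UDP peers for 192.10.0.19: the pattern a BitTorrent client produces.
SAMPLE_LOG += [
    f"Feb 26 2013 06:21:1{i} asa5510 : %ASA-6-302015: Built outbound UDP connection 4101{i}"
    f" for outside:203.0.113.{10 + i}/{6881 + i} (203.0.113.{10 + i}/{6881 + i})"
    f" to inside:192.10.0.19/21000 (30.30.30.10/21000)"
    for i in range(6)
]

if __name__ == "__main__":
    print("Inside hosts talking with 198.51.100.7:", dict(inside_hosts_for(SAMPLE_LOG, "198.51.100.7")))
    print("High-port UDP talkers:", udp_high_port_talkers(SAMPLE_LOG))
    for src, dsts in denied_destinations(SAMPLE_LOG).items():
        print(f"Denied from {src}:", dict(dsts))
```

Feed it the raw lines from your Syslog server (for example `udp_high_port_talkers(open("asa.log"))`); the regexes use search(), so the timestamp and hostname prefix your collector adds does not matter. Logging at level 6 (informational) is needed for the 302013/302015 messages to be sent at all.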
02-26-2013 06:34 AM
Well, I've used Wireshark earlier and it's ok, but not sure how to capture what I need :-)
Say I have an external 30.30.30.x IP net, and of those IPs I want to know the traffic going to 30.30.30.10 on the outside, and the gateway for the inside net I want to "inspect" is 192.10.0.1.
What do I then do to check where the traffic hitting 30.30.30.10 ends up in the 192.10.0.x net :-)
What I need to know is if it ends up at 192.10.0.123 or 192.10.0.19 :-)
02-26-2013 06:47 AM
Hi,
A basic packet capture configuration for the ASA could look something like this
access-list TRAFFIC-CAPTURE permit ip 10.10.10.0 255.255.255.0 any
access-list TRAFFIC-CAPTURE permit ip any 10.10.10.0 255.255.255.0
capture TRAFFIC-CAPTURE type raw-data access-list TRAFFIC-CAPTURE interface inside buffer 33500000 circular-buffer
Where
Naturally the above ACL is VERY broad. You can change the capture to only capture a single host's traffic, or only TCP or UDP traffic. You can limit it to certain destination IP addresses. Just control it as you like with the ACL.
To show whether traffic is hitting the capture (all captures and their buffer usage)
show capture
To show a specific capture and its contents
show capture TRAFFIC-CAPTURE
To copy a capture to an external TFTP server (replace the server address and file name with your own)
copy /pcap capture:TRAFFIC-CAPTURE tftp://TFTP-SERVER/TRAFFIC-CAPTURE.pcap
To remove a capture from the ASA
no capture TRAFFIC-CAPTURE
Hopefully the above information has been helpful. Please do rate if it has been, and naturally ask more if needed.
- Jouni