There is a small typo in the actual text: Following is a small document *that I wrote for* my operations and support team related to Packet Capture on Cisco ASA without using ACLs. I thought of sharing with you guys.

Wrong: 70.38.130.136 = DESTINATION Address
Correct: 170.138.131.136 = DESTINATION Address.

FNK

On Sat, Aug 4, 2012 at 12:06 AM, Fawad Khan <[email protected]> wrote:
> Following is a small document for my operations and support team related
> to Packet Capture on Cisco ASA without using ACLs. I thought of sharing
> with you guys.
>
> =============================
>
> Following are exec mode commands, that can be used to capture data
> from an ASA firewall without using Access-list and with CONFIG mode.
>
> CAPTURE 1_inbound to firewall.
>
> capture SRV2_WEB_INBOUND interface outside buffer 5555550 match ip 10.104.206.40 255.255.255.255 170.138.131.136 255.255.255.255
>
> SRV2_WEB_INBOUND = Capture name, can be any
>
> Outside = interface name, must be specific from where the SOURCE is entering the firewall. Could be inside, outside.
>
> Buffer = buffer size of the capture, 5555550 this is worth 5.5 Mega BYTES. It can be lower, but definitely not bigger because this capture is stored in the firewall which has limited space.
>
> Match = means what type of protocol, could be IP, UDP, TCP, ICMP etc.
>
> 10.104.206.40 = SOURCE address
>
> 70.38.130.136 = DESTINATION Address.
>
> CAPTURE 2_outbound/return from firewall.
>
> capture SRV2_WEB_RETURN interface SRV-prod buffer 5555550 match ip 170.138.131.136 255.255.255.255 10.104.206.40 255.255.255.255
>
> For the return traffic, the only difference from Capture 1 is that interface is changed from outside to SRV-prod (which is DMZ). Also the source is 170.138.131.136 now, instead of the 10.104.206.40 as source. The destination is 10.104.206.40.
>
> How to view the capture on the firewall:
>
> show capture CAP_NAME
>
> How to retrieve captures from the firewall to TFTP
>
> copy /pcap capture: tftp:
>
> Source capture name []? CAP_NAME
>
> Address or name of remote host []? IP_ADD_OF_TFTP_SERVER(1.1.1.1)
>
> Destination filename [CAP_NAME]? CAP_NAME.pcap <<<<<<<<< don't forget to add '.pcap' in DESTINATION FILENAME else Wireshark won't identify it.
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> Completed.
>
> FNK
>
> On Wed, Jun 27, 2012 at 2:21 PM, parvez ahmad <[email protected]> wrote:
>>
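As an added example (not part of this thread or of the original document), a small Python helper that builds the inbound and return capture pair the way the note describes, with the return capture on the egress interface and source/destination swapped, keeps the buffer at or under the 5555550-byte ceiling, and checks that a file pulled back via TFTP really is a classic pcap. The `Flow` class, the `tftp://server/file` URL form and the sample header bytes are assumptions constructed here.

```python
import ipaddress
from dataclasses import dataclass

MAX_BUFFER = 5555550  # bytes, the document's ceiling (about 5.5 MB), assumed as the limit

# Classic libpcap magic numbers (little/big endian, microsecond and nanosecond variants)
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow as seen by the ASA (hypothetical helper type)."""
    name: str        # base capture name, e.g. SRV2_WEB
    src: str         # address entering the firewall (SOURCE in the note)
    dst: str         # server address (DESTINATION in the note)
    in_iface: str    # interface where the SOURCE enters, e.g. outside
    out_iface: str   # interface where the DESTINATION lives, e.g. SRV-prod (DMZ)
    proto: str = "ip"  # ip, tcp, udp or icmp


def host_match(src: str, dst: str, proto: str) -> str:
    """Build the 'match' clause with /32 host masks, as the document does."""
    s = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    d = ipaddress.ip_address(dst)
    if proto not in {"ip", "tcp", "udp", "icmp"}:
        raise ValueError(f"unsupported protocol: {proto}")
    return f"match {proto} {s} 255.255.255.255 {d} 255.255.255.255"


def capture_commands(flow: Flow, buffer: int = MAX_BUFFER) -> list:
    """Return [inbound capture, return capture] exec-mode commands."""
    if not 0 < buffer <= MAX_BUFFER:
        raise ValueError("buffer must stay within the firewall's storage limit")
    inbound = (f"capture {flow.name}_INBOUND interface {flow.in_iface} "
               f"buffer {buffer} {host_match(flow.src, flow.dst, flow.proto)}")
    # Return traffic: egress interface, and source/destination swapped.
    ret = (f"capture {flow.name}_RETURN interface {flow.out_iface} "
           f"buffer {buffer} {host_match(flow.dst, flow.src, flow.proto)}")
    return [inbound, ret]


def copy_command(capture_name: str, tftp_server: str) -> str:
    """One-line form of the copy, always ending the filename in .pcap (assumed URL syntax)."""
    ipaddress.ip_address(tftp_server)
    return f"copy /pcap capture:{capture_name} tftp://{tftp_server}/{capture_name}.pcap"


def looks_like_pcap(header: bytes) -> bool:
    """True if the first bytes carry a libpcap magic; a text dump (no /pcap) fails this."""
    return header[:4] in PCAP_MAGICS
```

Running `looks_like_pcap` on the first bytes of the retrieved file catches a copy done without `/pcap`, which yields a text listing Wireshark cannot open regardless of the extension.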
