You can also enable the HTTPS server on the ASA (if no TFTP is available) and do:

    https://<ip>/capture/<name>/pcap

Mike

From: [email protected]
Date: Sat, 4 Aug 2012 00:26:27 -0400
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Packet Capture without ACL::::Re: ASA with two Syslog Server

There is a small typo in the actual text:

Following is a small document *that I wrote for* my operations and support team related to Packet Capture on Cisco ASA without using ACLs. I thought of sharing it with you guys.

Wrong:   70.38.130.136 = DESTINATION Address
Correct: 170.138.131.136 = DESTINATION Address.

FNK

On Sat, Aug 4, 2012 at 12:06 AM, Fawad Khan <[email protected]> wrote:

Following is a small document for my operations and support team related to Packet Capture on Cisco ASA without using ACLs. I thought of sharing it with you guys.

=============================

Following are exec mode commands that can be used to capture data from an ASA firewall without using an access-list, and with CONFIG mode.

CAPTURE 1 - inbound to firewall:

    capture SRV2_WEB_INBOUND interface outside buffer 5555550 match ip 10.104.206.40 255.255.255.255 170.138.131.136 255.255.255.255

SRV2_WEB_INBOUND = capture name; can be anything.
outside = interface name; must be the specific interface where the SOURCE is entering the firewall. Could be inside, outside.
buffer = buffer size of the capture; 5555550 is worth 5.5 megabytes. It can be lower, but definitely not bigger, because this capture is stored in the firewall, which has limited space.
match = what type of protocol; could be IP, UDP, TCP, ICMP, etc.
10.104.206.40 = SOURCE address
70.38.130.136 = DESTINATION address.

CAPTURE 2 - outbound/return from firewall:

    capture SRV2_WEB_RETURN interface SRV-prod buffer 5555550 match ip 170.138.131.136 255.255.255.255 10.104.206.40 255.255.255.255

For the return traffic, the only difference from Capture 1 is that the interface is changed from outside to SRV-prod (which is DMZ). Also the source is 170.138.131.136 now, instead of 10.104.206.40 as source.
The destination is 10.104.206.40.

How to view the capture on the firewall:

    show capture CAP_NAME

How to retrieve captures from the firewall to TFTP:

    copy /pcap capture: tftp:
    Source capture name []? CAP_NAME
    Address or name of remote host []? IP_ADD_OF_TFTP_SERVER (1.1.1.1)
    Destination filename [CAP_NAME]? CAP_NAME.pcap   <<<<<<<<< don't forget to add '.pcap' in the DESTINATION FILENAME, else Wireshark won't identify it. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Completed.

FNK

On Wed, Jun 27, 2012 at 2:21 PM, parvez ahmad <[email protected]> wrote:

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
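Added example, not written by anyone in the thread above: a small Python helper that generates the inbound/return capture command pair the way the posted SRV2_WEB_INBOUND / SRV2_WEB_RETURN commands are built (host masks, the same 5555550-byte buffer ceiling), produces the HTTPS retrieval URL from the top reply, and checks whether a downloaded file actually starts with a libpcap global header, which is the thing Wireshark keys on once the .pcap extension is right. The function names, the ASA address 192.0.2.1 and the sample byte strings are constructed for the example; the ASA command syntax and URL form are taken from the thread.

```python
import ipaddress
import struct

# Largest buffer the posted commands use (bytes, about 5.5 MB). The thread
# advises not to go bigger because the capture lives in the ASA's own memory.
MAX_BUFFER_BYTES = 5555550
HOST_MASK = "255.255.255.255"


def capture_command(name, interface, src, dst, proto="ip", buffer=MAX_BUFFER_BYTES):
    """Build the exec-mode 'capture' line for one direction of a flow.

    Validates both addresses, restricts proto to the keywords the post lists,
    and keeps the buffer at or below the thread's 5.5 MB ceiling. Host masks
    are used exactly as the posted commands do.
    """
    if not 0 < buffer <= MAX_BUFFER_BYTES:
        raise ValueError(f"buffer must be 1..{MAX_BUFFER_BYTES} bytes")
    if proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError("proto must be one of ip, tcp, udp, icmp")
    s = ipaddress.IPv4Address(src)  # raises AddressValueError on a bad address
    d = ipaddress.IPv4Address(dst)
    return (f"capture {name} interface {interface} buffer {buffer} "
            f"match {proto} {s} {HOST_MASK} {d} {HOST_MASK}")


def flow_capture_pair(base_name, src, dst, ingress_if, egress_if, proto="ip"):
    """Return [inbound, return] captures for one flow.

    The return direction swaps source and destination and moves to the egress
    interface, mirroring Capture 1 / Capture 2 in the post.
    """
    return [
        capture_command(f"{base_name}_INBOUND", ingress_if, src, dst, proto),
        capture_command(f"{base_name}_RETURN", egress_if, dst, src, proto),
    ]


def https_pcap_url(asa_address, capture_name):
    """URL that serves a named capture as pcap when the ASA HTTPS server is on."""
    return f"https://{asa_address}/capture/{capture_name}/pcap"


# libpcap global-header magics: classic microsecond and nanosecond variants.
PCAP_MAGICS = {0xA1B2C3D4: "us", 0xA1B23C4D: "ns"}
PCAP_GLOBAL_HEADER_LEN = 24


def pcap_header_info(data):
    """Parse a libpcap global header; return a dict, or None if not pcap.

    Useful after a TFTP or HTTPS retrieval: an HTML login page or a truncated
    transfer saved as CAP_NAME.pcap will fail here and will not open in
    Wireshark either, whatever the extension says.
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        return None
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in PCAP_MAGICS:
            major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
                endian + "HHiIII", data[4:PCAP_GLOBAL_HEADER_LEN])
            return {
                "endian": "little" if endian == "<" else "big",
                "timestamps": PCAP_MAGICS[magic],
                "version": f"{major}.{minor}",
                "snaplen": snaplen,
                "linktype": linktype,
            }
    return None


# Constructed sample inputs: an empty little-endian pcap 2.4 file (Ethernet
# link type, no packet records yet) and an HTML error page saved by mistake.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_HTML = b"<html><body>Authentication required</body></html>"

if __name__ == "__main__":
    for line in flow_capture_pair("SRV2_WEB", "10.104.206.40",
                                  "170.138.131.136", "outside", "SRV-prod"):
        print(line)
    print(https_pcap_url("192.0.2.1", "SRV2_WEB_INBOUND"))
    print(pcap_header_info(SAMPLE_PCAP))
    print(pcap_header_info(SAMPLE_HTML))
```

Run it as a script to see the two capture lines and the URL; in practice you would feed the bytes returned by the HTTPS URL (or the file the TFTP server wrote) to pcap_header_info before handing the file to Wireshark.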
