Hi Fawad,

Thanks a lot.

I just wanted to know, is there any command for traffic filter on ASA without interface, as we have "*get session src-ip* <PC1> dst-ip <PC2>" on Netscreen Juniper, and in Checkpoint SmartDashboard only choose source-ip or destination-ip or ports, same as Fortigate like Netscreen?

Thanks,
Parvez Ahmad

On Sat, Aug 4, 2012 at 9:56 AM, Fawad Khan <[email protected]> wrote:

> There is a small typo in the actual text:
>
> Following is a small document *that I wrote for* my operations and support
> team related to Packet Capture on Cisco ASA without using ACLs. I thought
> of sharing with you guys.
>
> Wrong: 70.38.130.136=DESTINATION Address
> Correct: 170.138.131.136= DESTINATION Address..
>
> FNK
>
> On Sat, Aug 4, 2012 at 12:06 AM, Fawad Khan <[email protected]> wrote:
>
>> Following is a small document for my operations and support team related
>> to Packet Capture on Cisco ASA without using ACLs. I thought of sharing
>> with you guys.
>>
>> =============================
>>
>> Following are exec mode commands that can be used to capture data
>> from an ASA firewall without using Access-list and with CONFIG mode.
>>
>> CAPTURE 1_inbound to firewall.
>>
>> capture SRV2_WEB_INBOUND interface outside buffer 5555550 match ip 10.104.206.40 255.255.255.255 170.138.131.136 255.255.255.255
>>
>> SRV2_WEB_INBOUND= Capture name, can be any
>>
>> Outside= interface name, must be specific from where the SOURCE is
>> entering the firewall. Could be inside, outside.
>>
>> Buffer=buffer size of the capture, 5555550 this is worth 5.5 Mega BYTES.
>> It can be lower, but definitely not bigger because this capture is stored
>> in the firewall which has limited space.
>>
>> Match= means what type of protocol, could be IP, UDP, TCP, ICMP etc.
>>
>> 10.104.206.40 = SOURCE address
>>
>> 70.38.130.136=DESTINATION Address.
>>
>> CAPTURE21_outbound/return from firewall.
>>
>> capture SRV2_WEB_RETURN interface SRV-prod buffer 5555550 match ip 170.138.131.136 255.255.255.255 10.104.206.40 255.255.255.255
>>
>> For the return traffic, the only difference from Capture 1 is that the
>> interface is changed from outside to SRV-prod (which is DMZ). Also the
>> source is 170.138.131.136 now, instead of the 10.104.206.40 as source.
>> The destination is 10.104.206.40.
>>
>> How to view the capture on the firewall:
>>
>> Show capture CAP_NAME
>>
>> How to retrieve captures from the firewall to TFTP
>>
>> Copy /pcap capture: tftp:
>>
>> Source capture name []? CAP_NAME
>>
>> Address or name of remote host []? IP_ADD_OF_TFTP_SERVER(1.1.1.1)
>>
>> Destination filename [CAP_NAME]? CAP_NAME.pcap   <<<<<<<<< don't
>> forget to add '.pcap' in DESTINATION FILENAME, else Wireshark won't identify
>> it.
>>
>> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>>
>> Completed.
>>
>> FNK
>>
>> On Wed, Jun 27, 2012 at 2:21 PM, parvez ahmad <[email protected]> wrote:
>>
>>>
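An added example, not part of the original thread: once the inbound and return captures have been copied off the firewall as `.pcap` files, this Python sketch counts the IPv4 packets seen in each direction of the flow, which shows quickly whether the return traffic ever reached the second capture point. It assumes the exported file is a classic libpcap file with Ethernet link type; `build_pcap` and `count_flow` are hypothetical helper names, and the sample capture is constructed in memory.

```python
import ipaddress
import struct

def build_pcap(flows):
    """Constructed sample: classic little-endian pcap, Ethernet link type (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst in flows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip   # dummy MACs + IPv4 ethertype
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def count_flow(pcap, src, dst):
    """Count IPv4 packets going from src to dst in a classic pcap byte string."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                                  # written on a little-endian host
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                                  # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    # Assumption: the exported capture uses Ethernet framing (link type 1).
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    want = (ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    pos, hits = 24, 0
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        off = 18 if frame[12:14] == b"\x81\x00" else 14   # skip one 802.1Q tag
        if len(frame) < off + 20 or frame[off - 2:off] != b"\x08\x00":
            continue                               # truncated or not IPv4
        if (frame[off + 12:off + 16], frame[off + 16:off + 20]) == want:
            hits += 1
    return hits

if __name__ == "__main__":
    # Addresses are the ones used in the thread; the packets are constructed.
    sample = build_pcap([("10.104.206.40", "170.138.131.136"),
                         ("170.138.131.136", "10.104.206.40"),
                         ("10.104.206.40", "170.138.131.136")])
    print("inbound:", count_flow(sample, "10.104.206.40", "170.138.131.136"))
    print("return: ", count_flow(sample, "170.138.131.136", "10.104.206.40"))
```

For a real file, read it with `open("CAP_NAME.pcap", "rb").read()` and pass the bytes to `count_flow`.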
