07-13-2007 05:10 AM
How to trace a particular IP which is hitting the PIX NATing IP quite frequently? How to use the log information, with date?
07-13-2007 07:26 AM
The best way to trace a particular IP is through the use of the capture statement... First, you define an ACL to look for the specific traffic you are interested in. Then, you assign your ACL to a cap and apply the capture to the interface you want. Here is an example:
access-list cap extended permit ip host 1.1.1.1 host 2.2.2.2
capture cap access-list cap interface outside
07-13-2007 08:12 AM
Thanks for the reply.
My NAT IP is 41.x.x.x, assigned to the internal 172.x.x.x. Now I need to capture the 172.x.x.x series traffic. Now give the config for the ACL and the config of the interface. What's the command to see the output?
07-13-2007 08:16 AM
What is the destination of the traffic? Are you interested in inbound or outbound traffic or both?
07-14-2007 02:18 AM
Hi walker,
The destination of the traffic is to the internal router.
Interested in both. We are using this PIX only for NATing, ASA5510.
07-16-2007 06:57 AM
Here you go...
! 41.1.1.1 = router's public IP
access-list cap1 extended permit ip any host 41.1.1.1
access-list cap1 extended permit ip host 41.1.1.1 any
! 172.16.1.1 = router's internal IP
access-list cap2 extended permit ip any host 172.16.1.1
access-list cap2 extended permit ip host 172.16.1.1 any
capture cap1 access-list cap1 interface outside
capture cap2 access-list cap2 interface inside
To see captures..
show capture cap1
show capture cap2
********* PLEASE RATE***************
Cheers
Jay
07-16-2007 10:28 AM
Thanks, I am able to capture the outside traffic, whereas inside it says no packets captured....
07-16-2007 02:37 PM
Then either your traffic is not getting through the firewall.... Or you didn't make the access list correctly. Or you didn't apply the access list to the inside with the capture command.
Check those 3 things.
07-17-2007 12:30 AM
Thanks, I am able to capture on both. I need to capture the complete traffic on both inside & outside interfaces and store it into an FTP directory, how to do it??
Now it's getting only 958 packets. If I need to capture for a day continuously, how to go about that????
07-17-2007 06:27 AM
You can download the captures in a format viewable with Ethereal. Here is how you do it..
1. Open Internet Explorer
2. Browse to https://
3. Save file
4. Open using Ethereal.
You can capture as much as you want..
As always.. Please rate!!
Thanks
Jay
07-17-2007 11:03 PM
Thanks, I have just given the outside & inside IP of the interface to the access list.
How to view the syslog messages of the PIX? We are using Linux..
07-17-2007 11:26 PM
This can be done on any PC on the LAN. I have installed Wireshark,
and I tried to browse to the https given. I just get no page to display...
rgds,
prasanna
07-18-2007 06:20 AM
Sorry the actual URL you need is https://
** Make sure you replace those two sections in the URL I mention...
07-19-2007 08:00 AM
I tried with the command on my local PC, it's not working.
https://172.25.0.5/capture/cap2/pcap
The IP given happens to be the internal IP of my PIX interface. Created the ACL for this.
Expecting your reply.
07-19-2007 08:02 AM
Do you have http access enabled from the inside?
Look for lines like the following in your config... If they are not there, then you will need to add them before it will work:
http enable
http 172.25.0.0 255.255.255.0 inside
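Added example, not part of any post in this thread: once a capture has been saved as a pcap file, a short script can answer the original question by tallying which source addresses hit the NAT address most often, with first and last time seen. It assumes a classic libpcap file with Ethernet link type; the function names, source addresses and timestamps are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict
from datetime import datetime, timezone

def hits_by_source(pcap, nat_ip):
    """Return [(src_ip, packets, first_seen_utc, last_seen_utc)] for packets to nat_ip."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":      # little-endian classic pcap
        e = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":    # big-endian classic pcap
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen = defaultdict(list)
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts, _usec, incl, _orig = struct.unpack(e + "4I", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Skip truncated frames and anything that is not untagged IPv4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        if socket.inet_ntoa(frame[30:34]) == nat_ip:
            seen[socket.inet_ntoa(frame[26:30])].append(ts)
    def utc(t):
        return datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    rows = [(src, len(t), utc(min(t)), utc(max(t))) for src, t in seen.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def sample_pcap():
    """Constructed sample: four packets, three of them to 41.1.1.1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [(1184572800, "198.51.100.7", "41.1.1.1"),
            (1184572805, "203.0.113.9", "41.1.1.1"),
            (1184572860, "198.51.100.7", "41.1.1.1"),
            (1184572861, "198.51.100.7", "192.0.2.55")]
    for ts, src, dst in pkts:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = bytes(12) + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for row in hits_by_source(sample_pcap(), "41.1.1.1"):
        print(*row)
```

To run it on a real download, read the saved file in binary mode and pass its bytes in place of `sample_pcap()`.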