
ASA 5505 Monitor HTTP Traffic

nrnick
Level 1

Hi,

Any suggestions about how to correctly monitor HTTP traffic from a certain host?

I just received a request to log, for a specific period of time, HTTP traffic from a host on the inside network to the internet and to generate a sort of human-readable output format.

It can either be logged to syslog, FTP, etc.

I know how to use filter, but this request got me a little confused.

Any ideas?

2 Replies

John Blakley
VIP Alumni

You need to inspect HTTP under your policy map for your ASA to log web addresses that are being accessed. After doing that, you would need to log to a syslog server, and then filter by the IP address that you want. If you have a lot of users, there's not a way that I know of that will allow you to pick just one address. (I don't think you can create an ACL to log against.) So, you could have a ton of traffic coming through that you'd have to filter through.

HTH,

John


jeremyault
Level 1

Create a "capture" file which is easily readable and exportable. I'm assuming you want to know what website IP addresses this inside host is going to?

Easy.

First, create an ACL to watch for traffic to the internet on port 80 from the inside host IP address. Let's call the ACL "http-snoop" and assume the inside IP address is 192.168.1.15 - just for example.

HOST(config)# access-list http-snoop permit tcp host 192.168.1.15 any eq 80

Then, create a capture session - let's call it "watchingyou" - and apply it to the interfaces you want to capture on and reference the above ACL...

HOST(config)# capture watchingyou access-list http-snoop interface inside

Now... just let it run.

When you want to see what you've captured, just type:

HOST# show capture watchingyou

And you'll see line-by-line each outbound request from that host to the internet on port 80.

When you're done, "no" the capture line above then "no" the access-list. Also, if you do a "show capture" you'll see the remaining capture file and you can "no" that to erase it when you're done.

Hope that helps.

Jeremy Ault
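
The request in this thread was for human-readable output, so here is an added example (not part of any reply above) that turns saved `show capture watchingyou` text into a per-destination summary for the monitored host. The capture lines are a constructed sample, the tcpdump-style line layout is an assumption to check against your own ASA output, and `summarize` and `render` are hypothetical helper names.

```python
import re

# Constructed sample of saved "show capture watchingyou" output. The line
# layout (tcpdump style, ip.port) is an assumption; adjust LINE if yours differs.
SAMPLE = """\
6 packets captured

   1: 10:15:32.104512 192.168.1.15.51234 > 203.0.113.10.80: S 1000:1000(0) win 8192 <mss 1460>
   2: 10:15:32.131877 192.168.1.15.51234 > 203.0.113.10.80: . ack 2001 win 8192
   3: 10:15:32.132010 192.168.1.15.51234 > 203.0.113.10.80: P 1001:1301(300) ack 2001 win 8192
   4: 10:16:05.220341 192.168.1.15.51240 > 198.51.100.7.80: S 5000:5000(0) win 8192 <mss 1460>
   5: 10:16:41.903311 192.168.1.15.51251 > 203.0.113.10.80: S 9000:9000(0) win 8192 <mss 1460>
   6: 10:16:41.950002 192.168.1.15.51251 > 203.0.113.10.80: F 9301:9301(0) ack 9900 win 8192
6 packets shown
"""

LINE = re.compile(
    r"^\s*\d+:\s+(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)

def summarize(text, host, port=80):
    """Return {dst_ip: {connections, packets, first, last}} for one source host."""
    report = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["src"] != host or int(m["dport"]) != port:
            continue  # skips header/footer lines and unrelated traffic
        entry = report.setdefault(m["dst"], {
            "connections": 0, "packets": 0, "first": m["time"], "last": m["time"]})
        entry["packets"] += 1
        entry["last"] = m["time"]
        # A SYN without "ack" from the inside host marks a new outbound connection.
        if m["flags"].startswith("S") and " ack " not in line:
            entry["connections"] += 1
    return report

def render(report):
    """Format the summary as a fixed-width table, busiest destination first."""
    rows = [f"{'destination':<16} {'conns':>5} {'pkts':>5}  first     last"]
    for dst, e in sorted(report.items(), key=lambda kv: -kv[1]["packets"]):
        rows.append(f"{dst:<16} {e['connections']:>5} {e['packets']:>5}  "
                    f"{e['first']}  {e['last']}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(render(summarize(SAMPLE, "192.168.1.15")))
```

The capture records IP addresses and ports only, so the report lists destinations rather than URLs.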
