ASA 5505 Monitor HTTP Traffic

Unanswered Question

Hi,

Any suggestions about how to correctly monitor HTTP traffic from a certain host?


I just received a request to log, for a specific period of time, HTTP traffic from a host on the inside network to the Internet and to generate a sort of human-readable output format.


It can either be logged to a syslog server, FTP, etc.


I know how to use filters, but this request got me a little confused.


Any idea ?

John Blakley Mon, 02/16/2009 - 14:03

You need to inspect HTTP under your policy map for your ASA to log web addresses that are being accessed. After doing that, you would need to log to a syslog server, and then filter by the IP address that you want. If you have a lot of users, there's not a way that I know of that will allow you to pick just one address. (I don't think you can create an ACL to log against.) So, you could have a ton of traffic coming through that you'd have to filter through.


HTH,


John
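The answer above describes the pipeline but not the last step: sending the ASA's syslog to a collector and then pulling out one host's HTTP activity in a readable form. The following script is an added example, not code from the thread or from Cisco. It filters syslog text for a single inside host, keeping ASA message 302013 (TCP connection built) for the chosen destination ports and message 304001 (URL accessed), and prints a per-destination summary. The sample log lines are constructed for the example; the host names, addresses and URLs in them are made up, and the exact field layout of the two messages is taken from the ASA syslog message reference as I know it, so check it against your own logs before relying on the regular expressions.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the thread): syslog lines in the shape of
# ASA message 302013 (TCP connection built) and 304001 (URL accessed).
# Host names, addresses and URLs are made up.
SAMPLE_SYSLOG = """\
Feb 16 14:03:01 fw01 %ASA-6-302013: Built outbound TCP connection 10001 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:192.168.1.15/51234 (203.0.113.5/51234)
Feb 16 14:03:01 fw01 %ASA-5-304001: 192.168.1.15 Accessed URL 93.184.216.34:http://example.com/index.html
Feb 16 14:03:02 fw01 %ASA-6-302013: Built outbound TCP connection 10002 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.15/51235 (203.0.113.5/51235)
Feb 16 14:03:05 fw01 %ASA-6-302013: Built outbound TCP connection 10003 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:192.168.1.20/40000 (203.0.113.5/40000)
Feb 16 14:03:09 fw01 %ASA-5-304001: 192.168.1.15 Accessed URL 198.51.100.9:http://example.net/login
Feb 16 14:03:10 fw01 %ASA-6-302013: Built outbound TCP connection 10004 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:192.168.1.15/51236 (203.0.113.5/51236)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"

# Outbound 302013: "for <egress-if>:<dst>/<dport> (mapped) to <ingress-if>:<src>/<sport> (mapped)"
CONN_RE = re.compile(
    TS + r" \S+ %ASA-\d-302013: Built outbound TCP connection \d+"
    r" for [\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\)"
    r" to [\w-]+:(?P<src>[\d.]+)/(?P<sport>\d+)"
)
# 304001: "<src> Accessed URL <dst>:<url>"
URL_RE = re.compile(
    TS + r" \S+ %ASA-\d-304001: (?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)"
)


def http_events(lines, host, ports=(80,)):
    """Return (timestamp, kind, destination, detail) tuples for traffic from `host`.

    kind is "connect" for a new TCP connection to one of `ports`, or "url" for a
    URL-accessed message. Lines for other hosts, other ports or other message
    IDs are dropped; this is the per-host filtering the thread talks about.
    """
    events = []
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            if m.group("src") == host and int(m.group("dport")) in ports:
                events.append((m.group("ts"), "connect", m.group("dst"), "tcp/" + m.group("dport")))
            continue
        m = URL_RE.match(line)
        if m and m.group("src") == host:
            events.append((m.group("ts"), "url", m.group("dst"), m.group("url")))
    return events


def summarize(lines, host, ports=(80,)):
    """Build a per-destination, human-readable report for one inside host."""
    by_dst = defaultdict(lambda: {"connections": 0, "urls": []})
    for _ts, kind, dst, detail in http_events(lines, host, ports):
        if kind == "connect":
            by_dst[dst]["connections"] += 1
        else:
            by_dst[dst]["urls"].append(detail)
    port_list = ", ".join(str(p) for p in ports)
    out = [f"HTTP activity for {host} (destination ports {port_list})"]
    # Sort destinations numerically by octet rather than as strings.
    for dst in sorted(by_dst, key=lambda a: tuple(int(o) for o in a.split("."))):
        info = by_dst[dst]
        out.append(f"  {dst}: {info['connections']} connection(s)")
        out.extend(f"    {url}" for url in info["urls"])
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG.splitlines(), "192.168.1.15"))
```

Feed it the collector's file for the requested time window (for example `summarize(open("asa.log").read().splitlines(), "192.168.1.15")`) and widen `ports` to `(80, 443)` if HTTPS is in scope; 302013 carries only addresses and ports, so for HTTPS you get destinations, not URLs. Because the ASA cannot pre-filter by source host at the logging stage, the volume the answer warns about lands on the collector, and this kind of post-filter is where the per-host selection has to happen.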

jeremyault Thu, 02/19/2009 - 14:50
Create a "capture" file which is easily readable and exportable. I'm assuming you want to know what website IP addresses this inside host is going to?


Easy.


First, create an ACL to watch for traffic to the internet on port 80 from the inside host IP address. Let's call the ACL "http-snoop" and assume the inside IP address is 192.168.1.15 - just for example.


HOST(config)# access-list http-snoop permit tcp host 192.168.1.15 any eq 80


Then, create a capture session - let's call it "watchingyou" - and apply it to the interfaces you want to capture on and reference the above ACL...


HOST(config)# capture watchingyou access-list http-snoop interface inside


Now, just let it run.


When you want to see what you've captured, just type:


HOST# show capture watchingyou


And you'll see line-by-line each outbound request from that host to the internet on port 80.


When you're done, "no" the capture line above then "no" the access-list. Also, if you do a "show capture" you'll see the remaining capture file and you can "no" that to erase it when you're done.


Hope that helps.


Jeremy Ault
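The `show capture` output is one line per packet, which is readable for a few minutes of browsing but not for the "human readable" report the question asks for over a longer period. The script below is an added example, not code from this thread or from Cisco: it parses the tcpdump-style lines that `show capture` prints into a per-destination table (first seen, new connections, packets, payload bytes). The sample capture text is constructed for the example, with made-up addresses, sequence numbers and timestamps, and it follows the `show capture` layout as I know it (index, timestamp, `src.port > dst.port: flags seq:seq(len) ack win`); treat the regular expression as an assumption to check against your own ASA's output, since option fields differ between software versions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread) in the tcpdump-like layout that
# "show capture <name>" prints: index, timestamp, src.port > dst.port, TCP
# flags, seq:seq(payload-bytes), ack, window. Addresses are made up.
SAMPLE_CAPTURE = """\
6 packets captured

   1: 14:50:01.123456 192.168.1.15.51234 > 93.184.216.34.80: S 1234567890:1234567890(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 14:50:01.130000 192.168.1.15.51234 > 93.184.216.34.80: . ack 987654321 win 8192
   3: 14:50:01.131000 192.168.1.15.51234 > 93.184.216.34.80: P 1234567891:1234568200(309) ack 987654321 win 8192
   4: 14:50:03.500000 192.168.1.15.51235 > 198.51.100.9.80: S 2222222222:2222222222(0) win 8192 <mss 1460>
   5: 14:50:03.505000 192.168.1.15.51235 > 198.51.100.9.80: P 2222222223:2222222500(277) ack 3333333333 win 8192
   6: 14:50:05.000000 192.168.1.15.51234 > 93.184.216.34.80: F 1234568200:1234568200(0) ack 987654400 win 8192
6 packets shown
"""

# One packet line; the "seq:seq(len)" group is optional because pure ACKs omit it.
PKT_RE = re.compile(
    r"^\s*(?P<idx>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
    r"(?: \d+:\d+\((?P<plen>\d+)\))?"
)


def parse_capture(text):
    """Parse show-capture lines into dicts; header/footer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # "N packets captured/shown" or a blank line
        packets.append({
            "idx": int(m.group("idx")),
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "flags": m.group("flags"),
            "payload": int(m.group("plen") or 0),
        })
    return packets


def per_destination(packets, host):
    """Aggregate packets sent by `host`, keyed by "dst:port".

    A new connection is counted on a bare SYN (flag "S" without the "." that
    tcpdump notation uses for ACK), so SYN/ACK replies are not double-counted.
    """
    stats = defaultdict(lambda: {"first": None, "syns": 0, "packets": 0, "bytes": 0})
    for p in packets:
        if p["src"] != host:
            continue
        s = stats[f"{p['dst']}:{p['dport']}"]
        s["first"] = s["first"] or p["ts"]
        s["packets"] += 1
        s["bytes"] += p["payload"]
        if "S" in p["flags"] and "." not in p["flags"]:
            s["syns"] += 1
    return dict(stats)


def report(text, host):
    """Human-readable lines, one per destination, for the capture in `text`."""
    lines = [f"Outbound TCP from {host}"]
    for dst, s in sorted(per_destination(parse_capture(text), host).items()):
        lines.append(
            f"  {s['first']}  {dst:<22} {s['syns']} new conn, "
            f"{s['packets']} pkts, {s['bytes']} bytes sent"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE, "192.168.1.15"))
```

Two practical notes on the capture approach itself. The capture buffer is finite (512 KB by default) and the capture stops when it fills unless the capture was created with the `circular-buffer` keyword, so "just let it run" for a long window means either sizing the buffer with `buffer` or periodically exporting and clearing it. For anything beyond a quick look, export the raw packets with `copy /pcap capture:watchingyou tftp://<server>/<file>` and open them in Wireshark, which gives you the HTTP `Host` headers and URLs that the line-per-packet view above cannot.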

