Troubleshooting the ASA tip:

Answered Question
Jun 30th, 2010
If you're like me, you perform MANY different tasks throughout the day.
Many times, I am duplicating the same work at different times throughout the day.
It takes a lot of time to figure out and set up a capture session each time I need to determine what is going through my firewall or getting blocked before it gets to my firewall. Finally, I realized the same exact traffic flow capture filters were being configured, used and then deleted.
I now have created permanent ACLs to assist troubleshooting the most common tasks.
I perform a sh run, scroll down to the "cap" acl section, highlight syntax, copy and paste, done.



Line 1 of each acl has the syntax to capture my most common data flows.
Line 2 of each acl has the copy syntax to place the captured raw data onto the Wireshark traffic analyzer/TFTP server.


Huge time saver!
----
---- Please note: Our firewall is under utilized (running at 2%),
---- Performing a capture on your firewall must be deemed safe by YOU . . . BEFORE trying this, else you could be looking for another job.
---- Remember to terminate your capture when done - no capture #.


access-list cap-research line 1 REMARK capture 1 access-list cap-research int research real det
access-list cap-research line 2 REMARK copy /pcap capture:1 tftp
!
access-list cap-research line 3 extended deny ip host 10.99.4.1 host 10.99.4.2
access-list cap-research line 4 extended deny ip host 10.99.4.2 host 10.99.4.1
access-list cap-research line 5 REMARK Ignore firewall-to-firewall keepalives
!
access-list cap-research line 6 extended permit ip any host 10.99.4.5
access-list cap-research line 7 REMARK ingress packets on interface Research
!
access-list cap-research line 8 extended permit ip host 10.99.4.5 any
access-list cap-research line 9 REMARK egress packets on interface Research


!################################# for clarity


access-list cap-eng line 1 REMARK capture 2 access-list cap-eng int eng real det
access-list cap-eng line 2 REMARK copy /pcap capture:2 tftp
!
access-list cap-eng line 3 extended deny ip host 10.91.0.1 host 10.91.0.2
access-list cap-eng line 4 extended deny ip host 10.91.0.2 host 10.91.0.1
access-list cap-eng line 5 REMARK Ignore firewall-to-firewall keepalives
!
access-list cap-eng line 6 extended permit TCP any host 10.91.0.33
access-list cap-eng line 7 REMARK ingress packets on interface ENG
!
access-list cap-eng line 8 extended permit TCP host 10.91.0.33 any
access-list cap-eng line 9 REMARK egress packets on interface ENG


!################################# for clarity


access-list cap-inventory line 1 REMARK capture 3 access-list cap-inventory int inventory real det
access-list cap-inventory line 2 REMARK copy /pcap capture:3 tftp
!
access-list cap-inventory line 3 extended deny ip host 10.3.16.1 host 10.3.16.2
access-list cap-inventory line 4 extended deny ip host 10.3.16.2 host 10.3.16.1
access-list cap-inventory line 5 REMARK Ignore firewall-to-firewall keepalives
!
access-list cap-inventory line 6 extended permit UDP any host 10.3.16.15
access-list cap-inventory line 7 REMARK ingress packets on interface inventory
!
access-list cap-inventory line 8 extended permit UDP host 10.3.16.15 any
access-list cap-inventory line 9 REMARK egress packets on interface inventory


Hope this helps

Frank

Correct Answer by Kevin Redmon (Cisco Employee), Wed, 06/30/2010 - 13:42

Frank,


That is a great tip!  You are exactly right.  One other item that makes this easier is the command:


show run access-list | inc cap


This will show all access-lists that are configured that include the word 'cap' - if you have a lot of access-lists on your ASA, this one will also save some time and frustrations.  The 'show run | inc ' command can be useful for static, nat, route, interface, etc.


Please mark this thread as "answered" so others can know to reference it in the future!


Thanks again for the great tip!


Kevin
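As an added illustration of both Frank's template approach and Kevin's 'show run access-list | inc cap' filter (example code written for this page, not from either poster or from Cisco), the script below parses 'show run access-list' output in the line-numbered form Frank pasted, picks out every ACL whose name starts with cap-, pulls the capture and copy syntax out of the line 1 and line 2 remarks, derives the matching 'no capture N' teardown command that Frank reminds you not to forget, and sanity-checks each template before you paste it. The SAMPLE_SHOW_RUN and BROKEN_SAMPLE texts are constructed for the example (modelled on the ACLs above, not captured from a real device), and the cap- prefix, the capture:N reference in the copy remark, and the CaptureTemplate/check_template names are assumptions of this example.

```python
"""Extract and sanity-check 'cap-*' capture-template ACLs from ASA show run output."""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the ACLs in the post above (not real device output).
SAMPLE_SHOW_RUN = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq https
access-list cap-research line 1 remark capture 1 access-list cap-research int research real det
access-list cap-research line 2 remark copy /pcap capture:1 tftp
access-list cap-research line 3 extended deny ip host 10.99.4.1 host 10.99.4.2
access-list cap-research line 4 extended deny ip host 10.99.4.2 host 10.99.4.1
access-list cap-research line 5 remark Ignore firewall-to-firewall keepalives
access-list cap-research line 6 extended permit ip any host 10.99.4.5
access-list cap-research line 7 remark ingress packets on interface Research
access-list cap-research line 8 extended permit ip host 10.99.4.5 any
access-list cap-research line 9 remark egress packets on interface Research
access-list cap-eng line 1 remark capture 2 access-list cap-eng int eng real det
access-list cap-eng line 2 remark copy /pcap capture:2 tftp
access-list cap-eng line 3 extended deny ip host 10.91.0.1 host 10.91.0.2
access-list cap-eng line 4 extended deny ip host 10.91.0.2 host 10.91.0.1
access-list cap-eng line 5 remark Ignore firewall-to-firewall keepalives
access-list cap-eng line 6 extended permit tcp any host 10.91.0.33
access-list cap-eng line 7 remark ingress packets on interface ENG
access-list cap-eng line 8 extended permit tcp host 10.91.0.33 any
access-list cap-eng line 9 remark egress packets on interface ENG
"""

# Constructed template with two mistakes: copy remark points at the wrong capture,
# and the keepalive deny comes after a permit (so it can no longer exclude anything).
BROKEN_SAMPLE = """\
access-list cap-lab line 1 remark capture 4 access-list cap-lab int lab real det
access-list cap-lab line 2 remark copy /pcap capture:9 tftp
access-list cap-lab line 3 extended permit ip any host 10.0.0.5
access-list cap-lab line 4 extended deny ip host 10.0.0.1 host 10.0.0.2
"""

ACL_RE = re.compile(r"^access-list (\S+) line (\d+) (remark|extended) (.*)$", re.IGNORECASE)


def include(text, needle):
    """Emulate 'show run access-list | inc <needle>': keep only lines containing needle."""
    return [ln for ln in text.splitlines() if needle in ln]


@dataclass
class CaptureTemplate:
    acl: str
    capture_cmd: str = ""          # text of the 'capture ...' remark (line 1)
    copy_cmd: str = ""             # text of the 'copy /pcap ...' remark (line 2)
    aces: list = field(default_factory=list)  # (line number, action, full ACE text)

    @property
    def capture_name(self):
        m = re.match(r"capture (\S+) ", self.capture_cmd)
        return m.group(1) if m else None

    @property
    def teardown_cmd(self):
        """The 'no capture N' Frank reminds you to run when done."""
        return f"no capture {self.capture_name}" if self.capture_name else None


def parse_templates(text, prefix="cap-"):
    """Group the cap-* ACL lines into CaptureTemplate objects keyed by ACL name."""
    templates = {}
    for ln in text.splitlines():
        m = ACL_RE.match(ln)
        if not m or not m.group(1).startswith(prefix):
            continue
        acl, lineno, kind, rest = m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4)
        t = templates.setdefault(acl, CaptureTemplate(acl))
        if kind == "remark" and rest.startswith("capture "):
            t.capture_cmd = rest
        elif kind == "remark" and rest.startswith("copy "):
            t.copy_cmd = rest
        elif kind == "extended":
            t.aces.append((lineno, rest.split()[0].lower(), rest))
    return templates


def check_template(t):
    """Return a list of problems found in one template; empty list means it looks sane."""
    problems = []
    if not t.capture_cmd:
        problems.append("no 'capture ...' remark on line 1")
    if not t.copy_cmd:
        problems.append("no 'copy /pcap capture:N tftp' remark on line 2")
    if t.capture_cmd and t.copy_cmd:
        m = re.search(r"capture:(\S+)", t.copy_cmd)
        if not m or m.group(1) != t.capture_name:
            problems.append("copy remark refers to a different capture than the capture remark")
        words = t.capture_cmd.split()
        if len(words) < 4 or words[3] != t.acl:
            problems.append("capture remark references a different ACL than the one it lives in")
    denies = [n for n, a, _ in t.aces if a == "deny"]
    permits = [n for n, a, _ in t.aces if a == "permit"]
    if not permits:
        problems.append("no permit ACE: the capture would match nothing")
    if denies and permits and max(denies) > min(permits):
        problems.append("a deny ACE follows a permit ACE; ACLs are first-match, so it cannot exclude traffic the permit already matched")
    return problems


if __name__ == "__main__":
    for name, tpl in parse_templates(SAMPLE_SHOW_RUN).items():
        print(f"{name}: {tpl.capture_cmd} / {tpl.copy_cmd} / {tpl.teardown_cmd}")
        print("  problems:", check_template(tpl) or "none")
```

Run it as-is to see the paste-ready capture, copy and teardown commands for each template; point parse_templates at real 'show run access-list' output once you have confirmed the line format matches what your ASA version prints.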
