06-16-2009 03:31 PM - edited 03-11-2019 08:44 AM
Hello,
I've been able to find information on setting up a CAPTURE for incoming traffic. However, I am having a hard time setting up a CAPTURE for traffic heading out of my network to the Internet.
Can someone please assist in how I can set this up?
Thank you in advance.
06-17-2009 07:48 AM
Hi Nicholas,
You can do this if you configure the capture on your inside interface. The commands would look something like this:
! Create an ACL to limit the capture to SMTP traffic from your internal host
access-list capin-acl permit tcp host 172.16.x.x any eq 25
access-list capin-acl permit tcp any eq 25 host 172.16.x.x
!
! Configure the capture
!
capture capin access-list capin-acl interface inside packet-length 1518 buffer
This assumes the interface that your host sits on is named "inside". If not, just change "inside" to your interface name. The buffer is optional, but will let you capture more data than the default buffer will hold.
You can then look at the capture with the 'show capture capin' command or download it by browsing to https://
Finally, here is the command reference for the 'capture' command:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895
Hope that helps.
-Mike
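Added example, not part of the original posts: once the inside-interface capture above has collected traffic, the text from 'show capture capin' can be summarized to list which internal hosts opened connections to port 25 and to which servers. The sample lines are constructed, and the tcpdump-like line layout, the 172.16.0.0/16 inside network and the function name smtp_initiators are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the inside network; the thread only shows 172.16.x.x.
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")

# Constructed sample, laid out like tcpdump-style capture text (assumed format).
SAMPLE = """\
   1: 09:14:02.110233 172.16.4.21.51012 > 203.0.113.25.25: S 1001:1001(0) win 8192 <mss 1460>
   2: 09:14:02.151877 203.0.113.25.25 > 172.16.4.21.51012: S 2002:2002(0) ack 1002 win 5840
   3: 09:14:02.152001 172.16.4.21.51012 > 203.0.113.25.25: . ack 2003 win 8192
   4: 09:14:05.300419 172.16.4.21.51013 > 198.51.100.7.25: S 3003:3003(0) win 8192 <mss 1460>
   5: 09:14:09.871200 172.16.9.5.40222 > 203.0.113.25.25: S 4004:4004(0) win 8192 <mss 1460>
   6: 09:14:10.000113 172.16.9.5.40223 > 192.0.2.80.80: S 5005:5005(0) win 8192
6 packets shown
"""

# "N: time src.sport > dst.dport: flags ..." (the port is the last dotted field)
LINE = re.compile(
    r"^\s*\d+:\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)

def smtp_initiators(text, port=25):
    """Map each inside host to the outside servers it sent a SYN to on `port`."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip summary lines such as "6 packets shown"
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        fields = m["rest"].split()
        # A connection attempt is a SYN without ACK; SYN-ACK replies are ignored.
        is_syn = bool(fields) and "S" in fields[0] and "ack" not in fields
        if (is_syn and int(m["dport"]) == port
                and src in INSIDE_NET and dst not in INSIDE_NET):
            found[str(src)].add(str(dst))
    return {host: sorted(servers) for host, servers in found.items()}

if __name__ == "__main__":
    for host, servers in smtp_initiators(SAMPLE).items():
        print(host, "->", ", ".join(servers))
```

Counting only SYN packets without ACK keeps reply traffic matched by the second ACL line from being mistaken for a new outbound connection.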
06-16-2009 06:33 PM
Hi there Nicholas,
The capture command captures ALL traffic coming in or going out of the interface.
e.g.
capture blah interface outside
will create a capture file called blah that captures all traffic coming in or leaving the 'outside' interface.
Brad
06-17-2009 04:20 AM
Thanks for the reply, Brad. Just one follow-up question.
I am trying to identify if a system on my LAN is communicating with port 25 on any server outside of my network. In the capture, I see the address I use for PAT as the source. I need to be able to see their internal address 172.16.x.x. Is this something that can be done with CAPTURE? If so, can you please provide some guidance?
Thanks again.
06-17-2009 08:56 AM
Thanks very much! That did the trick.