I have a customer who has a "permit ip any any" statement configured at the end of an ACL on his inside firewall. This same statement is not configured on the firewall that is on the outside perimeter of the network.
Each time I have tried to remove the "permit ip any any" statement, eventually the mail system will break.
I need to capture what traffic is being passed by this statement, but I am not sure how to do so, as the capture command can specify an ACL but not an individual line from an ACL.
Has anyone ever filtered somehow on just one line of a configured ACL and captured the traffic?
You can put the keyword "log" at the end of the line. Any traffic that matches it will be logged to the buffer/console/vty/syslog (if you have it configured). What I would do is make another ACL statement above that one that has the mail server IP and log that one only. Logging on an "ip any any" will generate a lot of log. As you stated, you could capture: just create a new ACL and point the capture to it (it does not have to be applied to an interface to work). Again, I would restrict that ACL to the mail server instead of all traffic.
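A worked ASA configuration for the approach in the answer above, added here as an example; it is not part of the original post. The ACL name INSIDE_IN, the interface name inside, the capture and capture-ACL names, the mail server address 10.1.1.25, and the two "explicit" ACL lines mirrored in the capture ACL are all assumptions; substitute the customer's values. It also goes one step beyond the answer: a capture ACL only selects packets that match its permit entries, so mirroring the ACL's explicit permit lines as deny entries in the capture ACL, followed by permit ip any any, captures only the traffic that would otherwise fall through to the catch-all line.

```cisco
! Step 1: log the mail server, not the catch-all line.
! Insert narrow permits with "log" at the top of INSIDE_IN so they are
! evaluated before "permit ip any any". Matches generate syslog 106100
! at the default level (6, informational) and interval (300 s).
access-list INSIDE_IN line 1 extended permit ip host 10.1.1.25 any log
access-list INSIDE_IN line 2 extended permit ip any host 10.1.1.25 log
! The existing catch-all stays at the end of INSIDE_IN:
! access-list INSIDE_IN extended permit ip any any

logging enable
logging buffered informational
! show logging | include 106100      <- hits on the two logged lines
! show access-list INSIDE_IN         <- hitcnt per ACL line

! Step 2: capture only what the catch-all would pass.
! This ACL is never bound to an interface with access-group. In a capture
! ACL, "permit" entries select packets and "deny" entries exclude them, so
! each explicit permit of INSIDE_IN is mirrored here as a deny.
! (Assumed explicit lines: SMTP to the mail server, DNS from it.)
access-list CAPTURE_CATCHALL extended deny tcp any host 10.1.1.25 eq smtp
access-list CAPTURE_CATCHALL extended deny udp host 10.1.1.25 any eq domain
access-list CAPTURE_CATCHALL extended permit ip any any

capture MAILCAP access-list CAPTURE_CATCHALL interface inside

! Step 3: inspect, then clean up so the buffer does not stay allocated.
! show capture MAILCAP
! show capture MAILCAP detail
! no capture MAILCAP
```

Run the capture across a mail-delivery cycle before removing the catch-all line; whatever appears in show capture MAILCAP is exactly the traffic that no explicit line in INSIDE_IN (as mirrored) accounts for, which is what the replacement rules need to cover.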
Yes, it does seem like this is working. What is interesting is that I see traffic in the capture that should in fact be matching line statements which are configured within the ACL I have applied to an interface to allow the traffic. But I am not getting any hits on the ACL. Any idea why this behavior may be occurring?
Also, can you tell me what the letters "P" and "F" mean in the following trace packets from the capture?