06-19-2014 01:32 AM - edited 03-11-2019 09:20 PM
Hello,
I have a webserver on the DMZ and I want to capture all source traffic going to its public IP. I have used the ASDM packet capture before, but can't seem to get this traffic to show up.
My webserver is on (example) 80.170.156.86 (Outside) and translates to 172.32.1.3 (DMZ1)
I did this, but the output is empty.
! outside
! Apply ingress capture on the outside interface.
capture asdm_cap_ingress match udp 0.0.0.0 0.0.0.0 80.170.156.86 255.255.255.255
capture asdm_cap_ingress packet-length 1522 buffer 524288
capture asdm_cap_ingress interface outside
! DMZ1
! Apply egress capture on the DMZ1 interface.
capture asdm_cap_egress match udp 172.32.1.3 255.255.255.255 0.0.0.0 0.0.0.0
capture asdm_cap_egress packet-length 1522 buffer 524288
capture asdm_cap_egress interface DMZ
Any ideas?
06-19-2014 02:19 AM
Hi,
Can you try like this?
access-list dmz_to_out permit udp host 172.32.1.3 any
capture dmztoout interface dmz1 access-list dmz_to_out buffer 524288 packet-length 1522
You can do the vice versa for the inbound traffic towards the server:
access-list out_to_dmz permit udp any host <80.x.x.x>
capture dmztoout interface outside access-list out_to_dmz buffer 524288 packet-length 1522
Regards
Karthik
06-19-2014 02:49 AM
I am particularly interested in what is coming in from the outside interface to this server; is this ingress to the outside interface?
What public IPs are connecting to this server?
Thanks
06-19-2014 03:00 AM
Hi White.
Yeah... For the traffic initiated from outside.... You can try the below one and see.... If this doesn't give the desired result.... we can try with other options....
access-list out_to_dmz permit udp any host <80.x.x.x>
capture dmztoout interface outside access-list out_to_dmz buffer 524288 packet-length 1522
But for this, some traffic needs to be going through to that server.
HTH
Regards
Karthik
06-19-2014 03:18 AM
Thanks, all working, plus I've imported it into Wireshark.
Other than a packet capture to "see what is happening", do you use "sh conn"?
06-19-2014 03:27 AM
Hi White,
Sh conn will give you the connection details along with flags and flow.
Sh local-host displays the network state of the local host....
HTH
Regards
Karthik
06-19-2014 03:35 AM
Thanks,
Do you add any filters to those commands as there is loads of data showing?
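One way to cut down the "loads of data" without leaving the CLI is to paste the text of `show capture <name>` into a small script that summarises which source IPs are hitting the server on which ports. This is an added example, not code from the thread or from Cisco; the line format is the tcpdump-style output of `show capture` as I know it, the sample lines are constructed, and classifying a line as UDP by its `udp <len>` text is an assumption.

```python
import re
from collections import Counter, defaultdict

# Regex for one packet line of ASA "show capture <name>" output (tcpdump-like), e.g.
#   "   1: 09:15:01.120034 203.0.113.7.51234 > 80.170.156.86.80: S 17:17(0) win 8192"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

# Constructed sample of "show capture" text (not real traffic from the thread).
SAMPLE = """5 packets captured

   1: 09:15:01.120034 203.0.113.7.51234 > 80.170.156.86.80: S 1712456789:1712456789(0) win 8192 <mss 1460>
   2: 09:15:01.120410 80.170.156.86.80 > 203.0.113.7.51234: S 9876:9876(0) ack 1712456790 win 29200 <mss 1380>
   3: 09:15:02.330002 198.51.100.23.40001 > 80.170.156.86.443: S 11:11(0) win 65535
   4: 09:15:02.500000 203.0.113.7.51235 > 80.170.156.86.80: S 22:22(0) win 8192
   5: 09:15:03.000100 198.51.100.23.53000 > 80.170.156.86.53: udp 45
5 packets shown
"""

def parse_capture(text):
    """Return one dict per packet line; summary lines ("5 packets captured") are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        packets.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            # Assumption: the ASA prints "udp <len>" for UDP, while TCP lines start with flags.
            "proto": "udp" if rest.startswith("udp") else "tcp",
            # A TCP SYN with no "ack" is a new inbound connection attempt, not a reply.
            "syn": rest.startswith("S ") and "ack" not in rest,
        })
    return packets

def sources_by_port(packets, server_ips):
    """Count source IPs per destination port for packets sent to the server.
    Pass both the public address (seen on the outside capture) and the DMZ address
    (seen on the DMZ capture): each capture shows the address valid on its interface."""
    table = defaultdict(Counter)
    for p in packets:
        if p["dst"] in server_ips:
            table[p["dport"]][p["src"]] += 1
    return {port: dict(c) for port, c in table.items()}
```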