Packet capture on outside help

Andy White
Level 3

Hello,

 

I have a webserver on the DMZ and I want to capture all source traffic going to its public IP. I have used the ASDM packet capture before, but can't seem to get this traffic to show up.

 

My webserver is on (example) 80.170.156.86 (Outside) and translates to 172.32.1.3 (DMZ1)

I did this, but the output is empty.

! outside

! Apply ingress  capture on the outside interface.
capture asdm_cap_ingress match udp  0.0.0.0 0.0.0.0 80.170.156.86 255.255.255.255
capture asdm_cap_ingress packet-length 1522 buffer 524288
capture asdm_cap_ingress interface outside


! DMZ1

! Apply egress  capture on the DMZ1 interface.
capture asdm_cap_egress match udp  172.32.1.3 255.255.255.255 0.0.0.0 0.0.0.0
capture asdm_cap_egress packet-length 1522 buffer 524288
capture asdm_cap_egress interface DMZ

 

Any ideas?


nkarthikeyan
Level 7

Hi,

 

Can you try like this??

access-list dmz_to_out permit udp host 172.32.1.3 any

capture dmztoout interface dmz1 access-list dmz_to_out buffer 524288 packet-length 1522

 

You can do vice versa for the inbound towards the server:

access-list out_to_dmz permit udp any host <80.x.x.x>

capture dmztoout interface outside access-list out_to_dmz buffer 524288 packet-length 1522

 

Regards

Karthik

I am particularly interested in what is coming in from the outside interface to this server. Is this ingress to the outside interface?

What public IPs are connecting to this server?

 

Thanks

Hi White.

Yeah... For the traffic initiated from outside.... You can try the below one and see.... If this doesn't give the desired result.... we can try with other options....

access-list out_to_dmz permit udp any host <80.x.x.x>

capture dmztoout interface outside access-list out_to_dmz buffer 524288 packet-length 1522

 

But for this some traffic needs to be going through for that server.

 

 

HTH

 

Regards

Karthik

Thanks, all working, plus I've imported into Wireshark.

Other than a packet capture to "see what is happening", do you use "sh conn"?
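
Added example, not part of the original thread: once the capture has been exported for Wireshark, the earlier question of which public IPs are connecting to the server can also be answered by tallying source addresses straight from the file. This sketch assumes a classic libpcap file with untagged Ethernet framing; `top_sources` and `sample_pcap` are names made up here, and the sample packets are constructed from documentation address ranges.

```python
import socket
import struct
from collections import Counter

def top_sources(pcap: bytes, server_ip: str) -> Counter:
    """Count source IPv4 addresses of packets addressed to server_ip."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (1)")
    target = socket.inet_aton(server_ip)
    counts, off = Counter(), 24        # records start after the 24-byte header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Untagged Ethernet II carrying IPv4: src at bytes 26-29, dst at 30-33
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[30:34] == target:
            counts[socket.inet_ntoa(frame[26:30])] += 1
    return counts

def sample_pcap() -> bytes:
    """Constructed sample: three UDP packets to the server and one reply."""
    def frame(src: str, dst: str) -> bytes:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        udp = struct.pack("!HHHH", 40000, 53, 8, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + udp
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1522, 1)
    server = "80.170.156.86"           # example public IP from the thread
    for src, dst in [("203.0.113.10", server), ("198.51.100.7", server),
                     ("203.0.113.10", server), (server, "203.0.113.10")]:
        f = frame(src, dst)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for ip, n in top_sources(sample_pcap(), "80.170.156.86").most_common():
        print(f"{ip:15} {n}")
```

Frames with VLAN tags or a non-Ethernet link type are not decoded by this sketch; the link-type check rejects the latter rather than miscounting.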

Hi White,

 

Sh conn will give you the connection details along with flags and flow.

Sh local-host to display the network states of the local host....

 

HTH

Regards

Karthik

Thanks,

Do you add any filters to those commands as there is loads of data showing?
