New Member

Syslog for logging all packet flow from DMZ to Inside.

Hi,

I have been trying to figure out a way to log all packet flow originating from the DMZ segment to our Inside network. I came across multiple ways in which this could be achieved.

1) Through the ASDM packet capture wizard - Problem with this... I need the packet flow details covering 2 days. This can't be achieved through the wizard; moreover, it will increase the CPU utilization of the firewall.

2) Enabling Informational logging at the end of the ACE for DMZ to Inside - Problem... my syslog would not show any hits. I guess I need to enable Debugging mode, but won't this increase the CPU?

Apart from the above methods is there a way to achieve my requirement without causing CPU hike?

Regards

3 REPLIES
Cisco Employee

Syslog for logging all packet flow from DMZ to Inside.

Hi.

I wouldn't recommend using the ASA to do this if it is going to be for two days. I bet that the ASA won't have that much buffer for that period of time (unless you only capture the headers and not the payload). I think it would be better if you do it using SPAN on the switch port that connects to the ASA on the DMZ interface, connect a computer, run Wireshark and leave it like that for two days.

The capture on the ASA is mainly to analyze specific types of connections.

Mike Rojas

New Member

Syslog for logging all packet flow from DMZ to Inside.

Hi Maykol,

Our main requirement is to check what ports are used from the DMZ to the Inside network. Once we gather that information we can restrict access using ACEs. I guess the header information will suffice, as it would provide me the port information.

Can you suggest how I can capture packets containing header information?

Regards

Cisco Employee (Accepted Solution)

Syslog for logging all packet flow from DMZ to Inside.

Hi,

It would be the same as the others, but you put the "headers-only" keyword at the end. The limitation again would be the buffer of the ASA for packet capturing.

Feel free to browse the following document, let me know if it works for you

https://supportforums.cisco.com/docs/DOC-17814

PS, I would still go for SPAN on the switch

Mike
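The thread stops at "capture the headers only"; the step a practitioner actually needs next is turning that capture into the port list the ACEs will be built from. The following is an added example, not code from the thread or from Cisco: it parses a classic libpcap file (as saved from the ASA capture buffer or from the Wireshark SPAN session) and tabulates the (protocol, destination port) pairs seen from the DMZ subnet to the inside subnet, then renders them as ASA `access-list ... extended permit` lines. The subnets (192.168.10.0/24 for DMZ, 10.0.0.0/8 for inside), the ACL name `DMZ_IN`, and the embedded sample packets are all constructed assumptions; the parser only needs the Ethernet, IPv4 and TCP/UDP headers, so truncated header-only frames are handled (a frame cut before the L4 ports is skipped rather than misread).

```python
"""Summarise DMZ -> inside destination ports from a headers-only pcap.

Added example (not from the thread). Subnets, ACL name and the sample
packets below are assumptions constructed for the demonstration.
"""
import ipaddress
import struct
from collections import Counter

DMZ_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed DMZ subnet
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed inside subnet
PROTO_NAMES = {6: "tcp", 17: "udp"}


def build_frame(src, dst, proto, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame with no payload."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"           # dst MAC, src MAC, EtherType IPv4
    l4_len = 20 if proto == 6 else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    if proto == 6:   # TCP SYN, checksum left at 0 (header-only analysis ignores it)
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:            # UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap container (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def iter_pcap(data):
    """Yield the captured bytes of each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is supported")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_flow(frame):
    """Return (src, dst, proto, dport), or None for non-IPv4/TCP/UDP or truncated frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 4:
        return None  # headers-only capture cut the frame before the L4 ports
    proto = frame[23]
    if proto not in PROTO_NAMES:
        return None
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    _sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, proto, dport


def dmz_to_inside_ports(pcap_bytes):
    """Count (proto name, dport) pairs for frames going from DMZ_NET to INSIDE_NET."""
    counts = Counter()
    for frame in iter_pcap(pcap_bytes):
        flow = parse_flow(frame)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if src in DMZ_NET and dst in INSIDE_NET:
            counts[(PROTO_NAMES[proto], dport)] += 1
    return counts


def suggest_aces(counts, acl="DMZ_IN",
                 dmz="192.168.10.0 255.255.255.0", inside="10.0.0.0 255.0.0.0"):
    """Render one ASA permit ACE per observed (proto, dport); ACL name is assumed."""
    return [f"access-list {acl} extended permit {proto} {dmz} {inside} eq {dport}"
            for (proto, dport), _n in sorted(counts.items())]


# Constructed sample capture: two HTTPS flows, one MSSQL flow, one DNS query,
# a return packet, a DMZ-to-internet packet, and a frame truncated before L4.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.10.5", "10.1.1.20", 6, 44123, 443),
    build_frame("192.168.10.5", "10.1.1.20", 6, 44124, 443),
    build_frame("192.168.10.7", "10.1.1.30", 6, 50012, 1433),
    build_frame("192.168.10.7", "10.1.1.50", 17, 52000, 53),
    build_frame("10.1.1.20", "192.168.10.5", 6, 443, 44123),   # inside -> DMZ, ignored
    build_frame("192.168.10.9", "8.8.8.8", 17, 53000, 53),      # DMZ -> internet, ignored
    build_frame("192.168.10.9", "10.1.1.60", 6, 40000, 22)[:30],  # truncated, skipped
])

if __name__ == "__main__":
    for line in suggest_aces(dmz_to_inside_ports(SAMPLE_PCAP)):
        print(line)
```

Run it against a real file with `dmz_to_inside_ports(open("dmz2in.pcap", "rb").read())`; the generated ACEs are a starting point to review, and the list would normally be closed with an explicit deny whose hits are logged, which is the syslog visibility the original post was after.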