Troubleshooting the ASA tip:
If you're like me, you perform MANY different tasks throughout the day.
Many times, I am duplicating the same work at different times throughout the day.
It takes a lot of time to figure out and set up a capture session each time I need to determine what is going through my firewall or getting blocked before it gets to my firewall. Finally I realized the same exact traffic flow capture filters were being configured, used and then deleted.
I now have created permanent ACLs to assist troubleshooting the most common tasks.
I perform a sh run, scroll down to the "cap" acl section, highlight syntax, copy and paste, done.


Line 1 of each acl has the syntax to capture my most common data flows.
Line 2 of each acl has the copy syntax to place the captured raw data onto the Wireshark traffic analyzer/TFTP server.

Huge time saver!
----
---- Please note: Our firewall is underutilized (running at 2%).
---- Performing a capture on your firewall must be deemed safe by YOU . . . BEFORE trying this, else you could be looking for another job.
---- Remember to terminate your capture when done - no capture #.

access-list cap-research line 1 REMARK capture 1 access-list cap-research int research real det
access-list cap-research line 2 REMARK copy /pcap capture:1 tftp
!
access-list cap-research line 3 extended deny ip host 10.99.4.1 host 10.99.4.2
access-list cap-research line 4 extended deny ip host 10.99.4.2 host 10.99.4.1
access-list cap-research line 5 REMARK Ignore firewall-to-firewall keepalives
!
access-list cap-research line 6 extended permit ip any host 10.99.4.5
access-list cap-research line 7 REMARK ingress packets on interface Research
!
access-list cap-research line 8 extended permit ip host 10.99.4.5 any
access-list cap-research line 9 REMARK egress packets on interface Research

!################################# for clarity

access-list cap-eng line 1 REMARK capture 2 access-list cap-eng int eng real det
access-list cap-eng line 2 REMARK copy /pcap capture:2 tftp
!
access-list cap-eng line 3 extended deny ip host 10.91.0.1 host 10.91.0.2
access-list cap-eng line 4 extended deny ip host 10.91.0.2 host 10.91.0.1
access-list cap-eng line 5 REMARK Ignore firewall-to-firewall keepalives
!
access-list cap-eng line 6 extended permit TCP any host 10.91.0.33
access-list cap-eng line 7 REMARK ingress packets on interface ENG
!
access-list cap-eng line 8 extended permit TCP host 10.91.0.33 any
access-list cap-eng line 9 REMARK egress packets on interface ENG

!################################# for clarity

access-list cap-inventory line 1 REMARK capture 3 access-list cap-inventory int inventory real det
access-list cap-inventory line 2 REMARK copy /pcap capture:3 tftp
!
access-list cap-inventory line 3 extended deny ip host 10.3.16.1 host 10.3.16.2
access-list cap-inventory line 4 extended deny ip host 10.3.16.2 host 10.3.16.1
access-list cap-inventory line 5 REMARK Ignore firewall-to-firewall keepalives
!
access-list cap-inventory line 6 extended permit UDP any host 10.3.16.15
access-list cap-inventory line 7 REMARK ingress packets on interface inventory
!
access-list cap-inventory line 8 extended permit UDP host 10.3.16.15 any
access-list cap-inventory line 9 REMARK egress packets on interface inventory

Hope this helps

Frank

Accepted Solution
Cisco Employee

Re: Troubleshooting the ASA tip:

Frank,

That is a great tip!  You are exactly right.  One other item that makes this easier is the command:

show run access-list | inc cap

This will show all access-lists that are configured that include the word 'cap' - if you have a lot of access-lists on your ASA, this one will also save some time and frustration. The 'show run | inc' command can be useful for static, nat, route, interface, etc.

Please mark this thread as "answered" so others can know to reference it in the future!

Thanks again for the great tip!

Kevin
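The workflow in Frank's post and Kevin's filter above boil down to: pull the `cap-*` ACLs out of the running config, read the capture/copy syntax back out of the remark lines, and be sure the filter is narrow enough that the capture will not hurt the box. The following is an added example (not code from the post or from Cisco) that does that over the text of `show run access-list | inc cap`. The sample input is constructed to mirror the ACLs in the post in the `line N` form Frank pasted, with an extra `cap-all` ACL added to show what an unbounded filter looks like; the lowercase `remark` keyword and the `host`/`any`/`network mask` address forms follow standard ASA ACL syntax. The function names and the `cap-all` ACL are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of `show run access-list | inc cap` output, modelled on the
# ACLs in the post above; this is not output captured from a real ASA. The
# cap-all ACL is added here to show a filter that matches every packet.
SAMPLE_SHOW_RUN = """\
access-list cap-research line 1 remark capture 1 access-list cap-research int research real det
access-list cap-research line 2 remark copy /pcap capture:1 tftp
access-list cap-research line 3 extended deny ip host 10.99.4.1 host 10.99.4.2
access-list cap-research line 4 extended deny ip host 10.99.4.2 host 10.99.4.1
access-list cap-research line 5 remark Ignore firewall-to-firewall keepalives
access-list cap-research line 6 extended permit ip any host 10.99.4.5
access-list cap-research line 7 remark ingress packets on interface Research
access-list cap-research line 8 extended permit ip host 10.99.4.5 any
access-list cap-research line 9 remark egress packets on interface Research
access-list cap-eng line 1 remark capture 2 access-list cap-eng int eng real det
access-list cap-eng line 2 remark copy /pcap capture:2 tftp
access-list cap-eng line 3 extended permit tcp any host 10.91.0.33 eq 443
access-list cap-all line 1 remark capture 3 access-list cap-all int inside real det
access-list cap-all line 2 extended permit ip any any
"""

# `line N` is optional so plain `show run access-list` output parses too.
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+(\d+)\s+)?(.*)$")
ANY_KEYWORDS = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # tokens consumed


def _take_addr(tokens):
    """Consume one ASA address spec and return (text, remaining tokens)."""
    head = tokens[0]
    if head in ANY_KEYWORDS:
        return head, tokens[1:]
    # 'host A.B.C.D', 'object NAME', 'object-group NAME', or 'NETWORK MASK'
    return f"{head} {tokens[1]}", tokens[2:]


def _skip_port(tokens):
    """Drop an optional port operator (eq/gt/lt/neq/range) after an address."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[PORT_OPS[tokens[0]]:]
    return tokens


def _first_word(text):
    return text.split(None, 1)[0].lower() if text.strip() else ""


def parse_acls(text):
    """Group ACL lines by name into remark / ACE entries (insertion order kept)."""
    acls = defaultdict(list)
    for raw in text.splitlines():
        m = ACL_LINE.match(raw.strip())
        if not m:
            continue
        name, line, body = m.group(1), m.group(2), m.group(3)
        line = int(line) if line else None
        words = body.split()
        if not words:
            continue
        if words[0].lower() == "remark":
            acls[name].append({"line": line, "kind": "remark",
                               "text": " ".join(words[1:])})
        elif words[0].lower() == "extended":
            action, proto = words[1].lower(), words[2].lower()
            src, rest = _take_addr(words[3:])
            dst, rest = _take_addr(_skip_port(rest))
            acls[name].append({"line": line, "kind": "ace", "action": action,
                               "proto": proto, "src": src, "dst": dst})
    return dict(acls)


def capture_commands(acls):
    """Return {acl_name: [cmd, ...]} for remarks that store capture/copy syntax."""
    out = {}
    for name, entries in acls.items():
        cmds = [e["text"] for e in entries
                if e["kind"] == "remark"
                and _first_word(e["text"]) in ("capture", "copy")]
        if cmds:
            out[name] = cmds
    return out


def unbounded_captures(acls):
    """ACL names with a permit ACE matching any source AND any destination.

    Such a filter captures every packet on the interface, which is exactly the
    load risk the post warns about."""
    return [name for name, entries in acls.items()
            if any(e["kind"] == "ace" and e["action"] == "permit"
                   and e["src"] in ANY_KEYWORDS and e["dst"] in ANY_KEYWORDS
                   for e in entries)]


def teardown_commands(acls):
    """Derive the `no capture <name>` lines that stop each stored capture."""
    cmds = []
    for entries in capture_commands(acls).values():
        for cmd in entries:
            words = cmd.split()
            if words[0].lower() == "capture":
                cmds.append(f"no capture {words[1]}")
    return cmds


if __name__ == "__main__":
    acls = parse_acls(SAMPLE_SHOW_RUN)
    for name, cmds in capture_commands(acls).items():
        print(name, "->", "; ".join(cmds))
    print("captures matching every packet:", unbounded_captures(acls))
    print("cleanup:", teardown_commands(acls))
```

Paste the ASA's `show run access-list | inc cap` output in place of the constructed sample. `capture_commands` gives the lines to copy and paste, `teardown_commands` gives the matching `no capture` lines to run when done, and `unbounded_captures` is the check to run before starting a capture on a busy firewall.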