Troubleshooting en packet captures op een Cisco ASA

Een handige feature op Cisco ASA’s is de mogelijkheid om op de firewall .pcap packet captures te maken en deze dan later in te lezen met Wireshark.

Om verkeer van een bepaald interface te capturen voer je de volgende regel uit:

aazoo-testasa(config)# capture maandag-capture interface outside

Wil je specifiek verkeer capturen doe je het volgende:

aazoo-testasa(config)# access-list test-packetcapture permit ip 10.15.1.0 255.255.255.0 host 10.19.1.1
aazoo-testasa(config)# capture dinsdag-capture access-list test-packetcapture

De capture kun je vervolgens op twee manieren ophalen, via de console:

aazoo-testasa# show capture maandag-capture

514 packets captured

1: 08:58:01.354672 arp who-has 10.19.1.1 tell 10.32.15.11
2: 08:58:01.356518 arp who-has 10.19.1.1 tell 10.32.15.11
3: 08:58:01.554628 arp who-has 10.19.1.1 tell 10.32.15.12
4: 08:58:01.556474 arp who-has 10.19.1.1 tell 10.32.15.11
5: 08:58:01.754584 arp who-has 10.19.1.1 tell 10.32.15.12
6: 08:58:01.756445 arp who-has 10.19.1.1 tell 10.32.15.11
7: 08:58:01.954555 arp who-has 10.19.1.1 tell 10.32.15.12
8: 08:58:01.956401 arp who-has 10.19.1.1 tell 10.32.15.11
9: 08:58:02.154563 arp who-has 10.19.1.1 tell 10.32.15.12
10: 08:58:02.156425 arp who-has 10.19.1.1 tell 10.32.15.11
11: 08:58:02.354519 arp who-has 10.19.1.1 tell 10.32.15.12
12: 08:58:02.356381 arp who-has 10.19.1.1 tell 10.32.15.11

Of via de webinterface, je krijgt dan een .pcap file die je kunt importeren in het zwitserse zakmes Wireshark. Ga hiervoor naar de URL https:///capture/

https://aazoo-testasa.aazoo.nl/capture/dinsdag-capture/pcap

Een andere handige troubleshooting tool voor Cisco ASA’s is de packet-tracer.
Deze roep je aan op de console van een ASA met het commando: packet-tracer input

Voorbeeld:
aazoo-testasa# packet-tracer input inside tcp 10.19.1.1 32322 217.115.199.40 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.19.1.0 255.255.255.0 inside

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list vpn-access-list
nat-control
match ip inside 10.19.1.1 255.255.255.0 bastion host 1.1.1.1
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
no translation group, implicit deny
policy_hits = 1
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Wilt u meer informatie? Neem dan contact met ons op!