Archive for the ‘Cisco ASA’ Category

CISCO ASA: VIEWING CAPTURE RESULTS IN A BROWSER

August 6th, 2010 peter

The capture feature of a Cisco ASA is very useful when you want to see exactly what is happening with a particular connection. Today a customer wanted to see the results quickly in a browser or in Wireshark. This can be done by simply typing the following URLs in a browser. The ASA serves them over the same HTTPS server that ASDM uses, so `http server enable` must be configured, the source address of the browser must be permitted by an `http` statement, and you log in with administrator credentials; restrict that `http` statement to the management subnet, because anyone who can reach it can pull your captures.

To view the capture results quickly in a browser:

https://10.1.1.1/admin/capture/<capture_name>

To download the capture in pcap format to a PC (open it with Wireshark):

https://10.1.1.1/admin/capture/<capture_name>/pcap

source: cisco.com

Categories: Cisco ASA, Firewalls

Cisco Botnet summary

February 5th, 2010 peter

Since ASA software release 8.2, the Cisco ASA can protect you against botnets with the Botnet Traffic Filter. Here is some relevant information when you want to use the Botnet Traffic Filter on a Cisco ASA firewall running 8.2.

1. A license is needed: ASA55xx-BOT-1YR=
2. DNS snooping needs to be configured on the ASA, so that it learns which IP addresses the blacklisted domain names from the dynamic database resolve to
3. The following syslog IDs are used with syslog:

338001
338002
338003
338004

4. Reverse access rules need to be configured.

A tutorial can be found here.
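Added here as an example of the configuration the list above refers to; it is not from the original post but follows the 8.2 configuration guide as I remember it. The interface name `outside` and the class-map and policy-map names are assumptions:

```cisco
! Fetch the dynamic database from Cisco (the ASA needs a DNS server for this)
dynamic-filter updater-client enable
dynamic-filter use-database
!
! DNS snooping: inspect DNS replies so the ASA can map resolved IP addresses to
! blacklisted domain names. Apply it where the DNS replies are actually seen.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside
!
! Classify traffic on the outside interface. This alone only logs matches
! (the 3380xx syslog IDs from the list above); nothing is dropped yet.
dynamic-filter enable interface outside
! Also drop traffic to and from blacklisted addresses instead of only logging it
dynamic-filter drop blacklist interface outside
!
! Verify that the database is loaded and that snooping is populating the cache
show dynamic-filter statistics
show dynamic-filter dns-snoop
```

Note that an interface can carry only one service policy: if `outside` already has one (or you rely on the global policy), add the `inspect dns ... dynamic-filter-snoop` line to that existing policy instead of creating a second one.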

Categories: Cisco ASA, Firewalls

VPN template Cisco ASA

November 26th, 2009 peter

Since I have configured a lot of site-to-site VPNs these days, I created a VPN configuration snippet which I use as a template. So if you need to configure a site-to-site VPN on a Cisco ASA, you can use this template and customize the fields. Note that the `vpn_filter` ACL below with `permit ip any any` does not restrict anything; it is there as a placeholder to tighten later.

! Interesting traffic for the tunnel: local 192.168.1.0/24 <-> remote 10.1.10.0/24
access-list outside_8_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
! Filter applied to the decrypted tunnel traffic; "permit ip any any" applies no restriction
access-list vpn_filter extended permit ip any any
!
! NAT exemption, so the tunnel traffic is not translated
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Phase 1 (IKEv1) policy, and enable ISAKMP on the outside interface
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2 transform set; the crypto map entry below refers to it by name
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
group-policy <policy_name> internal
group-policy <policy_name> attributes
 vpn-idle-timeout none
 vpn-filter value vpn_filter
 vpn-tunnel-protocol IPSec
!
! The tunnel-group name is the peer address for an L2L tunnel with pre-shared keys
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy <policy_name>
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key <pre-shared-key>
!
crypto map outside_map 8 match address outside_8_cryptomap
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 1.1.1.1
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 3600
crypto map outside_map 8 set nat-t-disable
! Bind the crypto map to the interface (once per interface, not once per entry)
crypto map outside_map interface outside
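
As an added example, not part of the original template: what a vpn-filter that actually restricts the tunnel looks like, a stronger phase 1 policy in front of the 3DES one, and the commands to verify the tunnel. The addresses are the template's; the ACL name and the ports allowed are assumptions:

```cisco
! A vpn-filter ACL is written from the REMOTE side's perspective: source is the remote
! network, destination is the local network, and the port goes on the side where the
! server is. The ASA also evaluates it on traffic entering the tunnel, so this one
! line covers both the request and the reply. Here only HTTPS from the remote LAN to
! local servers, plus ICMP for troubleshooting, is allowed through the tunnel.
access-list vpn_filter_remote extended permit tcp 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list vpn_filter_remote extended permit icmp 10.1.10.0 255.255.255.0 192.168.1.0 255.255.255.0
group-policy <policy_name> attributes
 vpn-filter value vpn_filter_remote
!
! Phase 1: prefer AES-256 with DH group 5; the template's 3DES/group 2 policy stays
! as policy 10 (lower number = higher priority) for peers that cannot do better.
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! After the first interesting packet has brought the tunnel up, check phase 1,
! phase 2 (encaps/decaps counters must increase on both sides) and the session
show crypto isakmp sa
show crypto ipsec sa peer 1.1.1.1
show vpn-sessiondb l2l
```

Keep in mind that a vpn-filter ACL must not be reused as an interface `access-group`, and that with the default `sysopt connection permit-vpn` the vpn-filter is the only ACL the decrypted traffic is checked against.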

Categories: Cisco ASA, IOS

Using the Packet Capture command on a Cisco ASA

September 20th, 2008 admin

Recently I wanted to sniff a packet stream that passed inline through an ASA firewall. Normally I would think of an external sniffer such as Ethereal (now Wireshark), put it on a mirror of the switch port the firewall connects to, and sniff the packets there. But I found that I can do the same with the capture command on the ASA itself. Let's take a quick look at what the capture command is and how it works.

In short, these are the steps I walked through:

1) Create an ACL that will match interesting traffic
2) Define the capture and bind it to an access-list and interface
3) View the capture on the firewall, or copy it off in .pcap format

Here is my situation:

The ACL that matches the traffic is written per interface, because the addresses the ASA sees differ on each side of a translation. When you use the capture command in a troubleshooting scenario, the best thing you can do is build a capture for the inside and one for the outside interface, relative to the packet stream. In my situation I want to sniff a web session from a workstation with IP address 10.1.1.10 to the web server 62.69.184.129. The traffic is PATed to 192.168.10.2 (a fictional address), so the outside ACL has to use the translated address.

! inside capture ACL (pre-NAT addresses)
access-list 100 extended permit tcp host 10.1.1.10 host 62.69.184.129 eq 80
access-list 100 extended permit tcp host 62.69.184.129 eq 80 host 10.1.1.10

! outside capture ACL (post-NAT addresses)
access-list 101 extended permit tcp host 62.69.184.129 eq 80 host 192.168.10.2
access-list 101 extended permit tcp host 192.168.10.2 host 62.69.184.129 eq 80

Now I create the captures for both interfaces, each bound to its own ACL (ACL 100 on the inside, ACL 101 on the outside). The packet-length of 1518 keeps whole frames; without it the default snaplen truncates every packet:

capture in access-list 100 interface inside packet-length 1518
capture out access-list 101 interface outside packet-length 1518

Let the client run the session. Then you can copy the results to a TFTP server:

copy /pcap capture:out tftp://10.1.1.10/out.pcap
copy /pcap capture:in tftp://10.1.1.10/in.pcap

Finally, you can read the captures with Wireshark. Remove the captures afterwards with `no capture in` and `no capture out`: each one holds its buffer in ASA memory, and a forgotten capture keeps matching traffic until it is deleted.
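
To tie the steps above together, and the browser download from the "viewing capture results in a browser" post further up this page, here is the complete workflow as an added example; it is not from the original post. The addresses are the post's, the capture names `in`, `out` and `drops`, the ACL name `cap_in` and the buffer size are assumptions:

```cisco
! 1) Inside capture, ACL-based as in the post. A larger circular buffer keeps it from
!    stopping when the default 512 KB fills up; packet-length 1518 keeps whole frames
!    (older releases truncate each packet to 68 bytes by default).
access-list cap_in extended permit tcp host 10.1.1.10 host 62.69.184.129 eq 80
access-list cap_in extended permit tcp host 62.69.184.129 eq 80 host 10.1.1.10
capture in access-list cap_in interface inside packet-length 1518 buffer 1048576 circular-buffer
!
! 2) Outside capture with the post-NAT address. The "match" form matches both directions
!    of the flow, so one line replaces the two ACL entries and leaves no stray ACL behind.
capture out interface outside packet-length 1518 match tcp host 192.168.10.2 host 62.69.184.129 eq 80
!
! 3) A third capture of everything the accelerated security path drops, with the drop
!    reason (ACL deny, no translation, TCP state violation, ...). This is the one to
!    look at when the session shows up on the inside but never on the outside.
capture drops type asp-drop all
!
! Reproduce the problem from the client, then look on the box...
show capture
show capture in
show capture drops
!
! ...or pull the pcap files: TFTP from the CLI, or HTTPS from a browser with admin
! rights, e.g. https://10.1.1.1/admin/capture/in/pcap
copy /pcap capture:in tftp://10.1.1.10/in.pcap
copy /pcap capture:out tftp://10.1.1.10/out.pcap
!
! 4) Clean up. "clear capture" only empties the buffer; "no capture" frees the buffer and
!    removes the capture. The ACL used by "in" has to be removed separately.
clear capture in
no capture in
no capture out
no capture drops
clear configure access-list cap_in
```

When both interface captures are present but the outside one stays empty, compare `show capture in` against `show capture drops` before looking anywhere else: the drop reason usually names the ACL, NAT rule or inspection that ate the packet.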

Categories: Cisco ASA