Posts Tagged With: Cisco ASA

Cisco ASA Packet Capture

The Cisco ASA includes a nice feature called “capture”. This feature does exactly what its name says: it captures traffic. From a managed service provider (MSP) perspective it becomes a valuable tool, as you can obtain a capture file without deploying a laptop or capture server to the customer premises. This provides data similar to “debug ip packet <acl-name>” on a Cisco router.

One caveat is that the traffic must traverse a layer 3 interface. If you want to troubleshoot LAN-to-LAN connections within the same broadcast domain, you’re out of luck.

I suppose that it is possible to create a new VLAN, assign it to an interface and then build a SPAN session on a switch with the destination pointing to this port. Alas, I haven’t had the opportunity to try it.

Enough digressing.

Assuming that you are running version 8.2 or older (I haven’t touched 8.3 yet), you can start a capture in the following manner.

1. You need to create an access-list. I prefer extended ACLs to limit what I will receive in the capture. Notice that I am using object groups.

lab-firewall(config)#access-list capture1 extended permit icmp any object-group remote_peer
lab-firewall(config)#access-list capture1 extended permit icmp object-group remote_peer any
lab-firewall(config)#access-list capture1 extended permit ip any object-group remote_peer
lab-firewall(config)#access-list capture1 extended permit ip object-group remote_peer any

2. Next we will use the “capture” command in the following manner: “capture <capture-name> interface <interface-name> access-list <acl-name>”.

lab-firewall(config)# capture CAPTURE1 interface inside access-list capture1

4. You can execute “show capture” to review generic statistics about the capture. This basically shows whether any bytes have been captured and repeats the parameters you entered above.

lab-firewall# show capture
capture CAPTURE1 type raw-data access-list capture1 interface inside [Capturing - 820 bytes]

5. Executing “show capture <capture-name>” will show you the source, destination and TCP window sizes of each captured packet.

lab-firewall# show capture CAPTURE1
18 packets captured
   1: 19:56:55.064785 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
   2: 19:56:58.449393 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R 942165924:942165924(0) ack 3378665272 win 0
   3: 19:56:58.449668 802.1Q vlan#101 P0 192.168.4.111.2756 > 192.168.1.33.80: R 905288765:905288765(0) ack 3370140021 win 0
   4: 19:57:00.062542 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
   5: 19:57:05.065609 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request

18 packets shown

6. Executing “show capture <capture-name> detail” will also display the MAC addresses, ethertype (0x8100 = dot1q) and TTL information.

lab-firewall# show capture CAPTURE1  detail
43 packets captured
   1: 19:56:55.064785 c47d.4f80.e900 0000.0c07.ac01 0x8100 78: 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request (ttl 128, id 27232)
   2: 19:56:58.449393 c47d.4f80.e900 0000.0c07.ac01 0x8100 58: 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R [tcp sum ok] 942165924:942165924(0) ack 3378665272 win 0 (DF) (ttl 128, id 40509)
   3: 19:56:58.449668 c47d.4f80.e900 0000.0c07.ac01 0x8100 58: 802.1Q vlan#101 P0 192.168.4.111.2756 > 192.168.1.33.80: R [tcp sum ok] 905288765:905288765(0) ack 3370140021 win 0 (DF) (ttl 128, id 40510)
   4: 19:57:00.062542 c47d.4f80.e900 0000.0c07.ac01 0x8100 78: 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request (ttl 128, id 27235)
   5: 19:57:05.065609 c47d.4f80.e900 0000.0c07.ac01 0x8100 78: 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request (ttl 128, id 27238)

7. Executing “show capture <capture-name> dump” will also display the raw packet data in hex.

lab-firewall# show capture CAPTURE1 dump
81 packets captured
   1: 19:56:55.064785 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
0x0000   0065 0800 4500 003c 6a60 0000 8001 e451        .e..E..<j`.....Q
0x0010   0afb 0839 cfba 0921 0800 e36d 0001 69ed        ...9...!...m..i.
0x0020   6162 6364 6566 6768 696a 6b6c 6d6e 6f70        abcdefghijklmnop
0x0030   7172 7374 7576 7761 6263 6465 6667 6869        qrstuvwabcdefghi
   2: 19:56:58.449393 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R 942165924:942165924(0) ack 3378665272 win 0
0x0000   0065 0800 4500 0028 9e3d 4000 8006 638f        .e..E..(.=@...c.
0x0010   cfb8 506f cfba 0921 0ac5 0050 3828 4fa4        ..Po...!...P8(O.
0x0020   c962 5738 5014 0000 0351 0000                  .bW8P....Q..

8. If you want to skip to a certain section of the capture and display only a small number of packets, you can use the count and packet-number options.

lab-firewall# show capture CAPTURE1 count  5 packet-number 23
105 packets captured
  23: 19:57:41.670314 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: S 650507319:650507319(0) win 65535 <mss 1380,nop,nop,sackOK>
  24: 19:57:41.732460 802.1Q vlan#101 P0 192.168.1.33.80 > 192.168.4.111.2760: S 3438734250:3438734250(0) ack 650507320 win 5840 <mss 1378,nop,nop,sackOK>
  25: 19:57:41.762808 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: . ack 3438734251 win 65535
  26: 19:57:41.771429 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: P 650507320:650507954(634) ack 3438734251 win 65535
  27: 19:57:41.837755 802.1Q vlan#101 P0 192.168.1.33.80 > 192.168.4.111.2760: . ack 650507954 win 6974
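Once you have copied the “show capture <capture-name>” output off the ASA, the tcpdump-style lines are easy to post-process. The following Python is an added example, not part of the original post: it parses the packet lines into records (skipping the “packets captured” header), splits the dotted “ip.port” endpoints, and offers two small views a troubleshooter usually wants first, the RST packets and the per-flow packet counts. The sample lines are copied from the output shown above; the function names are my own.

```python
import re
from collections import Counter
# Sample lines copied from the "show capture CAPTURE1" output shown above.
SAMPLE = """18 packets captured
   1: 19:56:55.064785 802.1Q vlan#101 P0 10.251.8.57 > 192.168.1.33: icmp: echo request
   2: 19:56:58.449393 802.1Q vlan#101 P0 192.168.4.111.2757 > 192.168.1.33.80: R 942165924:942165924(0) ack 3378665272 win 0
   3: 19:56:58.449668 802.1Q vlan#101 P0 192.168.4.111.2756 > 192.168.1.33.80: R 905288765:905288765(0) ack 3370140021 win 0
  23: 19:57:41.670314 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: S 650507319:650507319(0) win 65535 <mss 1380,nop,nop,sackOK>
  24: 19:57:41.732460 802.1Q vlan#101 P0 192.168.1.33.80 > 192.168.4.111.2760: S 3438734250:3438734250(0) ack 650507320 win 5840 <mss 1378,nop,nop,sackOK>
  25: 19:57:41.762808 802.1Q vlan#101 P0 192.168.4.111.2760 > 192.168.1.33.80: . ack 3438734251 win 65535
"""

LINE_RE = re.compile(  # "<n>: <time> [802.1Q vlan#<id> P<prio>] <src> > <dst>: <rest>"
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)

def split_endpoint(ep):
    """'192.168.1.33.80' -> ('192.168.1.33', 80); an ICMP endpoint has no port."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def parse_capture(text):
    """Turn 'show capture <name>' output into dicts; the 'packets captured/shown' lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        rest = m["rest"]
        if rest.startswith("icmp:"):
            proto, info = "icmp", rest[len("icmp: "):]      # e.g. "echo request"
        else:
            proto, info = "tcp", rest.split(" ", 1)[0]       # tcpdump-style flag field: S, R, P, .
        records.append({"num": int(m["num"]), "ts": m["ts"], "vlan": m["vlan"], "src": src,
                        "sport": sport, "dst": dst, "dport": dport, "proto": proto, "info": info})
    return records

def tcp_resets(records):
    """Packets carrying RST; a run of these toward one server is usually the first thing to chase."""
    return [r for r in records if r["proto"] == "tcp" and "R" in r["info"]]

def flow_counts(records):
    """Packets per (src, dst, proto, dport), so the noisiest conversations stand out."""
    return Counter((r["src"], r["dst"], r["proto"], r["dport"]) for r in records)
```

The same parser works on the “count … packet-number …” output from step 8, since the packet lines have the same shape.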

SIP ALG – Cisco ASA (Version 7)


Most ASAs will have the “inspect sip” statement listed in the default policy-map. Some service providers will recommend disabling this feature.

1. Log into the ASA through SSH, telnet or the console.

2. Once authenticated, move into “enable mode” by typing “enable”.

================================

ASA> enable
Password:

================================

3. Enter your password.

4. Type “show run policy-map”. This will display the relevant details of the current policy-maps.

================================

ASA# sh run policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy <——————- “global_policy” is the name of the policy-map used here.
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
ASA#

=========================

5. If you see the “inspect sip” statement, the ASA will keep track of the UDP ports used for call control (default of 5060). It will also keep track of the UDP ports used by RTP (audio packets).

6. If your service provider recommends turning this feature on, then make no changes.

7. If the feature needs to be disabled and your policy-map is named “global_policy”, you can use the script below. You MUST be in enable mode to copy and paste this.

==================

!

configure terminal

policy-map global_policy
class inspection_default
no inspect sip
exit
exit
exit
write mem

=================
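The script above assumes the policy-map is called “global_policy” and that “inspect sip” sits under “inspection_default”. As an added example (not part of the original post), the Python below reads a saved “show run policy-map” listing, finds every policy-map/class pair that actually carries “inspect sip”, and generates the equivalent removal script for those pairs, so the check in step 5 and the change in step 7 can be scripted against a fleet of ASAs. The sample listing is copied from the output above (with the arrow annotation removed); the function names are my own.

```python
# Sample output copied from the "sh run policy-map" listing above (arrow annotation removed).
SAMPLE_POLICY = """!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect sip
inspect netbios
!
"""

def parse_policy_maps(text):
    """Return {policy_map: {class: [inspect lines]}} from 'show run policy-map' output.
    Keys off keywords only, so the flattened copy above and the indented original both parse."""
    maps, pmap, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("policy-map type inspect "):
            pmap, cls = None, None          # a protocol inspect map: its 'parameters' are not classes
        elif line.startswith("policy-map "):
            pmap, cls = line.split()[1], None
            maps.setdefault(pmap, {})
        elif line.startswith("class ") and pmap:
            cls = line.split()[1]
            maps[pmap].setdefault(cls, [])
        elif line.startswith("inspect ") and pmap and cls:
            maps[pmap][cls].append(line)
    return maps

def sip_inspection_classes(maps):
    """(policy_map, class) pairs in which the SIP inspection engine is enabled."""
    return [(p, c) for p, classes in maps.items() for c, inspects in classes.items()
            if any(i.split()[1] == "sip" for i in inspects)]

def disable_sip_script(maps):
    """The step 7 script, generated for whichever policy-map(s) actually carry 'inspect sip'.
    Returns an empty list when nothing needs changing."""
    targets = sip_inspection_classes(maps)
    if not targets:
        return []
    cmds = ["configure terminal"]
    for p, c in targets:
        cmds += [f"policy-map {p}", f"class {c}", "no inspect sip", "exit", "exit"]
    return cmds + ["exit", "write mem"]
```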


