Snippet: Packet capture using Cisco PIX/ASA

If you are having issues with your PIX/ASA firewall (or people believe that you are), there are a couple of checks you can do to make sure the issue isn't the firewall (the server guys usually point at the firewall first!).

Packet Tracer

This handy command was first implemented in version 7.2(1) of the ASA/PIX software. It lets you run a simulated packet through the firewall and traces it through each step of the firewall's processing, showing the result of every step.

Below is a sample of the command and the output from the command:

## This simulates a packet originating from 10.10.10.106 TCP/12345 towards 74.125.230.148 TCP/80
ASA# packet-tracer input inside tcp 10.10.10.106 12345 74.125.230.148 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.10.0 255.255.255.0
  match ip inside 10.10.10.0 255.255.255.0 outside any
    dynamic translation to pool 1 (IP_REMOVED [Interface PAT])
    translate_hits = 250, untranslate_hits = 33
Additional Information:
Dynamic translate 10.10.10.106/12345 to IP_REMOVED/38586 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.10.0 255.255.255.0
  match ip inside 10.10.10.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 313482, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

I would go into the details of each of the phases above, but that may send you to sleep (plus they are pretty self-explanatory). The gist is that the output shows you whether the packet is denied anywhere, at which phase, and by what (which ACL, NAT rule, etc.).
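As an added example (not part of the original post), here is a small Python parser that splits packet-tracer output into its phases and reports the first phase that did not ALLOW the packet, together with that phase's Config lines, i.e. the ACL that matched, and the Drop-reason from the summary. The sample output it runs on is constructed; the ACL name and drop reason in it are assumed, not taken from the post.

```python
import re

# Constructed sample of ASA packet-tracer output (not from a real device): flow lookup passes, then an inbound ACL drops the packet.
SAMPLE_DENIED = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq www
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(output: str) -> list[dict]:
    # One dict per "Phase: N" block: the header fields plus the lines under Config:
    phases = []
    for block in re.split(r"\n(?=Phase: \d+)", output):
        if not block.startswith("Phase:"):
            continue  # command echo or any text before the first phase
        fields, section = {"Config": []}, "header"
        for line in block.splitlines():
            if line.startswith(("Config:", "Additional Information:")):
                section = line.split(":")[0]
            elif section == "header" and line.strip():
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
            elif section == "Config" and line.strip():
                fields["Config"].append(line.strip())
        phases.append(fields)
    return phases

def first_drop(output: str):
    # First phase whose Result is not ALLOW, with the summary's Drop-reason attached; None if allowed
    for phase in parse_phases(output):
        if phase.get("Result") != "ALLOW":
            m = re.search(r"^Drop-reason: (.+)$", output, re.M)
            phase["Drop-reason"] = m.group(1).strip() if m else None
            return phase
    return None
```

Paste the output of `show`/`packet-tracer` from your own device into `first_drop()` to get the offending phase and rule without reading every block by hand.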

Packet Capture

This one does exactly what it says on the tin. You feed it an access-list and it will capture any packets matched by that ACL. You can be as precise or as vague as you want with your captures: you can capture just the headers (to save space) or the full packets, and you can view the results in the CLI or export/download them in PCAP format to feed into Wireshark.

The command to initiate the capture is:

ASA# capture capture1 access-list capture headers-only interface outside

This initiates a capture session called capture1 using the ACL named capture; it will capture the headers of any matched packets on the outside interface.

You have a few options to replay the captured data:

  • show capture capture1 – This will show the packet in brief format in the terminal session you are in
  • https://ip_of_fw/capture/capture1 – If you have https enabled this shows the same as the above
  • https://ip_of_fw/capture/capture1/pcap – This will allow you to download the capture in pcap format
  • copy /pcap capture:capture1 tftp://10.10.10.101/capture.pcap – Copy the capture in pcap format to a remote TFTP server

I have only scratched the surface of both of the above commands, so if you are interested in more detail then please refer to the relevant Cisco documentation (here and here).
