Snippet: Packet capture using Cisco PIX/ASA
If you are having issues with your PIX/ASA firewall (or people believe that you are), there are a couple of checks you can do just to make sure that the issue isn't the firewall (as the server guys usually point at the firewall first!)
### Packet Tracer
This handy command was first implemented in version 7.2(1) of the ASA/PIX software. It lets you run a sample packet through the firewall and traces it through each step of the firewall's processing.
Below is a sample of the command and the output from the command:
```
## This simulates a packet originating from 10.10.10.106 TCP/12345 towards 74.125.230.148 TCP/80
ASA# packet-tracer input inside tcp 10.10.10.106 12345 74.125.230.148 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.10.0 255.255.255.0
match ip inside 10.10.10.0 255.255.255.0 outside any
dynamic translation to pool 1 (IP_REMOVED [Interface PAT])
translate_hits = 250, untranslate_hits = 33
Additional Information:
Dynamic translate 10.10.10.106/12345 to IP_REMOVED/38586 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.10.0 255.255.255.0
match ip inside 10.10.10.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 313482, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
```
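As an added example (not part of the original post), here is a small Python parser for packet-tracer output of the kind shown above: it splits the trace into phases and, for a dropped packet, reports the phase and the Config lines (such as the ACL) that caused the drop. The sample trace, the ACL name inside_in and the Drop-reason line are constructed for the example, not taken from the firewall above.

```python
# Added example, not from the original post: parse ASA packet-tracer output.
# Constructed sample in the format shown above; the ACL name inside_in is made up.
SAMPLE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny tcp any any eq 23
Additional Information:
Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, verdict): one dict per 'Phase:' block plus the final block."""
    phases, verdict, cur, section = [], {}, None, None
    for line in filter(str.strip, text.splitlines()):
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":                       # start of a new phase
            phases.append(cur := {"phase": int(val), "config": [], "info": []})
            section = None
        elif key == "Result" and not val:        # bare 'Result:' opens the summary
            cur = None
        elif cur is None:                        # summary lines (Action, Drop-reason)
            verdict[key.lower()] = val
        elif key in ("Config", "Additional Information") and not val:
            section = "config" if key == "Config" else "info"
        elif section:                            # free-form lines under a section
            cur[section].append(line.strip())
        else:                                    # Type/Subtype/Result fields
            cur[key.lower()] = val
    return phases, verdict

def summarize(text):
    """Verdict plus the first DROP phase and the Config lines that caused it."""
    phases, verdict = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {"action": verdict.get("action"), "reason": verdict.get("drop-reason"),
            "drop_phase": drop and drop["phase"], "config": drop["config"] if drop else []}
```

Running `summarize` over the allowed trace above returns an `allow` action with no drop phase; over the constructed sample it points at phase 2 and the deny entry of the ACL.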
I would go into the details of each of the phases above, but that may send you to sleep (plus they are pretty self-explanatory). The gist is that it shows you whether the packet is denied anywhere, at which point, and by which ACL etc.
### Packet Capture
This one does exactly what it says on the tin. You feed it an access-list and it will capture any packets matched by that ACL. You can be as precise or as vague as you want with your captures: you can capture just the headers (to save space) or the full packets, and you can view the results in the CLI or export/download them in PCAP format to feed into Wireshark.
The command to initiate the capture is:
```
ASA# capture capture1 access-list capture headers-only interface outside
```
This initiates a capture session called capture1 by using ACL capture and it will capture the headers of any matched packets on the outside interface. You have a few options to replay the captured data:
- show capture capture1 – This will show the packet in brief format in the terminal session you are in
- https://ip_of_fw/capture/capture1 – If you have https enabled this shows the same as the above
- https://ip_of_fw/capture/capture1/pcap – This will allow you to download the capture in pcap format
- copy /pcap capture:capture1 tftp://10.10.10.101/capture.pcap – Copy the capture in pcap format to a remote TFTP server
I have only scratched the surface of both of the above commands, so if you are interested in more detail then please refer to the relevant Cisco documentation (here and here)