Cisco ASA packet capture showing bidirectional traffic flow

Recently I had to troubleshoot some communication issues via a Cisco ASA device and the packet capture on the IOS comes in handy for this task.

When you have a lot of traffic over ASA and you’re interested in a particular IP address, the basic packet capture lesson says that you should configure an access-list to limit the captured packets for the interesting traffic only.

Let’s assume that I have a particular interest for the traffic to and from the IP address 10.0.0.10.

I created a standard ACL to match only the traffic related to 10.0.0.10:

access-list TS standard permit host 10.0.0.10

Afterward I attached the created ACL to a packet capture on a particular interface (let’s call it “lan”).

capture TSHOOT access-list TS interface lan

You can find the above lines in almost any how-to regarding packet capture on Cisco ASA.

Checking the capture I noticed that traffic is unidirectional captured:

FW# show capture TSHOOT

4 packets captured

   1: 20:15:32.757010       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:15:33.759283       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   3: 20:15:34.761374       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   4: 20:15:35.823748       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request

This is not enough to troubleshoot complex communication scenarios.

Ok, maybe the standard ACL is not enough, so I tried to use extended one where 10.0.0.10 is source on one line and destination on another:

access-list TS extended permit ip host 10.0.0.10 any
access-list TS extended permit ip any host 10.0.0.10

This should do it…just that it doesn’t.

capture TSHOOT access-list TS interface lan

ERROR: Capture doesn't support access-list  containing mixed policies

Hmm, maybe it does not work with two lines in the ACL. I removed one, same error.

I was looking around to find a way to do it, but I couldn’t. This is why I wrote this article. Maybe my googling skills are not so good, as I’m sure it has to be an example somewhere out there.

However, here how I did it.

I gave up using the ACL. No, I’m was not going to capture the entire traffic :) Instead, I used inline restrictions for the IP address that I’m interested in.

capture TSHOOT interface lan match ip host 10.0.0.10 any

The result looks good now:

FW# show capture TSHOOT

8 packets captured

   1: 20:19:07.222553       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   2: 20:19:07.223392       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   3: 20:19:08.229953       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   4: 20:19:08.230670       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   5: 20:19:09.229327       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   6: 20:19:09.230121       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
   7: 20:19:10.252321       802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
   8: 20:19:10.253130       802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply

The packet capture shows now bidirectional traffic flow.

I hope you’ll find this useful during troubleshooting.

Converting from old to new with the PIX to ASA Migration Tool

Digging through Internet I’ve found a very good article from David Davis explaining how to make your life easier when migrating from PIX to ASA.

The important thing to note about PIX and ASA configurations are that they are different. In other words, to do one thing on a PIX requires a different command on an ASA. The ASA uses a more “IOS-like” configuration where the PIX has its own “PIX-OS” configuration. Here are just some of the differences between the two:

  • The ASA is different hardware and has different interface names.
  • The ASA uses sub-interface commands, like the Cisco IOS.
  • A PIX will use FIXUP commands for application inspection whereas the ASA will use policy maps.
  • On the PIX,outbound and conduit commands are used versus access lists on the ASA.

There are two ways to perform this conversion — manually or by using the automatic migration tool. You may want to perform the conversion manually if you want more granular control, but Cisco offers a PIX to ASA Migration Tool that can perform this automatically. Let’s look at how it works.

Read the full article at: Converting from old to new with the PIX to ASA Migration Tool