Recently I had to troubleshoot some communication issues via a Cisco ASA device and the packet capture on the IOS comes in handy for this task.
When you have a lot of traffic passing through the ASA and you’re interested in a particular IP address, the basic packet capture lesson says that you should configure an access-list to limit the capture to the interesting traffic only.
Let’s assume that I have a particular interest for the traffic to and from the IP address 10.0.0.10.
I created a standard ACL to match only the traffic related to 10.0.0.10:
access-list TS standard permit host 10.0.0.10
Afterwards I attached the ACL to a packet capture on a particular interface (let’s call it “lan”).
capture TSHOOT access-list TS interface lan
You can find the above lines in almost any how-to regarding packet capture on Cisco ASA.
Checking the capture, I noticed that only one direction of the traffic is captured:
FW# show capture TSHOOT
4 packets captured
1: 20:15:32.757010 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
2: 20:15:33.759283 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
3: 20:15:34.761374 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
4: 20:15:35.823748 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
This is not enough to troubleshoot complex communication scenarios.
Ok, maybe the standard ACL is not enough, so I tried an extended one, where 10.0.0.10 is the source on one line and the destination on another:
access-list TS extended permit ip host 10.0.0.10 any
access-list TS extended permit ip any host 10.0.0.10
This should do it… except that it doesn’t.
capture TSHOOT access-list TS interface lan
ERROR: Capture doesn't support access-list containing mixed policies
Hmm, maybe it does not work with two lines in the ACL. I removed one; same error.
I was looking around to find a way to do it, but I couldn’t. This is why I wrote this article. Maybe my googling skills are not so good, as I’m sure there must be an example somewhere out there.
Anyway, here is how I did it.
I gave up on using the ACL. No, I was not going to capture all the traffic :) Instead, I used the capture command’s inline match option for the IP address that I’m interested in.
capture TSHOOT interface lan match ip host 10.0.0.10 any
The result looks good now:
FW# show capture TSHOOT
8 packets captured
1: 20:19:07.222553 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
2: 20:19:07.223392 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
3: 20:19:08.229953 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
4: 20:19:08.230670 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
5: 20:19:09.229327 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
6: 20:19:09.230121 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
7: 20:19:10.252321 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
8: 20:19:10.253130 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
The packet capture now shows the traffic flow in both directions.
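When a capture is supposed to prove that a host can talk in both directions, it helps to check the "show capture" output mechanically instead of eyeballing it, especially once the capture holds hundreds of lines rather than eight. The script below is an added example written for this article, not something shipped by Cisco or taken from the ASA itself: it parses the text format shown above (packet index, timestamp, optional 802.1Q tag, source > destination, protocol info), counts packets per peer in each direction relative to the host of interest, and lists the peers for which only one direction was seen. The two sample captures embedded in it are reproduced from the outputs above; the regular expression's handling of untagged lines and of ".port" suffixes on TCP/UDP addresses is an assumption about the format that the article's ICMP-only output does not exercise.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One packet line of ASA "show capture" output, e.g.
#   1: 20:15:32.757010 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
# The 802.1Q part is optional and TCP/UDP lines carry a ".port" suffix on each
# address; both are tolerated here (assumption: the article only shows ICMP).
PACKET_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#(?P<vlan>\d+)\s+P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*(?P<info>.*)$"
)
# Header line such as "4 packets captured" (may share a line with the prompt).
HEADER_RE = re.compile(r"(?P<n>\d+)\s+packets?\s+captured")


@dataclass(frozen=True)
class Packet:
    index: int
    timestamp: str
    src: str
    dst: str
    info: str


def parse_capture(text: str) -> Tuple[List[Packet], Optional[int]]:
    """Return the parsed packets and the count announced in the header (or None)."""
    packets: List[Packet] = []
    announced: Optional[int] = None
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header and announced is None:
            announced = int(header.group("n"))
        m = PACKET_RE.match(line)
        if m:
            packets.append(Packet(int(m.group("idx")), m.group("ts"),
                                  m.group("src"), m.group("dst"),
                                  m.group("info").strip()))
    return packets, announced


def direction_summary(packets: List[Packet], host: str) -> Dict[str, Dict[str, int]]:
    """For each peer of `host`: packets sent to the host and packets received from it."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"to_host": 0, "from_host": 0})
    for p in packets:
        if p.dst == host:
            summary[p.src]["to_host"] += 1
        elif p.src == host:
            summary[p.dst]["from_host"] += 1
    return dict(summary)


def one_way_peers(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Peers for which the capture saw traffic in only one direction."""
    return sorted(peer for peer, c in summary.items()
                  if c["to_host"] == 0 or c["from_host"] == 0)


# Sample input reproduced from the article's first (standard ACL) capture.
UNIDIRECTIONAL_CAPTURE = """FW# show capture TSHOOT
4 packets captured
1: 20:15:32.757010 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
2: 20:15:33.759283 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
3: 20:15:34.761374 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
4: 20:15:35.823748 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
"""

# Sample input reproduced from the article's second (inline match) capture.
BIDIRECTIONAL_CAPTURE = """FW# show capture TSHOOT
8 packets captured
1: 20:19:07.222553 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
2: 20:19:07.223392 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
3: 20:19:08.229953 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
4: 20:19:08.230670 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
5: 20:19:09.229327 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
6: 20:19:09.230121 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
7: 20:19:10.252321 802.1Q vlan#10 P0 192.168.0.10 > 10.0.0.10: icmp: echo request
8: 20:19:10.253130 802.1Q vlan#10 P0 10.0.0.10 > 192.168.0.10: icmp: echo reply
"""

if __name__ == "__main__":
    for label, text in (("standard ACL", UNIDIRECTIONAL_CAPTURE),
                        ("inline match", BIDIRECTIONAL_CAPTURE)):
        packets, announced = parse_capture(text)
        if announced is not None and announced != len(packets):
            print(f"[{label}] warning: header says {announced}, parsed {len(packets)}")
        summary = direction_summary(packets, "10.0.0.10")
        print(f"[{label}] per-peer counts: {summary}")
        print(f"[{label}] one-way peers: {one_way_peers(summary) or 'none'}")
```

The header-count check is worth keeping: if the announced packet count and the number of parsed lines disagree, the output was truncated or contains a line shape the parser does not understand, and a "looks bidirectional" verdict built on it should not be trusted.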
I hope you’ll find this useful during troubleshooting.