Thursday, July 16, 2009

ASA Packet Capture

This post shows how to capture packets on an ASA. It is especially helpful when you are trying to determine why something is not being allowed through the FW: you write an ACL that matches all traffic from a host, capture that traffic, and find out what is going on.

• First you need to create the ACL. In this case the host 192.168.168.31 is the target and we are matching any IP traffic from it to anywhere.
!
(config)# access-list test permit ip host 192.168.168.31 any

• Next we will define the capture for this host. We add "interface inside" at the end because this host sits on the trusted inside interface.
!
(config)# capture test1 access-list test interface inside

• Now all you do is ask to see what has been captured:
!
# show capture test1

• Here is a typical dump:

21 packets captured

1: 11:21:43.783315 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
2: 11:22:13.784322 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
3: 11:22:23.056652 802.1Q vlan#1 P0 192.168.168.31.24894 > 216.239.38.10.53: udp 60
4: 11:22:23.097559 802.1Q vlan#1 P0 192.168.168.31.50934 > 74.125.53.9.53: udp 49
5: 11:22:23.165076 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.59255: udp 281
6: 11:22:27.040464 802.1Q vlan#1 P0 192.168.168.31.43688 > 74.125.53.9.53: udp 60
7: 11:22:27.110605 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.58190: udp 498
....

• Make sure you clean up your capture when you are done so as not to add to the load of the FW unnecessarily. Here's how to stop things:
!
(config)# no capture test1

And here's how to delete the ACL:

!
(config)# no access-list test permit ip host 192.168.168.31 any

!
# show access-list test
ERROR: access-list does not exist
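As an added example (not part of the original post), here is a small Python parser for the `show capture` text format shown above: it turns each capture line into a record and summarises where the host is sending traffic, which is the "find out what is going on" step the post leaves to the reader. The sample dump is the first seven lines of the capture above, embedded as a constructed string; `dns_roles` is a hypothetical helper that reads the DNS pattern visible in that dump.

```python
import re
from collections import Counter, namedtuple
# Constructed sample: the first lines of the `show capture test1` dump shown above.
SAMPLE_DUMP = """21 packets captured
1: 11:21:43.783315 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
2: 11:22:13.784322 802.1Q vlan#1 P0 192.168.168.31 > 192.168.168.221: icmp: echo reply
3: 11:22:23.056652 802.1Q vlan#1 P0 192.168.168.31.24894 > 216.239.38.10.53: udp 60
4: 11:22:23.097559 802.1Q vlan#1 P0 192.168.168.31.50934 > 74.125.53.9.53: udp 49
5: 11:22:23.165076 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.59255: udp 281
6: 11:22:27.040464 802.1Q vlan#1 P0 192.168.168.31.43688 > 74.125.53.9.53: udp 60
7: 11:22:27.110605 802.1Q vlan#1 P0 192.168.168.31.53 > 192.168.168.221.58190: udp 498
"""

# One capture line: "<n>: <time> [802.1Q vlan#<v> P<p>] <src> > <dst>: <proto>[:] [<detail>]"
LINE_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>\w+):?(?: (?P<detail>.*))?$"
)

Packet = namedtuple("Packet", "num time src_ip src_port dst_ip dst_port proto detail")

def split_endpoint(ep):
    """The ASA prints 'a.b.c.d.port' for TCP/UDP and bare 'a.b.c.d' for ICMP."""
    parts = ep.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def parse_capture(text):
    """Return one Packet per capture line; header, blank and '....' lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the "N packets captured" header and "...." do not match
            src_ip, src_port = split_endpoint(m["src"])
            dst_ip, dst_port = split_endpoint(m["dst"])
            pkts.append(Packet(int(m["num"]), m["time"], src_ip, src_port,
                               dst_ip, dst_port, m["proto"], m["detail"] or ""))
    return pkts

def summarize(pkts):
    """Packets per (proto, dst_ip, dst_port): unexpected peers or ports stand out here."""
    return Counter((p.proto, p.dst_ip, p.dst_port) for p in pkts)

def dns_roles(pkts):
    """Hypothetical helper: resolvers the host queries (dst 53) and clients it answers (src 53)."""
    udp = [p for p in pkts if p.proto == "udp"]
    return (sorted({p.dst_ip for p in udp if p.dst_port == 53}),
            sorted({p.dst_ip for p in udp if p.src_port == 53}))
```

On the sample, `dns_roles` shows the host forwarding queries to two external resolvers and answering 192.168.168.221, so a "DNS is broken" complaint can be narrowed to the leg that is missing from the capture.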

Have fun with this one.
