- Published at
Packet Capture on Cisco ASA
Perform packet captures on a Cisco ASA firewall.
Table of Contents
Introduction
I’ve found that people sometimes get nervous running debug commands as well as captures. There are horror stories where you run a debug command and the firewall just locks up. This fear is understandable given the critical nature of firewalls in maintaining network security and uptime. However, with the right knowledge and precautions, these powerful tools can be used safely and effectively. Understanding how to execute these commands properly can help alleviate concerns and ensure that you can troubleshoot issues without compromising system stability.
I have been doing quite a bit of troubleshooting on site-to-site VPN tunnels and have had to get some captures to confirm exactly what is happening.
How to Run the Capture
Below is a sample command you can use to match the traffic that matches the host 1.1.1.1 which in my case is the VPN peer IP address.
capture cap1 interface outside match ip host 1.1.1.1 any
Once the capture is configured you can view the capture by running the following command:
show capture cap1
You should see some information similar to this:
2 packets captured
1: 04:12:10.428093 192.168.10.10.34327 > 10.94.0.51.15868: S
2669456341:2669456341(0) win 4128 <mss 536> Drop-reason: (acl-drop)
Flow is denied by configured rule
2: 04:12:12.427330 192.168.10.10.34327 > 10.94.0.51.15868: S
2669456341:2669456341(0) win 4128 <mss 536> Drop-reason: (acl-drop)
Flow is denied by configured rule
2 packets shown
After you view the capture and don’t need it anymore, you can clear all the captures on the ASA with the following command:
clear capture /all