Cisco ASA for Nexus 1000V Series Switch Technical Manual

ASA# capture capin interface inside match tcp host 172.16.11.5 host 198.51.100.100
ASA# capture capout interface outside match tcp any host 198.51.100.100

ASA# show capture capin
3 packets captured
1: 11:31:23.432655 172.16.11.5.58799 > 198.51.100.100.80: S 780523448:780523448(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 11:31:23.712518 198.51.100.100.80 > 172.16.11.5.58799: S 2123396067:2123396067(0) ack 780523449 win 8192 <mss 1024,nop,nop,sackOK,nop,wscale 8>
3: 11:31:23.712884 172.16.11.5.58799 > 198.51.100.100.80: . ack 2123396068 win 32768

ASA# show capture capout
3 packets captured
1: 11:31:23.432869 203.0.113.2.58799 > 198.51.100.100.80: S 1633080465:1633080465(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
2: 11:31:23.712472 198.51.100.100.80 > 203.0.113.2.58799: S 95714629:95714629(0) ack 1633080466 win 8192 <mss 1024,nop,nop,sackOK,nop,wscale 8>
3: 11:31:23.712914 203.0.113.2.58799 > 198.51.100.100.80: . ack 95714630 win 32768
The ASA firewall can capture traffic that enters or leaves its interfaces. This capture functionality is valuable because it definitively proves whether traffic arrives at, or leaves from, the firewall. The previous example showed the configuration of two captures, named capin and capout, on the inside and outside interfaces respectively. The capture commands used the match keyword, which allows you to specify exactly which traffic you want to capture.

For the capture capin, you indicated that you wanted to match traffic seen on the inside interface (ingress or egress) that matches tcp host 172.16.11.5 host 198.51.100.100. In other words, you want to capture any TCP traffic sent from host 172.16.11.5 to host 198.51.100.100 or vice versa; the match keyword causes the firewall to capture that traffic bidirectionally. The capture command defined for the outside interface does not reference the internal client IP address, because the firewall performs PAT on that client address: the packets seen on the outside interface carry the translated address (203.0.113.2 in the capture above), not 172.16.11.5. As a result, you cannot match on the client IP address there. Instead, this example uses any to indicate that any source IP address matches that condition.

After you configure the captures, attempt to establish the connection again and then view the captures with the show capture <capture_name> command. In this example, you can see that the client was able to connect to the server, as evidenced by the TCP three-way handshake (SYN, SYN-ACK, ACK) seen in both captures.
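The following is an added example, not code from the Cisco document: a small parser for the packet lines of ASA show capture output that classifies how far the three-way handshake got in each capture. It uses the two capture listings above as constructed sample input, and the regular expressions and the handshake_state classification are this example's own assumptions about the line format, not an ASA feature.

```python
import re
from collections import namedtuple

# Sample input: the two capture listings from the page above (capin on inside, capout on outside).
CAPIN = """3 packets captured
1: 11:31:23.432655 172.16.11.5.58799 > 198.51.100.100.80: S 780523448:780523448(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
2: 11:31:23.712518 198.51.100.100.80 > 172.16.11.5.58799: S 2123396067:2123396067(0) ack 780523449 win 8192 <mss 1024,nop,nop,sackOK,nop,wscale 8>
3: 11:31:23.712884 172.16.11.5.58799 > 198.51.100.100.80: . ack 2123396068 win 32768"""
CAPOUT = """3 packets captured
1: 11:31:23.432869 203.0.113.2.58799 > 198.51.100.100.80: S 1633080465:1633080465(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
2: 11:31:23.712472 198.51.100.100.80 > 203.0.113.2.58799: S 95714629:95714629(0) ack 1633080466 win 8192 <mss 1024,nop,nop,sackOK,nop,wscale 8>
3: 11:31:23.712914 203.0.113.2.58799 > 198.51.100.100.80: . ack 95714630 win 32768"""

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>" (assumed layout)
LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)\s*(?P<rest>.*)$")
SEQ_RE = re.compile(r"^(\d+):\d+\(\d+\)")   # "780523448:780523448(0)" -> starting sequence number
ACK_RE = re.compile(r"\back (\d+)")         # the \b keeps "sackOK" from matching as an ack
Packet = namedtuple("Packet", "src sport dst dport flags seq ack")

def parse_capture(text):
    """Parse the packet lines of one 'show capture <name>' listing; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, ack = SEQ_RE.match(m["rest"]), ACK_RE.search(m["rest"])
        packets.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"],
                              int(seq.group(1)) if seq else None, int(ack.group(1)) if ack else None))
    return packets

def handshake_state(packets, client, server):
    """Report how far the TCP three-way handshake between client and server got in this capture."""
    def find(src, dst, cond):
        return next((p for p in packets if p.src == src and p.dst == dst and cond(p)), None)
    syn = find(client, server, lambda p: "S" in p.flags and p.ack is None)
    if syn is None:
        return "no SYN from client"      # never reached this interface, or wrong (e.g. pre-PAT) address
    synack = find(server, client, lambda p: "S" in p.flags and p.ack == syn.seq + 1)
    if synack is None:
        return "no SYN-ACK from server"  # request left, but no reply came back
    if find(client, server, lambda p: "S" not in p.flags and p.ack == synack.seq + 1) is None:
        return "no final ACK from client"
    return "complete"

if __name__ == "__main__":
    for name, text, client in (("capin", CAPIN, "172.16.11.5"), ("capout", CAPOUT, "203.0.113.2")):
        print(name, handshake_state(parse_capture(text), client, "198.51.100.100"))
```

Checking the outside capture against the internal address 172.16.11.5 reports "no SYN from client", which is exactly why the capout command matches on any rather than on the pre-PAT client IP.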
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
ASA Packet Captures with CLI and ASDM Configuration Example