思科ASA防火墙下抓包方法

2012-02-26 · 网络分析 · 参考资料 · 51953 次阅读

ASA防火墙抓包示例

capture asa_capture_inside_1 type raw-data access-list tac_capture buffer 10000000 interface inside
capture asa_capture_outside_1 type raw-data access-list tac_capture buffer 10000000 interface outside
no capture asa_capture_inside_1
no capture asa_capture_outside_1
clear capture asa_capture_inside_1
clear capture asa_capture_outside_1
copy /pcap capture:asa_capture_inside_1 tftp://172.16.1.200/asa_inside_capture.cap
copy /pcap capture:asa_capture_outside_1 tftp://172.16.1.200/asa_outside_capture.cap

access-list test permit ip host ip (inside) host ip（outside)
access-list test permit ip host ip (outside) host ip (inside)
capture inside access-list test buffer 10000000 interface inside interface outside
capture outside access-list test buffer 10000000 interface outside interface inside

其他示例

1 ，cisco防火墙troubleshooting之capture packet
首先定义需要抓报的类型，使用acl：
access-list capture permit icmp any any
capture test access-list capture interface outside
这样当有icmp包经过outside接口时，就会被抓取下来

copy /pcap capture: test tftp:

Source capture name [test]?

Address or name of remote host []? 10.10.166.27

Destination filename [test]? test1

这样就会把原始包抓取下来，然后扩展名改为dmp
show capture test
或者通过：https://10.10.166.138/capture/captest/pcap直接可以查看
通过这个地址：https://10.10.166.138/capture/http/pcap来下载

no capture test
删除capture test缓存

在抓取包的时候，如果是TCP，UDP数据包（基于状态）的时候，只有初始数据包处理，后续包直接进入加速处理器，不会被抓到。
例如从一个接口1进入，从2口出来，然后返回数据包从2口进入，从1口出来。这个时候数据包只有1口进的时候才被抓取。而当专区icmp（没有状态）的时候，不管是进还是出都会被抓到，就是说，在1，2口的进出口都会被抓到。

2，思科防火墙与oracle兼容性有问题的抓包过程

配置要抓包的数据流
access-list tac_capture permit ip host 59.42.158.1 host 172.16.99.1
access-list tac_capture permit ip host 172.16.99.1 host 59.42.158.1
capture pix_dmz_capture_1 access-list tac_capture buffer 10000000 interface dmz
capture pix_inside_capture_1 access-list tac_capture buffer 10000000 interface inside
capture tac_dmz_capture intreface dmz
capture tac_inside_capture interface inside

显示一些配置
show clock
show conn local 172.16.99.1
show conn foreign 59.42.158.18
show local-host 172.16.99.1
show local-host 59.42.158.1
show xlate local 172.16.99.1
show xlate global 59.42.158.1
show capture
拷贝capture 到tftp服务器上。
copy capture:pix_dmz_capture_1 tftp://172.16.1.200/pix_dmz_capture.cap pcap
copy capture:pix_inside_capture_1 tftp://172.16.1.200/pix_inside_capture.cap pcap
取消capture
clear capture tac_capture
no capture pix_dmz_capture_1
no capture pix_inside_capture_1
配置要抓包的数据流
access-list tac_capture permit ip host 59.42.158.1 host172.16.99.1
access-list tac_capture permit ip host 172.16.99.1 host 59.42.158.1
capture asa_capture_inside_1 type raw-data access-list tac_capture buffer 10000000 interface inside
capture asa_capture_outside_1 type raw-data access-list tac_capture buffer 10000000 interface outside
capture tac_capture_inside access-list tac_capture interface inside
capture tac_capture_outside access-list tac_capture interface outside
c)
show clock
show conn address 172.16.99.1
show conn address 59.42.158.1
show local-host 172.16.99.1
show local-host 59.42.158.1
show asp drop
show xlate
show capture
d)拷贝capture到tftp服务器上
copy /pcap capture:asa_capture_inside_1 tftp://172.16.1.201/asa_inside_capture.cap
copy /pcap capture:asa_capture_outside_1 tftp://172.16.1.201/asa_outside_capture.cap
e)取消capture
no capture asa_capture_inside_1
no capture asa_capture_outside_1
clear capture asa_capture_inside_1
clear capture asa_capture_outside_1