欢迎关注:1,欢迎关注本博客,你可点击右手边的【QQ邮件订阅】订阅本博客!2,本博客推出江湖救急计划,主要为工作中遇到疑难杂症的兄弟提供远程技术支持和分析,如有需要,请在江湖救急计划页面给我留言!

思科ASA防火墙下抓包方法

作者:易隐者 发布于:2012-2-26 17:43 Sunday 分类:参考资料

ASA防火墙抓包示例

capture asa_capture_inside_1 type raw-data access-list tac_capture buffer 10000000 interface inside
capture asa_capture_outside_1 type raw-data access-list tac_capture buffer 10000000 interface outside
no capture asa_capture_inside_1
no capture asa_capture_outside_1
clear capture asa_capture_inside_1
clear capture asa_capture_outside_1
copy /pcap capture:asa_capture_inside_1 tftp://172.16.1.200/asa_inside_capture.cap
copy /pcap capture:asa_capture_outside_1 tftp://172.16.1.200/asa_outside_capture.cap


access-list test permit ip host ip (inside) host ip(outside)
access-list test permit ip host ip (outside) host ip (inside)
capture inside access-list test buffer 10000000 interface inside interface outside
capture outside access-list test buffer 10000000 interface outside interface inside

其他示例

1 ,cisco防火墙troubleshooting之capture packet
首先定义需要抓报的类型,使用acl:
access-list capture permit icmp any any
capture test access-list capture interface outside
这样当有icmp包经过outside接口时,就会被抓取下来

copy /pcap capture: test tftp:

Source capture name [test]?  

Address or name of remote host []? 10.10.166.27

Destination filename [test]? test1

这样就会把原始包抓取下来,然后扩展名改为dmp
show capture test
或者通过:https://10.10.166.138/capture/captest/pcap直接可以查看
通过这个地址:https://10.10.166.138/capture/http/pcap来下载

no capture test
删除capture test缓存

       在抓取包的时候,如果是TCP,UDP数据包(基于状态)的时候,只有初始数据包处理,后续包直接进入加速处理器,不会被抓到。
       例如从一个接口1进入,从2口出来,然后返回数据包从2口进入,从1口出来。这个时候数据包只有1口进的时候才被抓取。而当专区icmp(没有状态)的时候,不管是进还是出都会被抓到,就是说,在1,2口的进出口都会被抓到。

2,思科防火墙与oracle兼容性有问题的抓包过程

配置要抓包的数据流
access-list tac_capture permit ip host 59.42.158.1 host 172.16.99.1
access-list tac_capture permit ip host 172.16.99.1 host 59.42.158.1
capture pix_dmz_capture_1 access-list tac_capture buffer 10000000 interface dmz
capture pix_inside_capture_1 access-list tac_capture buffer 10000000 interface inside
capture tac_dmz_capture intreface dmz
capture tac_inside_capture interface inside
            
 显示一些配置
show clock
show conn local 172.16.99.1
show conn foreign 59.42.158.18
show local-host 172.16.99.1
show local-host 59.42.158.1
show xlate local 172.16.99.1
show xlate global 59.42.158.1
show capture
拷贝capture 到tftp服务器上。
copy capture:pix_dmz_capture_1 tftp://172.16.1.200/pix_dmz_capture.cap pcap
copy capture:pix_inside_capture_1 tftp://172.16.1.200/pix_inside_capture.cap pcap
取消capture
clear capture tac_capture
no capture pix_dmz_capture_1
no capture pix_inside_capture_1
配置要抓包的数据流
access-list tac_capture permit ip host 59.42.158.1 host172.16.99.1
access-list   tac_capture permit ip host 172.16.99.1 host 59.42.158.1
capture asa_capture_inside_1 type raw-data access-list tac_capture buffer 10000000 interface inside
capture asa_capture_outside_1 type raw-data access-list tac_capture buffer 10000000 interface outside
capture tac_capture_inside access-list tac_capture interface inside
capture tac_capture_outside access-list tac_capture interface outside
c)
show clock
show conn address 172.16.99.1
show conn address 59.42.158.1
show local-host 172.16.99.1
show local-host 59.42.158.1
show asp drop
show xlate
show capture
d)拷贝capture到tftp服务器上
copy /pcap capture:asa_capture_inside_1 tftp://172.16.1.201/asa_inside_capture.cap
copy /pcap capture:asa_capture_outside_1 tftp://172.16.1.201/asa_outside_capture.cap
e)取消capture
no capture asa_capture_inside_1
no capture asa_capture_outside_1
clear capture asa_capture_inside_1
clear capture asa_capture_outside_1

阅读全文>>

标签: 防火墙 ACL 抓包 思科 ASA

评论(0) 引用(0) 浏览(50442)

Powered by 易隐者 基于emlog 皖ICP备12002343号-1