Cisco Security Troubleshooting: Part I - Connectivity Through ASA or PIX Firewalls

Abstract

This is the first in a three-part series that examines the challenge of implementing network security on equipment from Cisco Systems® while maintaining the connectivity requirements of the business or enterprise. The focus here is primarily on the most effective use of both GUI-based and CLI-based troubleshooting tools. A key concept is to "target" the troubleshooting as narrowly as possible to minimize extraneous output. An added benefit is minimizing the load on the appliance's CPU, which would be understandably burdened by a more generalized "debug any" approach, possibly to the point of reducing throughput.

Sample

Debug Packet

As mentioned previously, the debug packet command is only available on PIX Firewalls, having been introduced as early as the 5.x generation of code. While "debug packet" is no longer supported beginning in version 7.0 of either the PIX or ASA code, we will later examine the use of the newer "real-time" option to the capture command as an alternative.

Capture - Part I - Output to Terminal

The capture command first became available in PIX OS 6.2; however, the real-time option only recently became available in release 8.0. In this next section we will examine the flexibility with which this valuable troubleshooting command can be used. Again, for all the alternative implementations examined here, the same scenario will be used: the Outside-PC at 150.150.1.20 connecting to the DMZ-Server at 172.16.1.15, which the outside reaches by its translated address, http://200.200.1.15.
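The targeted capture for this scenario, written out here as an added example; it is not the white paper's own configuration (whose access-list is not reproduced in this excerpt). The access-list name WWW-TEST-ACL and the interface name dmz are assumptions; the capture name, hosts and port come from the scenario above.

```cisco
! Match only the HTTP flow under test, in both directions, so that the capture
! buffer stays small and the appliance does little extra work.
! (ACL name WWW-TEST-ACL is assumed, not taken from the white paper.)
! On the DMZ side the server is seen by its real address, 172.16.1.15.
access-list WWW-TEST-ACL extended permit tcp host 150.150.1.20 host 172.16.1.15 eq www
access-list WWW-TEST-ACL extended permit tcp host 172.16.1.15 eq www host 150.150.1.20
!
! (a) Bind the capture to the DMZ-facing interface (name dmz is assumed) and
!     stream matching packets to the terminal as they arrive; Ctrl-C stops it.
capture WWW-TEST-DMZ access-list WWW-TEST-ACL interface dmz real-time
!
! (b) Or, without real-time, hold the packets in the capture buffer instead;
!     a 1 MB limit keeps memory use bounded (the default is 512 KB).
capture WWW-TEST-DMZ access-list WWW-TEST-ACL interface dmz buffer 1048576
show capture WWW-TEST-DMZ
!
! Remove the capture when finished so it no longer consumes memory or CPU.
no capture WWW-TEST-DMZ
```

On 7.2 and later the separate access-list can be replaced by an inline match clause, for example `capture WWW-TEST-DMZ interface dmz match tcp host 150.150.1.20 host 172.16.1.15 eq www`, which selects both directions of the flow with a single line. Either way, the narrower the match, the less the capture costs the appliance while it runs.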

Capture - Part II - Output to HTML File

Assuming the same access-list as shown above, if the real-time option is omitted, the same text display shown on the previous page can be produced from the capture buffer with:

show capture WWW-TEST-DMZ

A more readable format can be obtained by viewing the capture buffer over HTTPS in a browser; however, before this can be done, the following commands must be entered on the PIX or ASA security appliance (using the Admin-PC in our Lab Topology, 10.10.10.10, as an example). Note that despite its name, the http command grants HTTPS (and ASDM) access; restricting it to the single Admin-PC host, as shown, keeps that management surface as small as possible.

http server enable
http 10.10.10.10 255.255.255.255 inside

To view the capture held in buffer memory, browse to the following URL (10.10.10.1 being the address of the appliance interface facing the Admin-PC). Appending /pcap to the same URL returns the buffer as a pcap download rather than as an HTML page.

https://10.10.10.1/capture/WWW-TEST-DMZ

Capture - Part III - Output to a Windows Pcap File

If an even more granular examination of the packets in the capture is needed, the buffered capture can be copied in pcap format to a TFTP server for later viewing, using the following:

copy /pcap capture:WWW-TEST-DMZ tftp://10.10.10.10/WWW.cap

After confirming your selections in the TFTP CLI dialog, the resulting file can be opened with whatever protocol analyzer ("sniffer") is associated with the .cap suffix. In this case, Wireshark® was used to generate the following display.

Capture - Part IV - Using the Packet Capture Wizard in ASDM

In this last sub-section on the capture command, we will examine how the Adaptive Security Device Manager (ASDM) for the ASA and PIX can be used not only to analyze packets in and out of a particular interface (as we have done previously), but also to look at the overall flow through the security appliance as a whole. In the series of screens below, the same HTTP packet stream is analyzed, except that the "outside" interface is a logical one named outside_lab and is part of an 802.1q trunk. Note that in step 3 we need to specify the translated address (200.200.1.15) of the DMZ-Server, since that is the destination as it appears on the outside interface.

Packet-tracer

The packet-tracer command was first introduced in ASA and PIX OS 7.2 and can be executed both from the command line and from within ASDM. The big advantage of this powerful and relatively new tool is that most simple, unencrypted (non-VPN) flows can be simulated without physically accessing either of the two connection endpoints: the appliance injects a synthetic packet on the ingress interface you name and reports each phase of processing (route lookup, access-list, NAT, inspection) together with an allow or drop verdict. As with the ASDM wizard above, the destination must be given as it appears on that ingress interface, which for an inbound connection is the translated address. We will show in this final section of this white paper several uses of packet-tracer. First, for consistency, we will show the simulated flow of the Outside-PC connecting to the DMZ-Server with HTTP. Later, we will show more complex translation scenarios for both inbound and outbound access.
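The first simulation described above, shown here as an added example rather than the white paper's own transcript. The interface name outside and the hosts come from the scenario; dmz as the DMZ-facing interface name and the source port 1025 are assumptions.

```cisco
! Inbound: the Outside-PC opens an HTTP connection to the DMZ-Server. The packet
! is injected on the interface where it would really arrive, so the destination
! is the translated address 200.200.1.15 (what the outside sees), not 172.16.1.15.
! "detailed" prints every phase (route lookup, access-list, NAT, ...) with its
! result; the final lines give the verdict: allow, or drop with a drop reason.
packet-tracer input outside tcp 150.150.1.20 1025 200.200.1.15 80 detailed
!
! Outbound: the DMZ-Server initiating a connection toward the Outside-PC.
! Injected on dmz (assumed name), so its real address 172.16.1.15 is used here,
! and the NAT phase in the output shows which translation applies on the way out.
packet-tracer input dmz tcp 172.16.1.15 1025 150.150.1.20 80 detailed
```

A drop verdict names the phase that rejected the packet, which is usually enough to tell an access-list problem from a missing or mismatched translation without any live traffic; a passing trace does not exercise the return path, so a connection that still fails after an allow verdict points at routing or the endpoints rather than at the policy.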

Related Courses

IINS - Implementing Cisco IOS Network Security
SNRS - Securing Networks with Cisco Routers & Switches v3.0
SNAF - Securing Networks with ASA Fundamentals
SNAA - Securing Networks with ASA Advanced
MARS - Cisco Security Monitoring, Analysis, and Response System v3.0
CANAC - Implementing NAC Appliance (formerly Cisco Clean Access)

Related White Papers

Understanding the Basic Configuration of the Adaptive Security Appliance (ASA)

Related Videos

Top Three Cisco Security Technologies

Date: 2/17/2009

Author: Douglas B. McKillip

Format: PDF

Pages: 19