I had run a packet capture on an ASA to see if I could find the traffic that was being reported as dropped packets. The IT staff had told me that the application being blocked was going out on a particular port. However, when I didn't see that traffic coming in on that port, I did another packet capture filtered on the destination IP address instead. This proved that the traffic was actually going out on port 25. See the destination port (.25) in the output below. Set up your capture ACL to match the traffic you are looking for, and apply the capture where you need it.
asa(config)# sh capture capin
18 packets captured
1: 07:56:52.065853 3.3.3.3.44986 > 120.120.120.120.25: S 1199789812:1199789812(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
2: 07:56:52.098246 3.3.3.3.44986 > 120.120.120.120.25: . ack 99226430 win 258
3: 07:56:52.134026 3.3.3.3.44986 > 120.120.120.120.25: P 1199789813:1199789827(14) ack 99226483 win 258
4: 07:56:52.172629 3.3.3.3.44986 > 120.120.120.120.25: P 1199789827:1199789833(6) ack 99226652 win 257
5: 07:56:52.172979 3.3.3.3.44986 > 120.120.120.120.25: F 1199789833:1199789833(0) ack 99226652 win 257
...
18 packets shown
asa(config)#
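As an added example that is not part of the original post: a small Python parser for the `show capture` line format shown above. It tallies packets by destination IP and port, so the port the application really uses (25 here) stands out even in a long capture. The sample text is constructed from the capture lines on this page, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: the packet lines from the 'show capture capin' output above.
SAMPLE_CAPTURE = """\
18 packets captured
1: 07:56:52.065853 3.3.3.3.44986 > 120.120.120.120.25: S 1199789812:1199789812(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
2: 07:56:52.098246 3.3.3.3.44986 > 120.120.120.120.25: . ack 99226430 win 258
3: 07:56:52.134026 3.3.3.3.44986 > 120.120.120.120.25: P 1199789813:1199789827(14) ack 99226483 win 258
4: 07:56:52.172629 3.3.3.3.44986 > 120.120.120.120.25: P 1199789827:1199789833(6) ack 99226652 win 257
5: 07:56:52.172979 3.3.3.3.44986 > 120.120.120.120.25: F 1199789833:1199789833(0) ack 99226652 win 257
18 packets shown
"""

# One ASA capture line: "<n>: <time> <src ip>.<src port> > <dst ip>.<dst port>: <flags> ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)"
)


def parse_capture(text):
    """Return one dict per packet line; the 'packets captured/shown' summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            packets.append(d)
    return packets


def destination_ports(text):
    """Count packets per (dst ip, dst port) so the port actually in use is obvious."""
    return Counter((p["dst"], p["dport"]) for p in parse_capture(text))


def flows_with_syn(text):
    """Flows where a SYN ('S') was seen: real connection attempts, not stray segments."""
    return sorted({(p["src"], p["sport"], p["dst"], p["dport"])
                   for p in parse_capture(text) if p["flags"] == "S"})


if __name__ == "__main__":
    for (dst, port), n in destination_ports(SAMPLE_CAPTURE).most_common():
        print(f"{dst}:{port}  {n} packets")
```

Paste the full `show capture` output into SAMPLE_CAPTURE (or read it from a file) and the most_common() listing shows which destination ports the capture actually contains.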
This is the White Rhino Security blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.