Tuesday, November 24, 2015

Cisco ASA: Finding Out What Port Is Being Used For An Application In A Packet Capture

I had run a packet capture on an ASA to see if I could find the traffic that was being reported as dropped packets. The IT staff had told me that the application being blocked was going out on a particular port. However, when I didn't see that traffic coming in on that port, I did another packet capture, this time matching on the destination IP address. This proved that the traffic was going out on port 25 instead. See the highlighted below. Set up your ACL to match what you are looking for, and apply it where you need to.
asa(config)# sh capture capin

18 packets captured

   1: 07:56:52.065853 > S 1199789812:1199789812(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   2: 07:56:52.098246 > . ack 99226430 win 258
   3: 07:56:52.134026 > P 1199789813:1199789827(14) ack 99226483 win 258
   4: 07:56:52.172629 > P 1199789827:1199789833(6) ack 99226652 win 257
   5: 07:56:52.172979 > F 1199789833:1199789833(0) ack 99226652 win 257
18 packets shown
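
For a longer capture, the same check can be scripted. This is an added example, not part of the original post: it tallies the destination IP and port of every initial SYN in saved "show capture" text. The sample capture is constructed, uses documentation addresses, and assumes the usual "src-ip.port > dst-ip.port:" line layout; syn_destinations is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample (not from the original post), documentation addresses only.
SAMPLE = """\
7 packets captured

   1: 07:56:52.065853       192.0.2.10.49213 > 203.0.113.25.25: S 1199789812:1199789812(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
   2: 07:56:52.098100       203.0.113.25.25 > 192.0.2.10.49213: S 99226429:99226429(0) ack 1199789813 win 8192 <mss 1380>
   3: 07:56:52.098246       192.0.2.10.49213 > 203.0.113.25.25: . ack 99226430 win 258
   4: 07:56:52.134026       192.0.2.10.49213 > 203.0.113.25.25: P 1199789813:1199789827(14) ack 99226483 win 258
   5: 07:56:52.172979       192.0.2.10.49213 > 203.0.113.25.25: F 1199789833:1199789833(0) ack 99226652 win 257
   6: 07:57:10.000101       192.0.2.10.49214 > 203.0.113.25.25: S 1300000000:1300000000(0) win 8192 <mss 1380>
   7: 07:57:11.500200       192.0.2.10.49300 > 198.51.100.7.443: S 1400000000:1400000000(0) win 8192 <mss 1380>
7 packets shown
"""

PACKET = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"          # optional VLAN tag field
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>\S+)(?P<rest>.*)$"
)

def syn_destinations(capture_text):
    """Count (dst_ip, dst_port) for each connection attempt in the capture.

    Only the client's first SYN is counted: the flag field is exactly "S"
    and the line carries no "ack", which excludes the server's SYN-ACK and
    every later segment of the same connection.
    """
    seen = Counter()
    for line in capture_text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue  # header, footer, blank or non-TCP/UDP line
        if m["flags"] == "S" and " ack " not in m["rest"]:
            seen[(m["dst"], int(m["dport"]))] += 1
    return seen

if __name__ == "__main__":
    for (dst, port), count in syn_destinations(SAMPLE).most_common():
        print(f"{dst} port {port}: {count} connection attempt(s)")
```
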
