Monday, November 23, 2009

How to use a Cisco ASA as a sniffer.

Today I learned a cool firewall trick. If you're not technical, you can stop reading right here; just trust me that it's nerdcool.

You can use a Cisco ASA as a sniffer: it buffers the matching packets on the box and hands them to you as a pcap file you can open in a packet analyzer.

First, create an access list that defines the interesting traffic, for example all IP traffic from 192.168.1.1 to 192.168.2.2:

access-list sniffer permit ip host 192.168.1.1 host 192.168.2.2

A capture ACL is matched exactly as written, so this entry only catches the 192.168.1.1 to 192.168.2.2 side of the conversation. Add the mirror-image entry (host 192.168.2.2 host 192.168.1.1) if you want the replies too.

Second, start the capture on the interface where the traffic passes:

capture testcap access-list sniffer interface inside

By default the capture stops when its 512 KB buffer fills; add "buffer <bytes>" for a bigger buffer or "circular-buffer" to keep overwriting the oldest packets. You can check that it is catching anything with "show capture testcap" on the CLI.

The capture is served by the ASA's HTTPS management server, the same one ASDM uses. Be sure "http server enable" is in your config and that an "http <address> <mask> <interface>" line permits your workstation; interface ACLs do not control traffic to the ASA itself, so that http line is what matters. If you already use ASDM you're already set up. You can then browse to the results at:

https://securityappliance-ip-address/capture/capture_name

Without a suffix you get a plain-text decode in the browser. Put /pcap on the end to download a libpcap file you can load into Wireshark (formerly Ethereal) or any other packet analyzer. On later ASA releases the same path lives under /admin/capture/ instead of /capture/.

Use the no form to stop the capture:

no capture testcap

This also throws away the buffer, so download the pcap first. To stop collecting but keep what you already have, use "no capture testcap interface inside" instead, then remove the capture once you have the file.
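Here is the whole session end to end, as an added example rather than something from the original post: the post's commands plus the options and checks described above, using the same placeholder addresses and the inside interface. Buffer and packet-length values are arbitrary choices.

```text
! Added example, not from the original post. Addresses and "inside" are placeholders.
! 1. Match both directions; a capture ACL only matches the side it spells out.
access-list sniffer extended permit ip host 192.168.1.1 host 192.168.2.2
access-list sniffer extended permit ip host 192.168.2.2 host 192.168.1.1
! 2. Start the capture. buffer = bytes in the capture buffer (default 512 KB),
!    packet-length = bytes kept per packet, circular-buffer = overwrite the oldest.
capture testcap access-list sniffer interface inside buffer 1048576 packet-length 1522 circular-buffer
! 3. Confirm it is filling up and peek at the packets without leaving the CLI
show capture
show capture testcap
show capture testcap detail
! 4. Stop collecting but keep the buffer so it can still be downloaded
no capture testcap interface inside
! 5. Once the pcap is saved: empty the buffer, or remove the capture entirely
clear capture testcap
no capture testcap
```

Step 4 is the one people skip: "no capture testcap" on its own drops the buffer, and an interesting capture is gone before anyone has looked at it.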

Note that anyone who can log in to that management interface can use this feature to read cleartext traffic off your network, passwords included, so be sure your ASDM/HTTPS access on the ASA is locked down to trusted admin hosts. Enjoy.

NOTE: If you want to watch the traffic scroll by on the console in real time (and you have CPU to spare), use this variation and press Ctrl+C to stop it:

capture testcap access-list sniffer interface inside real-time
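Pulling the capture off the box from the workstation side, as an added example that is not part of the original post. It assumes the HTTPS management access described above, a user whose password is supplied in an environment variable, and curl plus optionally tshark installed locally; the ASA address, user name and capture name are placeholders. The sanity check matters because an ASA that rejects the login or the path answers with an HTML error page, which would otherwise be saved happily as "testcap.pcap".

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: ASA address, user, capture name.

# Return 0 if the file starts with a libpcap magic number (either byte order,
# microsecond or nanosecond timestamps), 1 otherwise.
is_pcap() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the download URL. The post uses /capture/<name>/pcap; later ASA releases
# serve the same file under /admin/capture/<name>/pcap, so the prefix is a parameter.
capture_url() {
    asa=$1; name=$2; prefix=${3:-/capture}
    printf 'https://%s%s/%s/pcap\n' "$asa" "$prefix" "$name"
}

# Download with HTTP basic auth and verify the result is a pcap.
# -k skips certificate checking; that is only acceptable for a self-signed ASA
# on a management network you trust, so drop it once the ASA has a trusted cert.
fetch_capture() {
    asa=$1; name=$2; out=$3; user=$4; pass=$5
    curl -sSk -u "$user:$pass" -o "$out" "$(capture_url "$asa" "$name")" || return 1
    if ! is_pcap "$out"; then
        echo "not a pcap (login or path problem?): $(head -c 200 "$out")" >&2
        return 1
    fi
    # Quick protocol-hierarchy summary before opening it in Wireshark, if tshark is around
    command -v tshark >/dev/null 2>&1 && tshark -r "$out" -q -z io,phs
    return 0
}

# Usage (interactive); the password comes from the environment so it stays out of shell history:
# fetch_capture 192.0.2.1 testcap testcap.pcap admin "$ASA_PASS" && wireshark testcap.pcap
```

The download uses the account you would log in to ASDM with; the same lock-down advice applies, since whoever can run this script can read the traffic.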