Recently I had to troubleshoot some communication issues via a Cisco ASA device and the packet capture on the IOS comes in handy for this task.

When you have a lot of traffic over ASA and you’re interested in a particular IP address, the basic packet capture lesson says that you should configure an access-list to limit the captured packets for the interesting traffic only.

Let’s assume that I have a particular interest for the traffic to and from the IP address 10.0.0.10.

I created a standard ACL to match only the traffic related to 10.0.0.10:

Afterward I attached the created ACL to a packet capture on a particular interface (let’s call it “lan”).

You can find the above lines in almost any how-to regarding packet capture on Cisco ASA.

Checking the capture I noticed that traffic is unidirectional captured:

This is not enough to troubleshoot complex communication scenarios.

Ok, maybe the standard ACL is not enough, so I tried to use extended one where 10.0.0.10 is source on one line and destination on another:

This should do it…just that it doesn’t.

Hmm, maybe it does not work with two lines in the ACL. I removed one, same error.

I was looking around to find a way to do it, but I couldn’t. This is why I wrote this article. Maybe my googling skills are not so good, as I’m sure it has to be an example somewhere out there.

However, here how I did it.

I gave up using the ACL. No, I’m was not going to capture the entire traffic :) Instead, I used inline restrictions for the IP address that I’m interested in.

The result looks good now:

The packet capture shows now bidirectional traffic flow.

I hope you’ll find this useful during troubleshooting.

Cisco ASA packet capture showing bidirectional traffic flow

Leave a Reply

%d bloggers like this: