Cisco ASA: Packet Captures On The Public Internet Side

troubleshoot a FTP problem:

Problem: FTP stopped working

On the ASA,  capture the packets leaving the firewall. This will prove or not weather the packets are leaving your site:

How to:

use an ACL to define the traffic you want to capture, and then apply it to the OUTSIDE interface.

ASA(config)# access-list 194 permit ip host 20.20.20.194 40.40.40.0 255.255.255.0
ASA(config)# capture capin interface outside access-list 194
ASA(config)#

Now that the config is in, lets have my customer test.
First Try, gets to login but nothing after:
ASA# sh capture capin

3 packets captured

1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
3 packets shown
ASA#

we can see the  FTP packets going out.  Next, we try a different FTP program, Filezilla:

Tested filezilla:
ASA# sh capture capin

9 packets captured

1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
—–
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
—–
9 packets shown
ASA#

now we see more traffic leaving the firewall.  but the FTP still failed.

Tested to the remote endpoint a regular transaction:
ASA# sh capture capin

12 packets FTP captured

1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
—-
10: 10:48:32.160407 20.20.20.194.58543 > 40.40.40.12.21: S 2448264669:2448264669(0) win 65535 <mss 1380,nop,nop,sackOK>
11: 10:48:32.655849 20.20.20.194.58543 > 40.40.40.12.21: S 2167152525:2167152525(0) win 65535 <mss 1380,nop,nop,sackOK>
12: 10:48:33.093439 20.20.20.194.58543 > 40.40.40.12.21: S 3432259079:3432259079(0) win 65535 <mss 1380,nop,nop,sackOK>
—–
12 packets shown
ASA#
(Connection was refused by endpoint)

.  Looks like packets 10-12 isgetting out of the firewall.  After the remote FTP is restarted, below is the traffic leaving the firewall (packets 13-34).

FTP test AFTER FTP service was restarted on remote end:
ASA# sh capture capin

34 packets captured

1: 10:44:39.319960 20.20.20.194.33201 > 40.40.40.12.21: S 2922611106:2922611106(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
2: 10:44:39.822894 20.20.20.194.33201 > 40.40.40.12.21: S 2086380860:2086380860(0) win 8192 <mss 1380,nop,wscale 0,nop,nop,sackOK>
3: 10:44:40.327940 20.20.20.194.33201 > 40.40.40.12.21: S 2023625103:2023625103(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 10:47:26.243227 20.20.20.194.25433 > 40.40.40.12.21: S 2515756725:2515756725(0) win 64240 <mss 1380,nop,nop,sackOK>
5: 10:47:26.646923 20.20.20.194.25433 > 40.40.40.12.21: S 2417835985:2417835985(0) win 64240 <mss 1380,nop,nop,sackOK>
6: 10:47:27.193913 20.20.20.194.25433 > 40.40.40.12.21: S 1514131771:1514131771(0) win 64240 <mss 1380,nop,nop,sackOK>
7: 10:47:32.196660 20.20.20.194.57968 > 40.40.40.12.21: S 2153025465:2153025465(0) win 64240 <mss 1380,nop,nop,sackOK>
8: 10:47:32.663173 20.20.20.194.57968 > 40.40.40.12.21: S 1936097903:1936097903(0) win 64240 <mss 1380,nop,nop,sackOK>
9: 10:47:33.210636 20.20.20.194.57968 > 40.40.40.12.21: S 1691218731:1691218731(0) win 64240 <mss 1380,nop,nop,sackOK>
10: 10:48:32.160407 20.20.20.194.58543 > 40.40.40.12.21: S 2448264669:2448264669(0) win 65535 <mss 1380,nop,nop,sackOK>
11: 10:48:32.655849 20.20.20.194.58543 > 40.40.40.12.21: S 2167152525:2167152525(0) win 65535 <mss 1380,nop,nop,sackOK>
12: 10:48:33.093439 20.20.20.194.58543 > 40.40.40.12.21: S 3432259079:3432259079(0) win 65535 <mss 1380,nop,nop,sackOK>
——

13: 10:56:12.340070 20.20.20.194.17009 > 40.40.40.12.21: S 3548665372:3548665372(0) win 65535 <mss 1380,nop,nop,sackOK>
14: 10:56:12.346341 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165591 win 65535
15: 10:56:12.355633 20.20.20.194.17009 > 40.40.40.12.21: P 3548665373:3548665389(16) ack 723165636 win 65490
16: 10:56:12.401361 20.20.20.194.17009 > 40.40.40.12.21: P 3548665389:3548665408(19) ack 723165656 win 65470
17: 10:56:12.601195 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165712 win 65414
18: 10:56:12.601455 20.20.20.194.17009 > 40.40.40.12.21: P 3548665408:3548665414(6) ack 723165732 win 65394
19: 10:56:12.607970 20.20.20.194.17009 > 40.40.40.12.21: P 3548665414:3548665419(5) ack 723165742 win 65384
20: 10:56:12.617598 20.20.20.194.17009 > 40.40.40.12.21: P 3548665419:3548665447(28) ack 723165787 win 65339
21: 10:56:12.637708 20.20.20.194.17009 > 40.40.40.12.21: P 3548665447:3548665453(6) ack 723165813 win 65313
22: 10:56:12.681651 20.20.20.194.53132 > 40.40.40.12.20: S 3213895457:3213895457(0) ack 2441606499 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
23: 10:56:12.745139 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165865 win 65261
24: 10:56:12.745170 20.20.20.194.53132 > 40.40.40.12.20: . ack 2441606803 win 65232
25: 10:56:12.745170 20.20.20.194.53132 > 40.40.40.12.20: F 3213895458:3213895458(0) ack 2441606803 win 65232
26: 10:56:12.789769 20.20.20.194.17009 > 40.40.40.12.21: P 3548665453:3548665481(28) ack 723165865 win 65261
27: 10:56:12.796376 20.20.20.194.17009 > 40.40.40.12.21: P 3548665481:3548665487(6) ack 723165891 win 65235
28: 10:56:12.802860 20.20.20.194.41603 > 40.40.40.12.20: S 3126237913:3126237913(0) ack 666517918 win 16384 <mss 1380,nop,wscale 0,nop,nop,sackOK>
29: 10:56:12.824099 20.20.20.194.41603 > 40.40.40.12.20: . ack 666518222 win 65232
30: 10:56:12.824130 20.20.20.194.41603 > 40.40.40.12.20: F 3126237914:3126237914(0) ack 666518222 win 65232
31: 10:56:12.824145 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165943 win 65183
32: 10:56:12.831866 20.20.20.194.17009 > 40.40.40.12.21: P 3548665487:3548665493(6) ack 723165943 win 65183
33: 10:56:12.838594 20.20.20.194.17009 > 40.40.40.12.21: . ack 723165953 win 65174
34: 10:56:12.838625 20.20.20.194.17009 > 40.40.40.12.21: F 3548665493:3548665493(0) ack 723165953 win 65174
——–
34 packets shown
ASA#

Was this article helpful?

Related Articles

Leave A Comment?

You must be logged in to post a comment.