Velocity Reviews - Computer Hardware Reviews

PIX 6.3 - capture command

 
 
Amaury Ronflard
      08-14-2005
Hello group members,

I have two PIX

PIX-A: 195.238.10.19
PIX-B: 212.217.89.23

Behind them, the private LANs:

PIX-A: 192.168.10.0/25
PIX-B: 192.168.20.0/25

I need a VPN between those, so I've defined a no-NAT access-list:

access-list no-nat-pix-a permit ip 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128
access-list no-nat-pix-a permit ip 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

and an access-list bound to what to encrypt to get to PIX-B:

access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

It works OK.

I use the "capture" command to check if the VPN is going OK, like this:

pix-a(config)# capture snoopy interface inside buffer 10000 circular-buffer

Using PDM, I redirect the flow to my browser.

In my web browser, using this capture command, I need to filter only what
is going between the host 192.168.10.10 and the remote host 192.168.20.15.

How do I achieve it? It looks like I need to create a third access-list and
apply it against the capture command.

I've tried, I can't get it.

Can anybody shed some light on it?

Thank you very much,

Amaury
 
Walter Roberson
      08-14-2005
In article <ddnicb$74v$(E-Mail Removed)>,
Amaury Ronflard <(E-Mail Removed)> wrote:
:I have two PIX

>and, an access-list to bound to what to encrypt to get to pix-b


>access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
>access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
>access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
>access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128


The third and fourth lines duplicate the first and second.

You should only write the ACL in one direction, as if the data is
going out of the local machine towards the remote machine. The
ACL will automatically be matched in reverse for the remote traffic.

If you were to reverse the second line, the result would be a superset
of the first, leaving the first unnecessary. I suspect you are trying
to account for dynamic source ports and that the second line is
actually a to-pix-a entry. If so, and if you are going to include a
specific port number in that first to-pix-b line, then you should
mirror it exactly on B:

access-list to-pix-a permit tcp 192.168.20.0 255.255.255.128 eq 5222 192.168.10.0 255.255.255.128

Using a specific port number on a crypto map ACL will get you a warning
about loss of efficiency. Earlier PIX versions prohibited using
port numbers entirely.


:I use the "capture" command to check if the VPN is going ok. Like

:I need to filter only what
:is going between the host 192.168.10.10 and remote host 192.168.20.15

:How do I achieve it? It looks I need to create a third access-list and
:apply it against the capture command.

Right.

I have evidence that the capture ACL is -not- automatically read
in reverse, so try

access-list capture10_15_acl permit ip host 192.168.10.10 host 192.168.20.15
access-list capture10_15_acl permit ip host 192.168.20.15 host 192.168.10.10
capture c10_15 access-list capture10_15_acl
Walter Roberson
      08-14-2005
In article <ddnu07$l8n$(E-Mail Removed)>,
Walter Roberson <(E-Mail Removed)-cnrc.gc.ca> wrote:
:capture c10_15 access-list capture10_15_acl

Sorry, you'll probably need to add the 'interface' specification to that.
Francois Labreque
      08-14-2005
Walter Roberson wrote:
> In article <ddnicb$74v$(E-Mail Removed)>,
> Amaury Ronflard <(E-Mail Removed)> wrote:
> :I have two PIX
>
>
>>and, an access-list to bound to what to encrypt to get to pix-b

>
>
>>access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
>>access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
>>access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
>>access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

>
>
> The third and fourth lines duplicate the first and second.


Actually, the third line doesn't make sense... "eq" is not a valid
keyword with ICMP, and there's no such thing as an ICMP type 5222 packet.


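Putting the three replies together, here is what the two configurations look like once the crypto ACL is written in one direction only (Walter), the `icmp ... eq 5222` line is dropped because `eq` only applies to tcp/udp (Francois), and the capture ACL lists both directions explicitly with an interface on the capture (Walter's follow-up). This is an added example, not config posted by anyone in the thread. The interface names `inside`/`outside`, the transform-set name `ESP-AES-SHA`, the crypto map name `vpn` and the `capture_esp`/`c_esp` names are assumptions; the `!` lines are annotation for the reader. ISAKMP policy and the pre-shared key are left out because the poster's tunnel already comes up.

```cisco
! ---- PIX-A (outside 195.238.10.19, inside 192.168.10.0/25) ----
! NAT exemption: one line per side is enough, the PIX evaluates it both ways.
access-list no-nat-pix-a permit ip 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128
nat (inside) 0 access-list no-nat-pix-a

! Crypto ACL: written once, local -> remote. The PIX matches it in reverse for
! traffic arriving from the peer, so no mirrored lines here. The icmp entry has
! no port: "eq" is only valid for tcp/udp.
access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128

! Names ESP-AES-SHA and vpn are assumptions (6.3 supports AES transforms).
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address to-pix-b
crypto map vpn 10 set peer 212.217.89.23
crypto map vpn 10 set transform-set ESP-AES-SHA
crypto map vpn interface outside

! Capture ACL: matched literally, NOT reversed, so list both directions.
! Captured on inside, so this is the cleartext before/after encryption.
access-list capture10_15_acl permit ip host 192.168.10.10 host 192.168.20.15
access-list capture10_15_acl permit ip host 192.168.20.15 host 192.168.10.10
capture c10_15 access-list capture10_15_acl interface inside buffer 10000 circular-buffer

! Added check: the same flow must leave the outside interface as ESP
! (IP protocol 50) between the two peers, never as cleartext 192.168.x traffic.
access-list capture_esp permit esp host 195.238.10.19 host 212.217.89.23
access-list capture_esp permit esp host 212.217.89.23 host 195.238.10.19
capture c_esp access-list capture_esp interface outside

! ---- PIX-B (outside 212.217.89.23, inside 192.168.20.0/25) ----
access-list no-nat-pix-b permit ip 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
nat (inside) 0 access-list no-nat-pix-b

! Exact mirror of PIX-A's crypto ACL: the port stays attached to the
! 192.168.20.0/25 side, which is now the source.
access-list to-pix-a permit tcp 192.168.20.0 255.255.255.128 eq 5222 192.168.10.0 255.255.255.128
access-list to-pix-a permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address to-pix-a
crypto map vpn 10 set peer 195.238.10.19
crypto map vpn 10 set transform-set ESP-AES-SHA
crypto map vpn interface outside
```

To read the results, `show capture c10_15` and `show capture c_esp` on the console, or, with the HTTP server already enabled for PDM, fetch `https://<pix-inside-address>/capture/c10_15/pcap` from the browser to get a pcap file. Generate some port 5222 traffic from 192.168.10.10 to 192.168.20.15 and expect packets in both captures; `show crypto ipsec sa` should show the encaps/decaps counters for the 192.168.10.0/25 <-> 192.168.20.0/25 SA climbing at the same time. Packets appearing in `c10_15` but not in `c_esp` mean the flow did not match the crypto ACL and went out unencrypted (or was dropped), which is exactly the failure the port-specific ACL entries make easy to cause.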