PIX 6.3 - capture command

Discussion in 'Cisco' started by Amaury Ronflard, Aug 14, 2005.

  1. Hello group members,

    I have two PIX

    PIX-A: 195.238.10.19
    PIX-B: 212.217.89.23

    Behind, Private LAN

    PIX-A: 192.168.10.0/25
    PIX-B: 192.168.20.0/25

    I need a VPN between those, so, I've defined a no-nat access-list

    access-list no-nat-pix-a permit ip 192.168.10.0 255.255.255.128
    192.168.20.0 255.255.255.128
    access-list no-nat-pix-a permit ip 192.168.20.0 255.255.255.128
    192.168.10.0 255.255.255.128

    and, an access-list bound to what to encrypt to get to pix-b

    access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128
    192.168.20.0 255.255.255.128 eq 5222
    access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128
    192.168.10.0 255.255.255.128
    access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128
    192.168.20.0 255.255.255.128 eq 5222
    access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128
    192.168.10.0 255.255.255.128

    It works ok,

    I use the "capture" command to check if the VPN is going ok. Like

    pix-a(config)# capture snoopy interface inside buffer 10000 circular

    using PDM, I redirect the flow to my browser.

    In my web browser, using this capture command, I need to filter only what
    is going between the host 192.168.10.10 and remote host 192.168.20.15

    How do I achieve it? It looks like I need to create a third access-list and
    apply it against the capture command.

    I've tried, I can't get it.

    Can anybody light it?

    Thank you very much,

    Amaury
     
    Amaury Ronflard, Aug 14, 2005
    #1

  2. In article <ddnicb$74v$>,
    Amaury Ronflard <> wrote:
    :I have two PIX

    >and, an access-list to bound to what to encrypt to get to pix-b


    >access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
    >access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
    >access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
    >access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128


    The third and fourth lines duplicate the first and second.

    You should only write the ACL in one direction, as if the data is
    going out of the local machine towards the remote machine. The
    ACL will automatically be matched in reverse for the remote traffic.

    If you were to reverse the second line, the result would be a superset
    of the first, leaving the first unnecessary. I suspect you are trying
    to account for dynamic source ports and that the second line is
    actually a to-pix-a entry. If so then if you are going to include a
    specific port number in that first to-pix-b line, then you should
    exactly mirror it on b,

    access-list to-pix-a permit tcp 192.168.20.0 255.255.255.128 eq 5222 192.168.10.0 255.255.255.128

    Using a specific port number on a crypto map ACL will get you a warning
    about loss of efficiency. Earlier PIX versions prohibited using
    port numbers entirely.


    :I use the "capture" command to check if the VPN is going ok. Like

    :I need to filter only what
    :is going between the host 192.168.10.10 and remote host 192.168.20.15

    :How do I achieve it? It looks I need to create a third access-list and
    :apply it against the capture command.

    Right.

    I have evidence that the capture ACL is -not- automatically read
    in reverse, so try

    access-list capture10_15_acl permit ip host 192.168.10.10 host 192.168.20.15
    access-list capture10_15_acl permit ip host 192.168.20.15 host 192.168.10.10
    capture c10_15 access-list capture10_15_acl
    --
    "I will speculate that [...] applications [...] could actually see a
    performance boost for most users by going dual-core [...] because it
    is running the adware and spyware that [...] are otherwise slowing
    down the single CPU that user has today" -- Herb Sutter
     
    Walter Roberson, Aug 14, 2005
    #2

  3. In article <ddnu07$l8n$>,
    Walter Roberson <-cnrc.gc.ca> wrote:
    :capture c10_15 access-list capture10_15_acl

    Sorry, you'll probably need to add the 'interface' specification to that.
    --
    "I want to make sure [a user] can't get through ... an online
    experience without hitting a Microsoft ad"
    -- Steve Ballmer [Microsoft Chief Executive]
     
    Walter Roberson, Aug 14, 2005
    #3
  4. Walter Roberson wrote:
    > In article <ddnicb$74v$>,
    > Amaury Ronflard <> wrote:
    > :I have two PIX
    >
    >
    >>and, an access-list to bound to what to encrypt to get to pix-b

    >
    >
    >>access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
    >>access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
    >>access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
    >>access-list to-pix-b permit icmp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128

    >
    >
    > The third and fourth lines duplicate the first and second.


    Actually, the third line doesn't make sense... "eq" is not a valid
    keyword with ICMP, and there's no such thing as an ICMP type 5222 packet.


    --
    Francois Labreque | The surest sign of the existence of extra-
    flabreque | terrestrial intelligence is that they never
    @ | bothered to come down here and visit us!
    videotron.ca | - Calvin
     
    Francois Labreque, Aug 14, 2005
    #4
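Added example, not code from any of the posters: a small Python linter that checks PIX 6.3 access-list lines for the three points raised in the replies (a crypto map ACL is matched in reverse by the PIX, so a mirrored entry is redundant; "eq" is meaningless with icmp; a capture ACL is not matched in reverse, so both directions must be listed) and also checks that a capture command references an ACL that exists. The crypto map line, the "interface inside" on the capture line, the "ip" protocol on the capture ACL and the misspelled ACL name in the sample are constructed assumptions, not taken from the thread.

```python
import re

# One PIX 6.3 ACL entry: each address is "host A" or "net mask", optionally followed by "eq port".
ACE_RE = re.compile(r"access-list (?P<name>\S+) (?:permit|deny) (?P<proto>\S+) (?P<src>host \S+|\S+ \S+)"
                    r"(?: eq (?P<sport>\S+))? (?P<dst>host \S+|\S+ \S+)(?: eq (?P<dport>\S+))?$")
CRYPTO_RE = re.compile(r"crypto map \S+ \d+ match address (?P<name>\S+)")
CAPTURE_RE = re.compile(r"capture \S+ .*\baccess-list (?P<name>\S+)")

def parse(config):  # -> ({acl: [(proto, src, sport, dst, dport)]}, crypto ACL names, capture ACL names)
    acls, crypto, capture = {}, set(), set()
    for line in (l.strip() for l in config.splitlines()):
        if m := ACE_RE.match(line):
            acls.setdefault(m["name"], []).append((m["proto"], m["src"], m["sport"], m["dst"], m["dport"]))
        elif m := CRYPTO_RE.match(line):
            crypto.add(m["name"])
        elif m := CAPTURE_RE.match(line):
            capture.add(m["name"])
    return acls, crypto, capture

def reverse(e):  # the same entry seen from the other end
    return (e[0], e[3], e[4], e[1], e[2])

def covers(a, b):  # a matches everything b matches (no port means any port)
    return a[:2] == b[:2] and a[3] == b[3] and a[2] in (None, b[2]) and a[4] in (None, b[4])

def lint(config):  # one finding per problem; an empty list means clean
    acls, crypto, capture = parse(config)
    out = []
    for name, entries in acls.items():
        for i, e in enumerate(entries, 1):
            if e[0] == "icmp" and (e[2] or e[4]):
                out.append(f"{name} entry {i}: 'eq' is not valid with icmp")
            for j, earlier in enumerate(entries[:i - 1] if name in crypto else [], 1):  # crypto ACLs match in reverse
                if covers(reverse(e), earlier):
                    out.append(f"{name} entry {j}: redundant, reverse of entry {i} covers it")
            if name in capture and reverse(e) not in entries:  # capture ACLs are one-way
                out.append(f"{name} entry {i}: no reverse entry, capture ACLs are not mirrored")
    for name in capture - set(acls):
        out.append(f"capture references undefined access-list {name}")
    return out

# Constructed sample: the thread's ACLs plus an assumed crypto map line and a capture line with a misspelled ACL name.
SAMPLE = """\
access-list to-pix-b permit tcp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
access-list to-pix-b permit tcp 192.168.20.0 255.255.255.128 192.168.10.0 255.255.255.128
access-list to-pix-b permit icmp 192.168.10.0 255.255.255.128 192.168.20.0 255.255.255.128 eq 5222
crypto map vpnmap 10 match address to-pix-b
access-list capture10_15_acl permit ip host 192.168.10.10 host 192.168.20.15
access-list capture10_15_acl permit ip host 192.168.20.15 host 192.168.10.10
capture c10_15 interface inside access-list capture_10_15_acl
"""
```

Running `lint(SAMPLE)` reports the redundant first tcp entry, the icmp "eq" entry and the undefined ACL reference; once the capture line names the ACL correctly, only the crypto ACL findings remain.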