Tuesday, June 5, 2012

How to Download Packet Captures as a PCAP File to Use in Wireshark on a Cisco ASA

If you need to download your packet captures from a Cisco ASA/PIX so you can import them into Wireshark, it is a very simple process.

I assume the following is true:
1. You have http (ASDM) access to the firewall
2. You already have a capture with captured packets (see here how to create a capture)

If you want to just see the capture in the browser first to make sure there are packets, you can do the following:

Command Format:
https://FW_IP/admin/capture/CAP_NAME
Example: 
https://10.55.55.55/admin/capture/jcap

Once you know you have data in your capture, you can download the pcap by doing the following:

Command Format:
https://FW_IP/admin/capture/CAP_NAME/pcap
Example:
https://10.55.55.55/admin/capture/jcap/pcap
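As an added example (not part of the original post), here is a small Python script that builds the URL above, fetches the capture, and checks that what came back is really a pcap file rather than an ASDM login or error page before you hand it to Wireshark. It assumes the ASDM web interface accepts HTTP basic authentication for this path, which is an assumption and not something the post states; the sample pcap bytes it validates are constructed.

```python
"""Download an ASA capture as pcap and sanity-check it before opening it in Wireshark.

Added example, not from the original post. It assumes the ASA serves the
capture at https://FW_IP/admin/capture/CAP_NAME/pcap as the post describes
and that the ASDM web interface accepts HTTP basic authentication (assumption).
"""
import base64
import ssl
import struct
import urllib.request

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic, microsecond timestamps
GLOBAL_HDR = 24                  # bytes in the pcap global header
RECORD_HDR = 16                  # bytes in each per-packet record header


def capture_url(fw_ip: str, cap_name: str, as_pcap: bool = True) -> str:
    """Build the ASDM capture URL from the post; the /pcap suffix returns the raw file."""
    url = f"https://{fw_ip}/admin/capture/{cap_name}"
    return url + "/pcap" if as_pcap else url


def download_capture(fw_ip, cap_name, username, password, cafile=None, timeout=30):
    """Fetch the raw pcap bytes over HTTPS with basic auth (assumed ASDM auth).

    cafile lets you trust the ASA's own certificate without turning
    verification off; leaving it None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(capture_url(fw_ip, cap_name))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def parse_pcap(data: bytes) -> dict:
    """Validate the global header and walk every record; raise on a non-pcap body.

    A login or error page comes back as HTML, which fails the magic check,
    so a bad download is caught here rather than in Wireshark.
    """
    if len(data) < GLOBAL_HDR:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"                                   # little-endian file
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        end = ">"                                   # big-endian file
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    _, major, minor, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:GLOBAL_HDR])
    packets, captured, pos = 0, 0, GLOBAL_HDR
    while pos < len(data):
        if pos + RECORD_HDR > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[pos:pos + RECORD_HDR])
        if incl_len > snaplen or pos + RECORD_HDR + incl_len > len(data):
            raise ValueError(f"truncated packet at offset {pos}")
        pos += RECORD_HDR + incl_len
        packets += 1
        captured += incl_len
    return {"version": f"{major}.{minor}", "linktype": linktype,
            "snaplen": snaplen, "packets": packets, "bytes": captured}


def build_sample_pcap() -> bytes:
    """Constructed sample: little-endian pcap, Ethernet (linktype 1), two frames."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    frames = [bytes(60), bytes([0xFF]) * 42]
    body = b"".join(struct.pack("<IIII", 1338854400 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body


if __name__ == "__main__":
    print(capture_url("10.55.55.55", "jcap"))
    print(parse_pcap(build_sample_pcap()))
    # download_capture("10.55.55.55", "jcap", "admin", "secret", cafile="asa-ca.pem")
```

Run `parse_pcap` on whatever `download_capture` returns; if it raises, inspect the body as text, because the ASA answered with a page rather than the capture.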



How to Capture traffic on a Cisco ASA with No Config Changes

Problem: You need to capture traffic between 1.1.1.1 and 2.2.2.2

In previous versions of ASA/PIX code (7.2 and below) you had to go into config mode, add a bi-directional access-list and then apply the packet capture. As of 7.2.1 you no longer have to do that, which makes creating captures a lot quicker, and no configuration changes are made to the firewall since no access-lists are created.


Command Format:
capture [CAP_NAME] interface [INT_NAME] match ip host x.x.x.x host x.x.x.x
Example: 
capture jcap interface inside match ip host 1.1.1.1 host 2.2.2.2

And while this rule looks like it would only capture traffic if it is sourced from 1.1.1.1, it is actually automatically bidirectional, so it will capture traffic sourced from either address.

To see and manage your captures, issue the following commands:
show capture - This will list all of the captures running on the ASA/PIX
show capture [CAP_NAME] - This will show the actual packets captured in that capture

clear capture [CAP_NAME] - This will clear the captured packets for one capture

no cap [CAP_NAME] - This will completely remove and stop the capture

There are many more options, such as ports and protocols; you can find those in the reference guide here:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

##############################

Here are some more captures I regularly use:

Change the capture to gather whole subnets:
Example: 
capture jcap interface inside match ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

If you need to see all the traffic to and from one address, you could make a capture like this:
Example: 
capture jcap interface inside match ip host 1.1.1.1 any
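To make the bidirectional behaviour concrete, here is an added Python model (not from the post or from Cisco) of the three `match ip` forms used on this page. It goes a little beyond the post in that it applies the same two-way rule to the subnet/mask and `any` forms as well; `ethernet-type` captures and port/protocol matches are deliberately rejected rather than guessed at.

```python
"""Model the match-ip semantics of the ASA capture command shown above.

Added example, not from the original post or Cisco. It parses the three
forms of 'match ip' used on this page (host/host, subnet mask/subnet mask,
host any) and answers whether a given packet would be captured, applying
the bidirectional rule the post describes. Port/protocol variants and
'ethernet-type' captures are not modelled and raise ValueError.
"""
import ipaddress


def _endpoint(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ASA writes subnets as 'address netmask', e.g. 1.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_capture(cmd: str) -> dict:
    """Turn 'capture NAME interface IF match ip A B' into a spec dict."""
    tokens = cmd.split()
    if len(tokens) < 6 or tokens[0] != "capture" or tokens[2] != "interface":
        raise ValueError("expected: capture NAME interface IF match ip ...")
    m = tokens.index("match") if "match" in tokens else -1
    if m < 0 or m + 1 >= len(tokens) or tokens[m + 1] != "ip":
        raise ValueError("only 'match ip' captures are modelled here")
    try:
        a, nxt = _endpoint(tokens, m + 2)
        b, nxt = _endpoint(tokens, nxt)
    except IndexError as exc:
        raise ValueError("incomplete address specification") from exc
    if nxt != len(tokens):
        raise ValueError("trailing tokens (ports/protocols) are not modelled")
    return {"name": tokens[1], "interface": tokens[3], "a": a, "b": b}


def packet_matches(spec: dict, src: str, dst: str) -> bool:
    """True if the capture would record a packet from src to dst.

    The ASA applies the match in both directions, so a capture written as
    'host 1.1.1.1 host 2.2.2.2' also records 2.2.2.2 -> 1.1.1.1.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    forward = s in spec["a"] and d in spec["b"]
    reverse = s in spec["b"] and d in spec["a"]
    return forward or reverse


if __name__ == "__main__":
    for cmd in ("capture jcap interface inside match ip host 1.1.1.1 host 2.2.2.2",
                "capture jcap interface inside match ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0",
                "capture jcap interface inside match ip host 1.1.1.1 any"):
        spec = parse_capture(cmd)
        print(cmd)
        for src, dst in (("1.1.1.1", "2.2.2.2"), ("2.2.2.2", "1.1.1.1"), ("3.3.3.3", "2.2.2.2")):
            print(f"  {src} -> {dst}: {packet_matches(spec, src, dst)}")
```

The `reverse` test in `packet_matches` is the whole point: the same capture line records both the request and the reply, which is why you do not need two captures (or an access-list) to see a conversation.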

Capture ARP requests and replies with the following:
Example: 
capture arpcap interface inside ethernet-type arp

How to failover the standby ASA from the primary ASA

If for some reason you can't access the standby firewall but need to reload it, and you only have access to the primary firewall, you can easily reboot the standby firewall by issuing the following command via the CLI:

failover reload-standby



Tuesday, March 6, 2012

How to Configure URL Filtering - Websense on a Cisco ASA



This is the standard configuration I use to bring up Websense on the firewall. There are other options available; you can check those out in the Cisco links below.

url-server (inside) vendor websense host 10.55.55.55 timeout 15 protocol TCP version 4  
url-block url-mempool 1500
url-block url-size 4
url-block block 128

filter url http 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate allow
filter https 443 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate allow
filter ftp 21 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

---------------------

Note: if you want to filter any IP going anywhere for http, https, and ftp, use the following:

filter url http 0 0 0 0 longurl-truncate allow
filter https 443 0 0 0 0 longurl-truncate allow
filter ftp 21 0 0 0 0 allow

**Side Note: The allow keyword in the filter command lets Websense fail open. Without the allow keyword it fails closed: if the ASA detects that the Websense server is down, it will simply block all traffic that needs to be filtered by Websense while the server is down.**


Cisco How to Document:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

More options:
I have included the link to the command line reference, which can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1625866

Websense How to document, starts on page 9:
http://www.websense.com/content/support/library/web/v71/wws_pdfs/install_cisco.pdf



If you want to check whether your Websense server is up, do the following:


CiscoASA#show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied         73/33/40
URLs allowed by cache/server      0/4
URLs denied by cache/server       0/15
HTTPSs total/allowed/denied       145/140/5
HTTPSs allowed by cache/server    0/18
HTTPSs denied by cache/server     0/1
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  0
Server timeouts/retries           0/0
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------
10.55.55.55                       UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   145/140/5
  Server timeouts/retries         0/0
  Responses received              145
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          1789    1701
LOOKUP_REQUEST          1456    1566
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0
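As an added example (not from the post or from Cisco), the following Python script parses output in the format shown above into a dictionary and reports when a url-server is DOWN or accumulating timeouts, wording the finding according to whether your filter commands carry the allow keyword (fail-open) or not (fail-closed). The UP sample is an excerpt of the output above; the DOWN sample is constructed from it.

```python
"""Parse 'show url-server statistics' and flag a down or timing-out Websense server.

Added example, not from the original post or Cisco. SAMPLE_UP is an excerpt
of the output printed in the post; SAMPLE_DOWN is a constructed variant.
Whether a down server means fail-open or fail-closed depends on the 'allow'
keyword in the filter commands, so check_url_server takes that as a flag.
"""
import re

SAMPLE_UP = """\
Global Statistics:
--------------------
URLs total/allowed/denied         73/33/40
HTTPSs total/allowed/denied       145/140/5
FTPs total/allowed/denied         0/0/0
Requests dropped                  0
Server timeouts/retries           0/0

Server Statistics:
--------------------
10.55.55.55                       UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   145/140/5
  Server timeouts/retries         0/0
  Responses received              145
"""

# Constructed variant: same layout, server marked DOWN with timeouts piling up.
SAMPLE_DOWN = re.sub(r"(10\.55\.55\.55\s+)UP", r"\g<1>DOWN", SAMPLE_UP)
SAMPLE_DOWN = re.sub(r"^(\s{2}Server timeouts/retries\s+)0/0", r"\g<1>12/36",
                     SAMPLE_DOWN, flags=re.M)

TRIPLE = re.compile(r"^(URLs|HTTPSs|FTPs) total/allowed/denied\s+(\d+)/(\d+)/(\d+)")
SERVER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(UP|DOWN)\b")
KV = re.compile(r"^\s{2}(\S.*?)\s{2,}(\S.*)$")   # indented per-server detail lines


def parse_url_server_stats(text: str) -> dict:
    """Return {'global': {kind: (total, allowed, denied)}, 'servers': [...]}."""
    stats = {"global": {}, "servers": []}
    cur = None                                     # server block being filled
    for line in text.splitlines():
        m = SERVER.match(line)
        if m:
            cur = {"host": m.group(1), "state": m.group(2)}
            stats["servers"].append(cur)
            continue
        m = TRIPLE.match(line)
        if m and cur is None:                      # global section only
            stats["global"][m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
            continue
        m = KV.match(line)
        if m and cur is not None:
            key, val = m.group(1), m.group(2)
            if key == "Server timeouts/retries":
                cur["timeouts"], cur["retries"] = (int(x) for x in val.split("/"))
            elif key == "Port":
                cur["port"] = int(val)
            elif key == "Vendor":
                cur["vendor"] = val
    return stats


def check_url_server(stats: dict, fail_open: bool) -> list:
    """Human-readable findings; an empty list means nothing needs attention."""
    findings = []
    for s in stats["servers"]:
        if s["state"] != "UP":
            effect = ("filtering is bypassed (fail-open, 'allow' present)" if fail_open
                      else "filtered traffic is being blocked (fail-closed, no 'allow')")
            findings.append(f"{s['host']} is {s['state']}: {effect}")
        if s.get("timeouts", 0) or s.get("retries", 0):
            findings.append(f"{s['host']} has {s.get('timeouts', 0)} timeouts / "
                            f"{s.get('retries', 0)} retries")
    if not stats["servers"]:
        findings.append("no url-server entries found in output")
    return findings


if __name__ == "__main__":
    for label, text in (("post output", SAMPLE_UP), ("constructed DOWN", SAMPLE_DOWN)):
        stats = parse_url_server_stats(text)
        print(label, stats["servers"], check_url_server(stats, fail_open=True))
```

Feed it the text of `show url-server statistics` collected however you normally pull CLI output; the point of the `fail_open` flag is that the same DOWN line means "users are unfiltered" on a firewall configured with allow and "users are blocked" on one without it, so the finding should say which.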