| How to Capture Traffic on Cisco ASA / PIX (sniffer) |
|
To capture traffic on a Cisco ASA or PIX firewall the capture command can be used. Example: Capturing traffic on ASA/PIX You want to capture traffic from/to host 10.100.100.1 located behind the dmz interface. The access-list is optional and is used to filter to interesting traffic pix1(config)# show capture Commands to show capturing results: Command to clear captured traffic: Command to save results to tftp server: copy capture:cap1 tftp://10.1.1.1/dmzhost.txt To save results in pcap format: Command to disable capturing: pix(config)# no capture cap1
This can be very helpful in troubleshooting connectivity issues. I most recently used this to troubleshoot VoIP issues for a customer. |
I recently implemented the Zenoss Enterprise appliance for the City of Houston Airport System to monitor over 250 Cisco network devices located at George Bush Intercontinental (IAH), William P. Hobby (HOU), and Ellington Airport (EFD).
Why Zenoss? According to the CTO of the Houston Airport System, Matt Hyde, the implementation of Zenoss “will give us greater visibility and control over our network devices and reduce our current monitoring costs”. He goes on to say that “within sixty days, we were able to make the switch to [Zenoss] and will pay for the cost of the new system with just two months of network monitoring savings. Total annual cost reductions are over 500%. Rarely do we ever get an ROI of that magnitude and we would not have achieved these savings without the help of Pate Consulting [implementing Zenoss].”
The appliance was nicely assembled in a 1U rack-mountable server. After plugging in the necessary keyboard, mouse, monitor, power, and network cables I powered it on and watched it proceed to boot CentOS 5.3
Aside from the necessary ‘yum update’, all I had to do was configure the correct time, time zone, assign a valid IP address, and setup an SMTP server (if you want Zenoss alerts sent via email, of course). As usual, I recommend Postfix.
Install and configure Postfix:
[root@host]# yum install postfix
[root@host]# vi /etc/postfix/main.cf
Change myhostname to a valid hostname in your environment
Make postfix startup on boot
[root@host]# chkconfig –level 2345 postfix on
[root@host]# service postfix start
Make sure that Postfix and Zenoss are running:
[root@host]# service postfix status
[root@host]# service zenoss status
Once we do that, then its on to the easy part – Zenoss Web Interface.
After adding all 5 networks, Zenoss automatically scanned them flawlessly.
As should be the case, the Cisco SNMP community string was not the Zenoss default ‘public’. This would cause problems if not corrected.
To solve this problem, I edited the SNMP community string in the /Network/Router/Cisco and /Network/Cisco class templates so that any device added to these classes would automatically inherit the correct community string.
Click on “Devices” on the left side menu then select the device class Network. Now, select the device class Router, then Cisco. At this point, the breadcrumb navigation should be “/Devices/Network/Router/Cisco”. This can be found just below the Zenoss logo. Click on the zProperties tab for this class. Change zSnmpCommunity to the new value. Just for good measure, go ahead and put your new community string in the zSnmpCommunities text area as well and save changes. From now on, every device you add to the /Network/Router/Cisco device class will inherit the new snmp community string. This is a lot of work for a few devices, but if you’re adding 250 devices this “feature” is a time-saver!
Overall, I was impressed with the Zenoss appliance and the City of Houston benefited from the power and flexibility of Zenoss.