FTD Traffic Troubleshooting Using Packet Tracer and Capture - 2

Captions
Hello viewers, in this tutorial session I'm going to show you how to troubleshoot traffic traversing the Firepower Threat Defense using packet capture. Now I'm going to show you how to capture packets on FTD; we can do it via the GUI and at the same time we can do it via the CLI.

I will click on Add Capture. I'm going to name my capture "test", and let me capture ICMP from source 10.10.20.100 to destination 20.20.20.1, and the interface, the ingress interface, will be the inside. There is a packet size, a buffer size, you can do continuous capture or stop when full, and trace. If you are not interested, you don't include trace; trace means it is going to run both packet tracer and also capture the packet at the same time, so you see the trace output on top followed by the capture, and sometimes you see the packet capture in between. But I'm not doing that. I will click on Save. There is also Auto Refresh, and you can disable it; that means every ten seconds it is going to auto-refresh the outputs instead of you refreshing it manually.

So this is: ICMP, source, destination, running. This is the edit icon if you want to edit, this is delete if you want to delete, this is clear if you want to clear the output (that means you want to clear your buffer, you want to clear the output), this is pause if you want to pause the capture, and this is save in case you want to save the capture.

So I'll go to my host. Let me run ping to 20.20.20.1; I don't think that will be allowed actually, I think I only allowed it to 30.30.30.1. Okay, that's fine, I will run ping to 30.30.30.1. Before I do that, I'm good with auto refresh... okay, I don't want to wait for the auto refresh, I'll refresh it myself. This is the first ping, which is from 10.10.20.100 to 20.20.20.1. You can see the only thing we can see is the echo request; we can only see the echo request, we are not seeing the response from the other end because it is not being permitted. That's another thing you need to know. So for example, in most cases when you are receiving echo requests, if your echo request is going out and you are not receiving a response, there's no reply coming back, it's either maybe you don't have a route to that host, to the outside, or maybe it's being blocked, it's being denied by an access list, an access rule or whatever. So those are the two main reasons that usually cause that.

Let me go to my access control policy just to prove that we don't have any rule that is permitting that traffic. So this is the ICMP rule I have; it's only permitting it to 30.30.30.1. So let me do that again: ping 30.30.30.1. That's fine. But even if I ping 30.30.30.1 it's not going to be captured there, because here my destination is 20.20.20.1, so either I change it, or maybe I use any destination, or maybe I'll just change it to 30.30.30.1. That will be fine. I'll click on Save and let me clear my buffer. So that's fine. So let me initiate the ping now. Okay, the ping has been allowed, so now we should see it. Yes. As I said, I will refresh manually, or you wait for the auto refresh which happens after 10 seconds. So I'll refresh manually. Okay, so let me click on this; you can see I've been able to capture traffic going from 10.10.20.100 to 30.30.30.1: this is request, this is reply, request, reply and the rest like that.

So now let me also show you how to do it via the CLI. Now we are here, I will use this CLI for this. This is the same FTD, 10.10.10.5. So now from the CLI you can capture; we have capture from LINA and we have capture from the Snort engine. Let me show you this. This is a document, you can search for it, it is very good; it talks about packet capture. It's a document prepared by some Cisco TAC engineers, so it's available online, it's free, you can just google its name. Now this will show you: we have the LINA part of the FTD, this is where traffic is received, ingress, and the rest like that, and here we have the Snort part. So you can do a LINA-level capture, which is from here, from the LINA, or you can do a Snort-level capture, which is going to be from here. So this is the Snort engine, this is the LINA and this is the rest of the LINA. So the LINA is just like the normal ASA, and here we have the advanced inspection.

So now I'll do this. Okay, so here, for me to capture LINA-level packets, I'll go to system support diagnostic-cli, just as if I'm going to my ASA. I'll just press Enter, the password, Enter, and I'll run the command capture; the name will be clitest, and let me do real-time... okay, before I do the real-time: interface, the interface is going to be inside, I'm going to make it real-time, I'm not going into any file, I'm going to show you how to do that, I just want you to understand. I'm doing ICMP: match icmp host 10.10.20.100, then host... I mean, you saw it, the destination is 30.30.30.1, but since I didn't use host for the destination, just like an access list, that means it represents any destination, the same as when you configure an access list. So match icmp, so that's fine. So this sits here and this will give me the LINA capture. And then, to capture from the Snort engine, to see if the Snort engine is really receiving the packets, I will not do this from the diagnostic CLI; I'll do it from the regular FTD CLI. That will be capture-traffic. capture-traffic, Enter, and the option to select is going to be 1. And then I'll use this command, host 10.10.20.100; let me just capture from 10.10.20.100. Okay, so that's fine.

I'm going to initiate a continuous ping. As you can see here, now I am receiving the ping on my LINA; this is the first phase, it passes through the LINA before it goes to the access control policy, where it's going to pass through the Snort engine. So on the LINA the request is working, the reply is working, and this is my Snort engine also, so I can see what is happening. So this is my Snort engine; you can see the request and reply and the rest like that. So that's why.

Now let me quickly demonstrate something. I hope you've watched... if you are watching this video, you must have seen my video where I talked about pre-filter policy and access control policy, so I won't bother with too much explanation on it right now. I'll click on Prefilter. This is the prefilter policy we are using for access control policy 3; so this is access control policy 3, which I'm using for my FTD 3, and this is the prefilter policy assigned to it. And now this is my prefilter policy; this is what I have. My prefilter policy will permit all traffic by default; that means all non-tunnel traffic is allowed, so I don't have any rule on it. When I say tunnel traffic, when we are talking of tunnel traffic, I'm referring to encapsulated traffic like GRE and the rest like that. So I'm not dealing with that. So here, this default action is for tunnel traffic; I can say for all tunnel traffic I want them to be blocked, so if I want any tunnel traffic, maybe GRE, if there is GRE traffic flowing through, I may need to create a tunnel rule from here, or click here to add a rule, or I can say okay, I want to analyze all tunnel traffic; that means by default all tunnel traffic, for example GRE traffic, will be passed to the access control policy. Because your traffic will pass through the prefilter first before getting to the access control policy, the prefilter must know what to do with the traffic. So here I didn't create any rule to permit or to deny, to block anything, so here I'm telling my prefilter that okay, any tunnel traffic, for example GRE traffic, just push it, just send it to the access control policy, so the access control policy knows what to do with it, to allow or not to allow.

Now for non-tunnel traffic, that is my normal IP traffic, like my ping, HTTP and just like that, by default (you can change this) it is allowed. So that means even if I don't configure any rule here, all the non-tunnel traffic will be passed to my access control policy. But if you don't want that, you can create a deny any any rule; you can click on Add Prefilter Rule and configure deny any any, that means it is going to block everything. But by default it is allowing all non-tunnel traffic. So that means my ICMP ping will pass through my prefilter policy, it hits this default and will be passed to the access control policy. This is my prefilter policy, this is what my ICMP is using, so it will be passed to the access control policy, and the access control policy will also do security intelligence, SSL inspection if configured, identity policy if configured, and the rest like that, and it will also check it against all the access rules that we have here. So here, if I have a rule that denies it, it's going to hit this, and the access control policy will drop it. So even though the prefilter did not drop it, the access control policy will drop it.

So now I just did this round-up so that you can understand. I'm going to add a prefilter rule; I'm going to name it, let me just name it test. I will click on Analyze, coming from inside going to outside, and the network is the 10.10.20.0 network going to any destination, that's fine. And now change it to Fastpath. If we remember, Fastpath means the traffic is going to be allowed; it won't be sent to the access control policy, so that means the traffic won't go through the Snort engine. So Fastpath means it should be allowed to go to the destination; that means there is no layer 7 inspection. So I'm going to deploy this. Let's check the deployment. And again I want to ask a question: the capture that we have on the FMC GUI, is it a Snort capture or a LINA capture? I'm not going to answer that; once our deployment is done, our test is going to answer that question. Okay, this is my capture. Okay, during deployment it is going to be unavailable, that's right, because I'm still deploying. So while we are doing that, let me bring up my capture. This is my LINA on the left-hand side, and this on my right-hand side is the Snort capture.

So now, okay, any traffic coming from 10.10.20.100, I have configured a prefilter policy that fastpaths it. So if 10.10.20.100 is going to any destination, it should not be sent to the access control policy, it should not go through the Snort engine at all; it should be fastpathed, it should go straight to the destination. So now that means once this policy has been fully deployed I should not receive any capture from the Snort engine again, because I have fastpathed the traffic, because the traffic is no longer going to my access control policy. So I should not receive any capture here anymore; there should not be any capture event here anymore, but possibly we will see capture events on my LINA capture, because in LINA, just like the ASA, the prefilter is working within the LINA; the prefilter is just like your normal ASA traditional access control policy, just based on the 5-tuple. So your LINA is tied to the prefilter while the Snort engine is tied to the access control policy.

Now at 90% the policy should be effective; at 98% whatever policy you deploy will be effective. As you can see from here, I'm not receiving any events; I'm not receiving any event here again, but as you can see this count is increasing: 959, 960, 962, 964, 966, you can see it is increasing because the LINA is still receiving the packets. But we've configured an access control list in the LINA telling the LINA to fastpath this traffic, so the traffic is no longer going through the access control policy, it is no longer going through the Snort engine. So that is that. So now let me also show you something. Let me do this. So even... that's right, in fact, you can see I'm still receiving packets. Let me refresh again; I'm still receiving packets, you can see. So this is to tell you that the capture you have here on the FMC GUI is not a Snort engine capture. The capture here on the FMC GUI is a LINA-level capture, because right now, as you can confirm from the CLI, you can see it... I'm sorry, pardon me for the mix-up, I mean pre-filter level capture; it covers up to the pre-filter level. As you can see, if I refresh this, the packets should have increased now, and I have 110 packets; if I refresh again I have 124 packets. So that means, again I repeat, I rephrase my statement: the capture which we have on the FMC GUI, we have the LINA capture, so the FMC GUI gives us the LINA capture. It's not just from Snort, it's from LINA, because as you can see, as I've been able to prove here, you can see the Snort capture, now we are not receiving anything on the Snort capture, but the LINA is still receiving. And because we also have a prefilter tied to the LINA, on the GUI we are still receiving the capture events, which shows that the GUI covers up to LINA. So it's giving us the LINA capture, the prefilter capture; it's giving us both. That's what you are getting from the FMC GUI.

So now, to further prove this, let me go back. Either I delete it or I'll just change it to Analyze. Analyze means send it to the access control policy, so this rule will do the same thing as this default non-tunnel traffic rule, but this one is specific to this source network. So Analyze means the prefilter allows it but you send it to the access control policy for further inspection. So I'm going to deploy, and I want to monitor the deployment from here, so I'll bring this up. So by the time this deployment reaches 98%, as we are receiving the traffic here on our LINA engine, we will also be receiving it on the Snort engine. So 95%... once it reaches 98%, we should be receiving capture events here on the Snort engine. Now, yeah, as you can see, now we are receiving them also, because now we've changed the Fastpath to Analyze. Analyze means send it to the access control policy, so now that it is passing through the access control policy, we have the events here and on the Snort engine capture at the same time.

And again let me quickly show you this also before I move on. I'm going to duplicate the session, still on my FTD. So here I'm going to run packet-tracer: packet-tracer input inside icmp, coming from 10.10.20.100 going to... okay, ICMP type, that should be, I think, 0; let me see if I get it right. And the code should be 8, and the destination should be 30.30.30.1. Oh, I used the wrong one there: the ICMP type, then code zero. I'm just going to confirm it; I think the code should be 0, then 30.30.30.1. Let me see. Okay, yeah, action allow. And let me show you something here. This capture, as you can see, this will capture... okay fine, it's allowed. Access list, route lookup, and you can see this is the prefilter policy, because once you add a prefilter rule that is set to Analyze or whatever, initially... if you go back to the packet-tracer video, what we always see is always the access control policy rule; but once you configure a prefilter policy and your traffic is hitting a prefilter policy, what you have here is going to be your prefilter policy name, which in my case is FTD3, and the prefilter policy rule, which is test. I will show you that from the prefilter policy. Okay, this is the prefilter policy name, FTD3, this is the prefilter policy rule, test. Initially, because there's no rule, you only have the default, what you are going to see here is going to be the default, it's going to be the access control policy name and rule name. But now, since we have a prefilter configured, and also our traffic is hitting it before getting to the access control policy, what we have here will be the prefilter policy and the prefilter rule name. And if you keep coming down, if we keep coming down, it will come down to Snort; this is where you now see the Snort, the Snort rule. And if you look at the application, unknown; that's why, since it's ICMP, starting rule matching, this ICMP type 8 code 0, firewall allowed rule: it only shows the rule ID, and it is being allowed. And here you can see the route lookup, next hop and the rest like that. So that is it. Let me quickly again... okay, you can see this is working as expected.

So let me quickly do something. Let me change this to Fastpath again; I'll change it to Fastpath and run the packet-tracer. I want us to see, I want you to see what the packet-tracer is going to look like. I'm going to have to deploy again; I want you to see what the packet-tracer output will look like when the traffic is fastpathed. So deployment 90 percent, fine. I'll run the packet-tracer command again, starting from the beginning. Okay, route lookup, access list, this is the prefilter policy name and rule name, then the service policy. As you can see there is no Snort inspection here; as you can see we don't have Snort inspection because it's been fastpathed, because it's been allowed. This one here says access list allow, route lookup allow, access list which is the prefilter policy, it's been allowed, this is the prefilter policy name and the rule name, and connection settings, that's fine. The service policy... the inspection here is ICMP, because in the service policy we have ICMP being inspected, so that's why we are having this. And again that means ICMP has been allowed, so it's been inspected; from our inside to outside as we are pinging, the return traffic will return. Okay, so this is it. As you can see, if we look through this capture, I mean packet-tracer output, there is no Snort engine in there because it is not going through the Snort engine at all; it is not passing through the Snort engine. So if I do the same for HTTP, I mean TCP, 10.10.20.100 and 1000 as the source port, 30.30.30.1 and 80 as the destination port, we'll look at the output for HTTP. So here, for HTTP, you can see the policy name; as you can see it is not going through the Snort engine.

I quickly want to show you two more things before I wrap up this video. Now I will do this: I will change it back to Analyze, just two more tests, to show you what the HTTP packet-tracer output is going to look like when it is passing through the access control policy. 98 percent, that's fine. So now we are sending it back to the access control policy, so I want you to see what the packet capture, packet-tracer sorry, for HTTP is going to look like now. The capture has been allowed, fine; access list, it's allowed; route lookup, that's fine; and here you can see the prefilter policy and the rule is test, that's right; and here now we are going to see the Snort section, you can see that, external inspect, Snort, and this is the Snort part. Now here we have the rule ID and it's been allowed. So that is that.

And again, if it is being blocked, for example, I'll delete this and let me go to the access control policy; let me block it from the access control policy. I'm going to change this to Block. So since I'm blocking, logging will be at the beginning... okay, that's fine. My intrusion... okay, I'm fine, intrusion policy, yeah... okay, let me change this, I'm trying to watch my... I'm going to change this to Allow; so that's fine, so I'll change it back to Block. Save, deploy, just to see what the output is going to look like. So I'm deploying. So right now, for the prefilter, if we check the prefilter, I've deleted all the rules, so now my traffic will hit the default non-tunnel traffic, it is allowed, that means it's going to be sent to the access control policy, and in the access control policy, definitely the access control policy is going to block the traffic in the long run because it is going to hit this... oh no, okay, I'll use ICMP, I used ICMP for example. Come back to... okay, the deployment is still on. I wanted to use HTTP for example; what I'm blocking... maybe I wanted to block HTTP but I blocked ICMP. That's fine, I'll use that for the demo.
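As an added example (not code from the video, and not Cisco's), here is a small Python parser that reads packet-tracer style output and answers the question the video keeps testing: did the flow reach the Snort engine, or was it fastpathed by the prefilter rule? The two sample outputs are constructed approximations of the phase layout for the video's icmp 10.10.20.100 -> 30.30.30.1 flow, reusing its policy name FTD3 and rule name test; the exact field text on a real FTD may differ.

```python
import re

# Constructed sample approximating packet-tracer phase layout; not real FTD output.
# Flow: icmp 10.10.20.100 -> 30.30.30.1 while prefilter rule "test" is Fastpath,
# so the phases stop at LINA and no SNORT phase appears.
FASTPATH_OUTPUT = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Prefilter Policy: FTD3 (rule: test)

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Same flow after the rule is changed to Analyze: a SNORT phase is now present
# (constructed by inserting the phase before the final Result block).
ANALYZE_OUTPUT = FASTPATH_OUTPUT.replace(
    "Result:\ninput-interface",
    "Phase: 4\nType: SNORT\nSubtype:\nResult: ALLOW\n\nResult:\ninput-interface",
)

# One phase block: number, type, optional subtype, result.
PHASE_RE = re.compile(
    r"^Phase: (\d+)\nType: ([A-Z-]+)\n(?:Subtype:.*\n)?Result: ([A-Z]+)", re.M
)


def parse_phases(text):
    """Return [(number, type, result), ...] for every phase, in order."""
    return [(int(n), t, r) for n, t, r in PHASE_RE.findall(text)]


def summarize(text):
    """Report whether the flow reached Snort, which prefilter rule it hit,
    the first phase that dropped it (if any) and the final action."""
    phases = parse_phases(text)
    action = re.search(r"^Action: (\w+)", text, re.M)
    pf = re.search(r"^Prefilter Policy: (\S+) \(rule: (\S+)\)", text, re.M)
    return {
        "phases": [t for _, t, _ in phases],
        "reached_snort": any(t == "SNORT" for _, t, _ in phases),
        "first_drop": next((t for _, t, r in phases if r == "DROP"), None),
        "prefilter": pf.groups() if pf else None,
        "action": action.group(1) if action else None,
    }


if __name__ == "__main__":
    for name, out in (("fastpath", FASTPATH_OUTPUT), ("analyze", ANALYZE_OUTPUT)):
        print(name, summarize(out))
```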
Info
Channel: Ayo Kush
Views: 1,853
Id: OgmiQg9-8Es
Length: 35min 9sec (2109 seconds)
Published: Mon Dec 09 2019