Does anyone know what the difference is between:
- The FTDv's "Management" port that it connects to the FMC with.
- The "eth0" port in the Linux bit of the FTDv ("expert"/bash CLI), that shares the same IP address as the previously mentioned port.
- ...and the "Management0/0" port in the ASA bit of the FTDv (diagnostic-CLI) that has no IP address configured?
For some context I have a hairy problem, and I need to capture ARP traffic on a Cisco FTDv/NGFWv/shithole, that's running in transparent mode. I also need the .pcap file to analyze in Wireshark.
The "capture w/trace" GUI on the FMC seems to only let you match protocols that are layer 3 or higher; in other words it won't match EtherType ARP.
So I SSH to the FTDv, run "system support diagnostic-cli" to get the ASA commands, and I can capture the ARP traffic with "capture CAP ethernet-type arp interface BLAH", which is fine.
But when I try to export this with "copy /pcap capture:CAP tftp://SERVER/CAP.pcap" it can't reach my TFTP server, and here's the crux of the issue:
This is a transparent firewall with BVIs, and the only layer 3 interface with which to send a capture is the management interface. This management interface seems to be a Linux interface that is completely separate from the ASA management interface; and you can't see the Linux interface from the diagnostic-CLI at all, so I assume that it's got nowhere to send the traffic?
Does "Management0/0" even have a vNIC?
What did I do in my previous life to deserve this firewall?
Should I become a plumber?