There are a few ASA features that are specific to the 5505. This small business version of the Cisco firewall works a little differently than the higher performance models. The ASA 5505 is basically an 8-port switch with the ASA logic functioning between VLANs. As such, you can do “switch stuff” that you cannot do on other versions. The feature that we are going to talk about today is called span, port monitoring, or port mirroring.
The purpose of “span” is to allow traffic to be sent to a sniffer or content filter for further inspection. The use case is most likely troubleshooting, but other monitoring solutions could be used as well. Without configuring a span port, the sniffer or monitoring station would only receive a subset of the traffic it needs to inspect. This traffic would be limited to broadcast, multicast and unknown unicast for the VLAN in which the port is configured. In order to capture all traffic to or from a port, the span function would be configured as follows:
ASA(config)# int ethernet 0/0
ASA(config-if)# description Outside Interface
ASA(config-if)# exit
ASA(config)# int ethernet 0/7
ASA(config-if)# description Monitoring Station/Sniffer
ASA(config-if)# switchport monitor ethernet 0/0 both
ASA(config-if)# exit
As is demonstrated above, the ASA 5505 has a straightforward configuration for the span functionality. The challenge is remembering that you have this feature at your disposal. If you are troubleshooting a small or medium business environment and need raw data from the wire, the span function (and Wireshark) is your friend.
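The flip side of a feature this easy to configure is that a span destination nobody approved hands a copy of the traffic to whatever is plugged into that port, so it is worth auditing the running-config for switchport monitor lines. The script below is an added example, not part of the original post; the sample config text and the approved sniffer port (Ethernet0/7) are constructed assumptions.

```python
"""Audit an ASA 5505 running-config for 'switchport monitor' (SPAN) sessions.

Added example, not from the original post. SAMPLE_CONFIG is constructed to
resemble 'show running-config' output; the approved port is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample: two SPAN sessions, only one of them on the sniffer port.
SAMPLE_CONFIG = """\
!
interface Ethernet0/0
 description Outside Interface
!
interface Ethernet0/1
 description Inside Workstations
!
interface Ethernet0/5
 description Spare Port
 switchport monitor Ethernet0/0 rx
!
interface Ethernet0/7
 description Monitoring Station/Sniffer
 switchport monitor Ethernet0/0 both
!
"""

@dataclass
class SpanSession:
    destination: str   # port that receives the mirrored copy
    source: str        # port being mirrored
    direction: str     # tx, rx or both (the ASA defaults to both)

def parse_span_sessions(config: str) -> list[SpanSession]:
    """Walk the config and collect every 'switchport monitor' under an interface."""
    sessions: list[SpanSession] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+switchport monitor\s+(\S+)(?:\s+(tx|rx|both))?", line)
        if m and current:
            sessions.append(SpanSession(current, m.group(1), m.group(2) or "both"))
    return sessions

def unauthorized_spans(config: str, allowed: set[str]) -> list[SpanSession]:
    """Return SPAN sessions whose destination is not an approved sniffer port."""
    allowed_lc = {a.lower() for a in allowed}
    return [s for s in parse_span_sessions(config) if s.destination.lower() not in allowed_lc]

if __name__ == "__main__":
    for s in unauthorized_spans(SAMPLE_CONFIG, {"Ethernet0/7"}):
        print(f"unapproved SPAN: {s.source} ({s.direction}) -> {s.destination}")
```

Feed it the output of show running-config from a real unit and keep the allowed set in sync with the ports your monitoring stations actually occupy.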