What is a disadvantage of ATM compared to Frame Relay? (Choose two.). The wireless client operating system password is not affected by the configuration of a home wireless network. Explanation: The first action a technician should do to secure a new wireless network is to change the default user-name and password of the wireless router. (Choose two.). It allows users to authenticate and access the WLAN. Neither the link-establishment phase nor the network-layer phase completed successfully. A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. ), 98. 229. Which two pieces of information should be included in a logical topology diagram of a network? Explanation: SSID cloaking is a weak security feature that is performed by APs and some wireless routers by allowing the SSID beacon frame to be disabled. Explanation: If no violation mode is specified when port security is enabled on a switch port, then the security violation mode defaults to shutdown. (Choose two. 70. What is the purpose of this configuration command? Point-to-point WAN services are circuit switched. A network administrator is adding ACLs to a new IPv6 multirouter environment. 54. 68. The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. What is required for a host to use an SSL VPN to connect to a remote network device? 31. NOTE: If you have the new question on this test, please comment Question and Multiple-Choice list in form below this article. In the data gathering process, which type of device will listen for traffic, but only gather traffic statistics? (Choose two.). What is the networking trend that is being implemented by the data center in this situation? The service agreement specifies that the access rate is 512 kbps, the CIR is 384 kbps, and the Bc is 32 kbps. 26. 33. We truly value your contribution to the website. Explanation: Splitting the wireless traffic between the 802.11n 2.4 GHz band and the 5 GHz band will allow for the 802.11n to use the two bands as two separate wireless networks to help manage the traffic, thus improving wireless performance. 58. 66. Explanation: Omnidirectional antennas send the radio signals in a 360 degree pattern around the antenna. (Choose three. It allows sites to use private IPv6 addresses and translates them to global IPv6 addresses. Which authentication method stores usernames and passwords in the router and is ideal for small networks? Then once the initial group of wireless hosts have connected to the network, MAC address filtering would be enabled and SSID broadcast disabled. It checks the source MAC address in the Ethernet header against the MAC address table. GRE uses AES for encryption unless otherwise specified. Python Version Policy - Explains the selection and support of Python in use for many of the development tools. The consent submitted will only be used for data processing originating from this website. ), 197. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages to lease the entire pool of available IP addresses, thus denying them to legitimate hosts. Which statement describes a characteristic of dense wavelength division multiplexing (DWDM)? I am taking my ccna 200-301 exam next month. The average transmission time between the two hosts is 2 milliseconds. The network engineer has been asked to connect the two corporate networks without the expense of leased lines. It is the best way to secure a wireless network. The server administrator in the branch office should reconfigure the DHCP server. What is a disadvantage of a packet-switched network compared to a circuit-switched network? A group of Windows PCs in a new subnet has been added to an Ethernet network. You can create multiple BBA groups or use the global BBA group: Server(config)#bba-group pppoe global Server(config-bba-group)#virtual-template 1. The NAT pool is using an invalid address range. This configuration could be used when a port is shared by two cubicle-sharing personnel who bring in separate laptops. Step 5. ), 221. What technology can be used to create a private WAN via satellite communications? Next, we create a static router to forward traffics destined to the branch office LAN to the IP address of the tunnel interface on BO router. The SNMP agent is not configured for read-only access. Upgrading the firmware on the wireless access point is always a good idea. For the IPSec Tunnel to come up. An IT security specialist enables port security on a switch port of a Cisco switch. A data center has recently updated a physical server to host multiple operating systems on a single CPU. so that the switch stops forwarding traffic, so that legitimate hosts cannot obtain a MAC address, so that the attacker can execute arbitrary code on the switch, a continuous interaction between people, processes, data, and things, a network infrastructure that spans a large geographic area, an architectural style of the World Wide Web. A network administrator has implemented the configuration in the displayed output. An administrator is configuring NAT to provide Internet access to the inside network. The beacon time is not normally configured. Refer to the exhibit. A network administrator is troubleshooting the dynamic NAT that is configured on router R2. A misconfigured firewall blocks traffic to a file server. Refer to the exhibit. (Choose two. Explanation: The WLANs tab in the Cisco 3504 WLC advanced Summary page allows a user to access the configuration of WLANs including security, QoS, and policy-mapping. Which two statements are true regarding a PPP connection between two Cisco routers? What is the purpose for the shared secret password? Explanation: A double-tagging (or double-encapsulated) VLAN hopping attack takes advantage of the way that hardware on most switches operates. (Choose two.). Feature Summary - A list of features included in VPP. Split the traffic between the 2.4 GHz and 5 GHz frequency bands. ), What is used to pre-populate the adjacency table on Cisco devices that use CEF to process packets? CCNA 2 v7 Modules 7 9: Available and Reliable Networks Exam Answers, CCNA 2 v7 Modules 14 16: Routing Concepts and Configuration Exam Answers, Modules 1 - 3: Basic Network Connectivity and Communications Exam Answers, Modules 4 - 7: Ethernet Concepts Exam Answers, Modules 8 - 10: Communicating Between Networks Exam Answers, Modules 11 - 13: IP Addressing Exam Answers, Modules 14 - 15: Network Application Communications Exam Answers, Modules 16 - 17: Building and Securing a Small Network Exam Answers, Modules 1 - 4: Switching Concepts, VLANs, and InterVLAN Routing Exam Answers, Modules 5 - 6: Redundant Networks Exam Answers, Modules 7 - 9: Available and Reliable Networks Exam Answers, Modules 10 - 13: L2 Security and WLANs Exam Answers, Modules 14 - 16: Routing Concepts and Configuration Exam Answers, Modules 1 - 2: OSPF Concepts and Configuration Exam Answers, Modules 3 - 5: Network Security Exam Answers, Modules 9 - 12: Optimize, Monitor, and Troubleshoot Networks Exam Answers, Modules 13 - 14: Emerging Network Technologies Exam Answers, 15.1.8 Check Your Understanding Static Routes Answers, 3.2.8 Packet Tracer Investigate a VLAN Implementation (Instructions Answer), 15.6.2 Lab Configure IPv4 and IPv6 Static and Default Routes (Answers), 4.4.9 Lab Troubleshoot Inter-VLAN Routing (Answers), CCNA 2 v7.0 Curriculum: Module 10 LAN Security Concepts, 4.5.1 Packet Tracer Inter-VLAN Routing Challenge (Instructions Answer), 8.1.5 Check Your Understanding IPv6 GUA Assignment Answers, 3.5.6 Check Your Understanding Dynamic Trunking Protocol Answers, 4.4.8 Packet Tracer Troubleshoot Inter-VLAN Routing (Instructions Answer), CCNA1 v7.0: ITN Practice PT Skills Assessment (PTSA) Answers, ITN (Version 7.00) Final PT Skills Assessment (PTSA) Exam Answers, CCNA 2 v7 Modules 10 13: L2 Security and WLANs Exam Answers. The command output displays that the encapsulation is PPP and that the LCP is open. Because there are no matches for line 10, the ACL is not working. Which two Cisco solutions help prevent DHCP starvation attacks? Phase 1 Verification. If a port security violation had occurred, a different error message appears such asSecure-shutdown. Explanation: ThePort Securityline simply shows a state ofEnabledif theswitchport port-securitycommand (with no options) has been entered for a particular switch port. GRE over IPSEC VPN and OSPF dynamic routing protocol configuration included. 35. Bandwidth is allocated to channels based on whether a station has data to transmit. A laptop cannot connect to a wireless access point. Requiring the users to switch to the 5 GHz band for streaming media is inconvenient and will result in fewer users accessing these services. 142. 80. It provides some basic settings and menus that users can quickly access to implement a variety of common configurations. Which access control component, implementation, or protocol controls who is permitted to access a network? What are two characteristics of video traffic? 227. Explanation: DAI can be configured to check for both destination or source MAC and IP addresses: 14. Which type of traffic would most likely have problems when passing through a NAT device? 49. SSH encrypts data communications between two network devices. 41. Which solution is the best method to enhance the performance of the wireless network? How to find: Press Ctrl + F in the browser and fill in whatever wording is in the question to find that question/answer. Refer to the exhibit. blackarch-tunnel : ip-tracer: 91.8e2e3dd: Track and retrieve any ip address information. (Choose two.). They can provide statistics on TCP/IP packets that flow through Cisco devices. What will be the inside global address of packets from PC-A after they are translated by R1? (Choose two.). 77. PPP can only be used between two Cisco devices. 13. 24. 23. R1 will not send critical system messages to the server until the command debug all is entered. 39. 52. A company connects to one ISP via multiple connections. 32 Which access control component, implementation, or protocol controls who is permitted to access a network? What is a simple way to achieve a split-the-traffic result? Add a Wi-Fi range extender to the WLAN and set the AP and the range extender to serve different bands. Make sure that different SSIDs are used for the 2.4 GHz and 5 GHz bands. Check and keep the firmware of the wireless router updated. Require all wireless devices to use the 802.11n standard. 119. Which type of wireless network often makes use of devices mounted on buildings? A corporation is searching for an easy and low cost solution to provide teleworkers with a secure connection to headquarters. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform? Which pillar of the Cisco IoT System allows data to be analyzed and managed at the location where it is generated? Point-to-point links are generally the least expensive type of WAN access. 1. Which type of wireless network uses transmitters to cover a medium-sized network, usually up to 300 feet (91.4 meters)? Which port security configuration enabled this? What are the two methods that are used by a wireless NIC to discover an AP? If you are looking for tasks to pick up as 'Starter Tasks' to start contributing, we keep a list of those in Jira. It ensures that the data is coming from the correct source. Explanation: BPDU guard can be enabled on all PortFast-enabled ports by using the spanning-tree portfast bpduguard default global configuration command. Repository: git clone https://gerrit.fd.io/r/vpp (Choose two.). Explanation: The devices involved in the 802.1X authentication process are as follows: 10. 159. If you want to access GUI/CLI from this IP address, you need to disable the packet filter. The ISP can only supply five public IP addresses for this network. Explanation: Manual configuration of the single allowed MAC address has been entered for port fa0/12. Which algorithm assures the highest level of confidentiality for data crossing the VPN? Question 103 needs the second answer colored red. Manage SettingsContinue with Recommended Cookies. A network engineer has issued the show interfaces serial 0/0/0 command on a router to examine the open NCPs on a PPP link to another router. 25. Which three subinterface commands could be used to complete the configuration? 23. What is one advantage to designing networks in building block fashion for large companies? What term describes the cause of this condition? Placing unused ports in an unused VLAN prevents unauthorized wired connectivity. Configure a common SSID for both split networks. Cisco Packet Tracer allows IPSEC VPN configuration between routers. 92. 18. An administrator wants to configure a router so that users on the outside network can only establish HTTP connections to the internal web site by navigating to http://www.netacad.com:8888. What is a primary function of the Cisco IOS IP Service Level Agreements feature? Explanation: In a small network with a few network devices, AAA authentication can be implemented with the local database and with usernames and passwords stored on the network devices. What is the function of a QoS trust boundary? A network administrator is asked to design a system to allow simultaneous access to the Internet for 250 users. Which two parameters would have to be configured to do this? Which step should the technician take next? (Choose two.). You can see we have some additonal information here like mac address, ip id, ttl etc. Use VPP as a Router Between Namespaces - An example configuration of the VPP platform as a router. Enable CDP on edge devices, and enable LLDP on interior devices. This keyword enables you to check the output of packet tracer for each packet, note that this will show packet tracer output only for inbound packets. The 5510 ASA device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and 175. Which statement describes a characteristic of standard IPv4 ACLs? 80. Which type of wireless network is suitable for providing wireless access to a city or district? A laptop cannot connect to a wireless access point. The LCP establishment phase will not start until the bandwidth reaches 70 percent or more. Refer to the exhibit. 185. 228. 50. Configure devices to use a different channel. Which feature on a switch makes it vulnerable to VLAN hopping attacks? The same encryption keys must be manually configured on each device. Which IPv6 packets from the ISP will be dropped by the ACL on R1? Which algorithm is considered insecure for use in IPsec encryption? They should not be enabled on edge devices, and should be disabled globally or on a per-interface basis if not required. 215. 113. Refer to the exhibit. A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac . Refer to the exhibit. We will update answers for you in the shortest time. 234. Open the PT Activity. 60. 7. A SNMP manager is using the community string of snmpenable and is configured with the IP address 172.16.10.1. 12. Although clients have to manually identify the SSID to be connected to the network, the SSID can be easily discovered. Thank you a lot!!! 226. Based on the partial output of the show running-config command, what is the cause of the problem? 222. Hey! CCNA 2 v7 Modules 10 13: L2 Security and WLANs Exam Answers 55. (Choose two.). 122. The NCP will send a message to the sending device if the link usage reaches 70 percent. Use VPP to Connect VMs Using Vhost-User Interface - An example of connecting two virtual machines using VPP L2 Bridge and vhost-user interfaces. Would love your thoughts, please comment. The username r1 should be configured on the router R1 and the username r2 should be configured on the router R2. What function is provided by Multilink PPP? 174. -It checks the source MAC address in the Ethernet header against the target MAC address in the ARP body. Unfortunately I am not well versed with Cisco WSA or ESA so not sure how much I can help here. 231. 199. (Choose three. It provides wireless data transmission over large urban areas. 163. Users have to use company-owned computers. Explanation: The violation mode can be viewed by issuing the show port-security interface command. They can be created with a number but not with a name. -Ensure that the NIC is configured for the proper frequency.-Ensure that the correct network media is selected.-Ensure that the laptop antenna is attached.-Ensure that the wireless NIC is enabled.-Ensure that the wireless SSID is chosen. The only users that can switch to the 5 GHz band will be those with the latest wireless NICs, which will reduce usage. Denied new tunnel to IP_address. Find below: When SNMPv1 or SNMPv2 is being used, which feature provides secure access to MIB objects? What is a feature of physical point-to-point WAN links? How many ports among switches should be assigned as trusted ports as part of the DHCP snooping configuration? What type of information is collected by Cisco NetFlow? How to find: Press Ctrl + F in the browser and fill in whatever wording is in the question to find that question/answer. Explanation: When DHCP snooping is being configured, the number of DHCP discovery messages that untrusted ports can receive per second should be rate-limited by using the ip dhcp snooping limit rate interface configuration command. 18. 178. 2. 9. Refer to the exhibit. The security policy in a company specifies that the staff in the sales department must use a VPN to connect to the corporate network to access the sales data when they travel to meet customers. The computers used by the network administrators for a school are on the 10.7.0.0/27 network. Configure PPP multilink interfaces on each router. Refer to the exhibit. Messages that are sent to the syslog server will be limited to levels 3 and higher. 51. Perform the tasks in the activity instructions and then answer the question. When users access high bandwidth services such as streaming video, the wireless network performance is poor. Which two commands are needed at a minimum to apply an ACL that will ensure that only devices that are used by the network administrators will be allowed Telnet access to the routers? Some of our partners may process your data as a part of their legitimate business interest without asking for consent. It provides a stronger authentication mechanism. Which two statements describe remote access VPNs? SSIDs are very difficult to discover because APs do not broadcast them.. VPP video tutorials (collection of short video tutorials). Refer to the exhibit. What is an advantage of SSID cloaking?. Which three flows associated with consumer applications are supported by NetFlow collectors? 55. The default action of shutdown is recommended because the restrict option might fail if an attack is underway. Whichtwo types of devices are specific to WAN environments and are not found ona LAN? 06:42 PM, Packet capture is a activity of capturing data packets crossing networking devices, There are 2 types - Partial packet capture and Deep packet capture, Partial packet capture just record headers without recording content of datagrams, used for basic troubleshooting upto L4. Encryption, Authentication parameters are used to encrypt the VPN as well as Network Traffic. Which statement applies to the password choice? (Not all options are used. What is the probable cause of this problem? ), 235. Open the PT Activity. How many 64 kb/s voice channels are combined to produce a T1 line? Replacing the wireless NICs will not necessarily correct the network being slow and it could be expensive for the company. What would be the primary reason an attacker would launch a MAC address overflow attack? What address translation is performed by static NAT? If ENCRYPT:DROP seen in packet-tracer. to allow forwarding of IPv6 multicast packets, packets that are destined to PC1 on port 80, neighbor advertisements that are received from the ISP router. To view the purposes they believe they have legitimate interest for, or to object to this data processing use the vendor list link below. Hi, folksHere a few more questions from my Modules 10 13: L2 Security and WLANs Exam, which missing here. If the wireless NIC is enabled, the correct media, radio, will be used. 18. No one is allowed to disconnect the IP phone or the PC and connect some other wired device.If a different device is connected, port Fa0/2 is shut down.The switch should automatically detect the MAC address of the IP phone and the PC and add those addresses to the running configuration. Explanation: Mitigating a VLAN attack can be done by disabling Dynamic Trunking Protocol (DTP), manually setting ports to trunking mode, and by setting the native VLAN of trunk links to VLANs not in use. Which Cisco Easy VPN component needs to be added on the Cisco router at the remote office? Packets with unknown source addresses will be dropped. Which feature sends simulated data across the network and measures performance between multiple network locations? Enable PPP encapsulation on the multilink interface. Thanks for the great work you have done: You can make the missing chapters of CCNA 2 version 7 available. Which three values or sets of values are included when creating an extended access control list entry? The help-desk technician asks the user to enter the IP address of the web server to see if the page can be displayed. What is missing from the configuration that would be preventing OSPF routing updates from passing to the Frame Relay service provider? Which WAN protocol is being used on the link? However, the link cannot be established. Which command sequence will place this list to meet these requirements? (Choose two.). (Choose two.). The company handbook states that employees cannot have microwave ovens in their offices. Why might H1 not be able to successfully ping H4 and H5? 121. Dishes, directional, and Yagi antennas focus the radio signals in a single direction, making them less suitable for covering large, open areas. As traffic is forwarded out an egress interface with QoS treatment, which congestion avoidance technique is used? 1/ Setup an ACL that will specify which interesting traffic will be allowed to pass through the tunnel. Refer to the exhibit. 187. Router R1 does not have a route to the destination network. (Choose two.). A high-level redundancy at the access layer may be better implemented if the number of connected devices is known., one of the layered troubleshooting approaches. It provides Layer 3 support for long distance data communications. The network administrator does not want any other host to connect to the web server except for the one test computer. H2 and H3 can ping H4 and H5. Refer to the exhibit. 2 and 2289 and 61 and 10744 and 8652 and 14554 and 22662 and 109. Cisco Packet Tracer 7.3 Free Download (Offline Installers) How to deploy FortiGate Virtual Firewall in GNS3; How to enable SSH on Ubuntu | 16.04 | 18.04; Summary. Using Multiprotocol Label Switching (MPLS), your data is completely isolated from other businesses and the Internet without using encryption. Ensure that the NIC is configured for the proper frequency. (Choose three.). In order to verify whether IKEv1 Phase 1 is up on the ASA, enter the show crypto isakmp sa command. Not the one with questions, i mean the one with packet tracer. Which ones will be on the test? What is the purpose of the generic routing encapsulation tunneling protocol? What does the engineer need to configure to open the IPV6CP NCP on the link? Excess traffic is retained in a queue and scheduled for later transmission over increments of time. (Choose two.). 129. 34. Which technology requires the use of PPPoE to provide PPP connections to customers? 225. A user reports that when the corporate web page URL is entered on a web browser, an error message indicates that the page cannot be displayed. wireless metropolitan-area networkwireless personal-area networkwireless local-area networkwireless wide-area network. By the use of sequence numbers, which function of the IPsec security services prevents spoofing by verifying that each packet is non-duplicated and unique? What two IEEE 802.11 wireless standards operate only in the 5 GHz range? 128. 67. ASA: Using Packet Capture to troubleshoot ASA Firewall : Configuration and Scenario's, Customers Also Viewed These Support Documents, http://www.iana.org/assignments/ethernet-numbers, There is something wrong in the config the tunnel was never initiated, Apply captures between the peer ip's and check that there is 2 way traffic for, If you see 2 way traffic for ESP or AH check if you see encap's/decap's in the output of, If any of the device is behind a nat device and nat traversal is enabled you will capture packets for, Most of the above is applicable to this as well, just one addition and that is sometimes we might use tcp 10000 for phase 2, so as i said before it is very important to know what traffic we are trying to capture in order to make troubleshooting easy using packet capture. A new 802.11n/ac dual-band router has been deployed on the network to replace the old 802.11g router. 106. Which statement describes the status of the PPP connection? Refer to the exhibit. A WAN is a LAN that is extended to provide secure remote network access. Create a second access list denying the host and apply it to the same interface. does not scale well to provide high speed WAN connections, requires multiple interfaces on the edge router to support multiple VCs, identifying fault conditions for the PPP link, providing multilink capabilities over the PPP link, enhancing security by providing callback over PPP, managing authentication of the peer routers of the PPP link. A network administrator has noticed an unusual amount of traffic being received on a switch port that is connected to a college classroom computer. The inside local IP address of PC-A is 192.168.0.200. ), 191. Which two hypervisors are suitable to support virtual machines in a data center? When a guest speaker attempts to connect to the network, the laptop fails to display any available wireless networks. Explanation: CAPWAP is an IEEE standard protocol that enables a WLC to manage multiple APs and WLANs. (Choose two.). If any of the FastEthernet ports 5 through 10 receive more than 6 DHCP messages per second, the port will be shut down. Perform the tasks in the activity instructions and then answer the question.Which event will take place if there is a port security violation on switch S1 interface Fa0/1?The interface will go into error-disabled state. Fill in the blanks. Configure CHAP authentication on each router. What could be the reason that the Fa0/2 interface is shutdown? This page has been accessed 250,017 times. empty > TCP traffic is throttled to prevent tail drop. Why might this solution improve the wireless network performance for that type of service? Disable the wireless network SSID broadcast. IPSEC VPN configuration lab on Cisco 2811 ISR routers using Cisco Packet Tracer 7.3. The network administrator that has the IP address of 10.0.70.23/25 needs to have access to the corporate FTP server (10.0.54.5/28). 177. Explanation: The 802.11a and 802.11ac standards operate only in the 5 GHZ range. DHCP versus static addressing should have no impact of the network being slow and it would be a huge task to have all users assigned static addressing for their wireless connection. It is used to authenticate and encrypt user data on the WLAN. How can an administrator configure a Cisco Easy VPN Server to enable the company to manage many remote VPN connections efficiently? The VPN connection is not statically defined. What mechanism compensates for jitter in an audio stream by buffering packets and then replaying them outbound in a steady stream? What action can a network administrator take to help mitigate the threat of VLAN attacks? The passwords for CHAP should be in lowercase. Build System Deep Dive - A close look at the components of the build system. 64. Which type of wireless network is suitable for national and global communications? The port violation mode is the default for any port that has port security enabled. 141. Note: On the ASA, the packet-tracer tool that matches the traffic of interest can be used in order to initiate the IPSec tunnel (such as packet-tracer input inside tcp 192.168.1.100 12345 192.168.2.200 80 detailed for example). 63. What are three techniques for mitigating VLAN attacks? For any security appliance performing tcp checks it is important that it see's both sides of traffic. The company is implementing the Cisco Easy VPN solution. Explain: On a Cisco switch, an interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs:Protect Packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. Therefore, PC1 must have a different MAC address than the one configured for port Fa0/2. What device is considered a supplicant during the 802.1X authentication process? (Choose two.). 43. Which step is required before creating a new WLAN on a Cisco 3500 series WLC? there are 2 ways of doing this, For this you need to enable http server on your ASA and you need to know the credentials used to access asa via asdm (default is no username no password), asa(config)# crypto key generate rsa modulus 1024, Note: This is for creating keys because we communicate with asa via https, if you have ssh access you probably have these keys, Once you have enabled http server on asa go to your browser and give the following in the url field, https:///capture//pcap, if it is in multiple context mode you have to specify the context, https:///capture///pcap, After you enter this you will be prompted for username password and once you enter that the captures are stored on your PC and you can open them in a packet anaylser tool, As metioned before in some cases you might need to capture packets on devices directly connected to asa and in most cases it is a switch connected to ASA and in such cases you can also span the switchport to collect captures, Here is a link which will help you setup a span on your catalyst switch, http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml#config, Once done always make sure that you remove the captures using the command, To verify if ASA is dropping any packet - simple connectivity issues, access-list capi extended permit ip host 192.168.1.2 host 4.2.2.2, access-list capi extended permit ip host 4.2.2.2 host 192.168.1.2, capture capin interface inside access-list capi, capture capin interface inside match ip host 192.168.1.2 host 4.2.2.2, [this is possible in asa 8.0 and above and we do not need to be in config mode to put apply an capture], access-list capo extended permit ip host a.b.c.d host 4.2.2.2, access-list capo extended permit ip host 4.2.2.2 host a.b.c.d, capture capout interface outside access-list capo, capture capout interface outside match ip host a.b.c.d host 4.2.2.2, [Note that we are using the natted ip - so for capture use the ip addresses that you expect to see on the wire after all processing is done for egress interface and before any processing is done for ingress interface], We can also apply capture using ASDM and the below screen shots show the steps for that, 192.168.1.2 > 4.2.2.2: icmp: echo request, So you can see we have captured bidirectional traffic, If you want to see more details you can use the detailed keyword at the end, 000c.29d6.7dca 0026.0b09.420c 0x0800 74: 192.168.1.2 > 4.2.2.2: icmp: echo request (ttl 128, id 52241), 0026.0b09.420c 000c.29d6.7dca 0x0800 74: 4.2.2.2 > 192.168.1.2: icmp: echo reply (ttl 127, id 16992), 000c.29d6.7dca 0026.0b09.420c 0x0800 74: 192.168.1.2 > 4.2.2.2: icmp: echo request (ttl 128, id 52242), 0026.0b09.420c 000c.29d6.7dca 0x0800 74: 4.2.2.2 > 192.168.1.2: icmp: echo reply (ttl 127, id 16993), 000c.29d6.7dca 0026.0b09.420c 0x0800 74: 192.168.1.2 > 4.2.2.2: icmp: echo request (ttl 128, id 52243), 0026.0b09.420c 000c.29d6.7dca 0x0800 74: 4.2.2.2 > 192.168.1.2: icmp: echo reply (ttl 127, id 17008), 000c.29d6.7dca 0026.0b09.420c 0x0800 74: 192.168.1.2 > 4.2.2.2: icmp: echo request (ttl 128, id 52244), 0026.0b09.420c 000c.29d6.7dca 0x0800 74: 4.2.2.2 > 192.168.1.2: icmp: echo reply (ttl 127, id 17251), 0026.0b09.420d 0022.556d.f140 0x0800 74: a.b.c.d > 4.2.2.2: icmp: echo request (ttl 128, id 52241), 0022.556d.f140 0026.0b09.420d 0x0800 74: 4.2.2.2 > a.b.c.d: icmp: echo reply (ttl 127, id 16992), 0026.0b09.420d 0022.556d.f140 0x0800 74: a.b.c.d > 4.2.2.2: icmp: echo request (ttl 128, id 52242), 0022.556d.f140 0026.0b09.420d 0x0800 74: 4.2.2.2 > a.b.c.d: icmp: echo reply (ttl 127, id 16993), 0026.0b09.420d 0022.556d.f140 0x0800 74: a.b.c.d > 4.2.2.2: icmp: echo request (ttl 128, id 52243), 0022.556d.f140 0026.0b09.420d 0x0800 74: 4.2.2.2 > a.b.c.d: icmp: echo reply (ttl 127, id 17008), 0026.0b09.420d 0022.556d.f140 0x0800 74: a.b.c.d > 4.2.2.2: icmp: echo request (ttl 128, id 52244), 0022.556d.f140 0026.0b09.420d 0x0800 74: 4.2.2.2 > a.b.c.d: icmp: echo reply (ttl 127, id 17251).