Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
150574
Views
25
Helpful
3
Comments

Troubleshooting Access Problems Using Packet-Tracer

Travis Williams
Community Member

‎07-03-2009 01:59 AM - edited ‎03-08-2019 06:29 PM

Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.

Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.

Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy.

Here is the CLI syntax:

 packet-tracer input [src_int] protocol src_addr src_port dest_addr  dest_port [detailed] [xml]

A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.


asaTestlab# "packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23"

Phase: 3
 Type: ACCESS-LIST
 Subtype: log
 Result: ALLOW
 Config: access-group inside in interface inside access-list inside extended permit ip any 10.4.1.0 255.255.255.0

Additional Information:


asaTestlab# "packet-tracer input inside tcp 10.1.1.1 1024 10.4.2.1  5282"

Phase: 3
 Type: ACCESS-LIST
 Subtype: log
 Result: DROP
 Config:  access-group inside in interface inside access-list inside extended deny tcp any host 10.4.2.1 eq 5282

Additional Information:

Evaluations of other elements of the config are similarly specific. Here is an example with nat-control enabled but without proper address translation defined:

asaTestlab# "packet-tracer input DMZ tcp 10.2.1.1 1024 10.4.2.1 http"

Phase: 7
 Type: NAT
 Subtype:
 Result: DROP
 Config:
 nat (DMZ) 0 access-list NoNAT
 nat-control
    match ip DMZ any outside any
       no translation group, implicit deny
       policy_hits = 1

Additional Information:

- Kevin Miller, Herman Miller, Inc., Zeeland, Michigan, USA

Packet-tracer does more than just inject a 'virtual'  packet into the data-plane. One can also add the 'trace' option to  the capture command, so that actual packets the security appliance  receives (which are matched by the capture) are also traced.

Example:  ASA# "capture mycap access-list 199 interface outside trace"

To view the packet-trace from captured packet #3 in the capture, use the command:  ASA# "show capture mycap trace packet-number 3"

To receive the latest information on Cisco online tools, certifications, support documentation, insights from Cisco experts and peers, and upcoming events, check out the Cisco Technical Services Newsletter today.

Labels:
Comments
Matias Ortiz
Level 1
Level 1
‎10-13-2016 10:26 AM

Hi, thanks for the post. These are helpful tools.

The link Cisco Technical Services Newsletter doesn't work for me, do you know if changed?

Regards.-

Travis Williams
Community Member
‎10-13-2016 10:34 AM

Hi Matias,

You're welcome!

Unfortunately, the Cisco Technical Services Newsletter was retired in 2014. My apologies for the inconvenience.

Thank you,

Travis

DarylBrooks
Level 1
Level 1
‎01-26-2017 09:17 AM

I know this is a post on an old thread, however when I run the packet tracer I receive the below:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca4b278, priority=11, domain=permit, deny=true
hits=1356658853, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

How can I decipher the hex ID for the access-list that is causing the packets to be dropped, as there is not a line with that Hex value from what I can see in the config.

Thanks,

Daryl

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents