How to see ACL traffic is allowed on.

ttpm12345
Level 1

ASA on 8.4 code.

I see traffic of interest allowed across the FW but not on the ACL I expected (that ACL has 0 hits).  How can I see the exact rule my specific traffic is allowed on? 


Accepted Solutions

Marvin Rhoads
Hall of Fame

Most often that's due to ACL order causing a more general rule to catch the flow before the more specific one ever sees it. The ASA works on a first match basis.

You can see which your traffic is hitting by using the packet-tracer command. i.e.,

packet-tracer input inside tcp <source IP> <source port> <destination IP> <destination port>

The output will walk the packet processing through the ASA (including any ACL encountered) and display the step-by-step processing decisions.
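The first-match behaviour described in the reply, as an added illustration that is not part of the original post or of Cisco's tooling: a small Python model of ASA-style extended ACEs evaluates a flow against a constructed ACL, shows that a broad "permit ip" above a more specific host rule is the one that gets the hit, and flags later ACEs that an earlier ACE fully covers (the ones that will always show 0 hits). The ACL text and addresses are constructed for the example; on a real ASA, packet-tracer and the hit counts in "show access-list" remain the authoritative check.

```python
import ipaddress

# Constructed ASA-style ACL (not from the original post): a broad "permit ip"
# sits above a more specific host/port rule, so the specific rule never fires.
ACL_TEXT = """
access-list OUTSIDE_IN extended deny tcp any host 10.1.1.5 eq 23
access-list OUTSIDE_IN extended permit ip any 10.1.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 443
"""

def _addr(t, i):
    """Consume one ASA address spec (any | host A | NET MASK) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines, keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append({"line": len(aces) + 1, "action": t[3], "proto": t[4],
                     "src": src, "dst": dst, "dport": dport})
    return aces

def first_match(aces, proto, src_ip, dst_ip, dport):
    """First ACE matching the flow, as the ASA evaluates it; None means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["dport"] in (None, dport)):
            return ace
    return None

def shadowed(aces):
    """(later line, earlier line) pairs where an earlier ACE fully covers a later one, so the later ACE can never be hit."""
    pairs = []
    for i, late in enumerate(aces):
        for early in aces[:i]:
            if (early["proto"] in ("ip", late["proto"])
                    and late["src"].subnet_of(early["src"])
                    and late["dst"].subnet_of(early["dst"])
                    and early["dport"] in (None, late["dport"])):
                pairs.append((late["line"], early["line"]))
                break
    return pairs

if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    hit = first_match(aces, "tcp", "203.0.113.7", "10.1.1.5", 443)
    print("HTTPS to 10.1.1.5 is", hit["action"], "by ACE line", hit["line"])  # line 2, not line 3
    print("shadowed (later, earlier):", shadowed(aces))                       # [(3, 2)]
```

Moving the specific line above the broad one (or removing the broad one) clears the shadowing; re-run shadowed() after the change to confirm it returns an empty list.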

