Cisco Support Community

How to see ACL traffic is allowed on.

ASA on 8.4 code.

I see traffic of interest allowed across the FW but not on the ACL I expected (that ACL has 0 hits).  How can I see the exact rule my specific traffic is allowed on? 


Accepted Solutions
Most often that's due to ACL order causing a more general rule to catch the flow before the more specific one ever sees it. The ASA works on a first match basis.

You can see which rule your traffic is hitting by using the packet-tracer command, i.e.,

packet-tracer input inside tcp <source IP> <source port> <destination IP> <destination port>

The output will walk the packet processing through the ASA (including any ACL encountered) and display the step-by-step processing decisions.
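An added illustration of the first-match behaviour described in the answer above (not part of the original post, and not ASA code): a simplified Python model that evaluates constructed ASA-style ACL lines top-down, reports which line a flow matches, and lists lines that an earlier, broader line fully covers. The ACL name, addresses and helper names are assumptions made for the example.

```python
import ipaddress

# Constructed sample: simplified ASA-style extended ACL lines (not from the post).
SAMPLE_ACL = """\
access-list inside_in extended permit ip 10.1.0.0 255.255.0.0 any
access-list inside_in extended permit tcp host 10.1.1.5 host 192.0.2.10 eq 443
access-list inside_in extended deny ip any any
"""

def _addr(tok):
    """Consume one address spec (any | host A | NET MASK) from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")

def parse(line):
    """Parse: access-list NAME extended ACTION PROTO SRC DST [eq PORT]."""
    tok = line.split()
    rule = {"text": line, "action": tok[3], "proto": tok[4]}
    rest = tok[5:]
    rule["src"], rule["dst"] = _addr(rest), _addr(rest)
    rule["port"] = int(rest[1]) if rest[:1] == ["eq"] else None
    return rule

def first_match(acl_text, proto, src, dst, dport):
    """Return (line_number, rule) of the first ACE matching the flow, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl_text.strip().splitlines(), 1):
        r = parse(line)
        if (r["proto"] in ("ip", proto) and src in r["src"] and dst in r["dst"]
                and r["port"] in (None, dport)):
            return n, r
    return None  # nothing matched in this model

def shadowed(acl_text):
    """Line numbers of ACEs fully covered by an earlier, broader ACE (never hit)."""
    rules = [parse(l) for l in acl_text.strip().splitlines()]
    return [j + 1 for j, r in enumerate(rules)
            if any(e["proto"] in ("ip", r["proto"]) and r["src"].subnet_of(e["src"])
                   and r["dst"].subnet_of(e["dst"]) and e["port"] in (None, r["port"])
                   for e in rules[:j])]
```

In the sample, the HTTPS flow from 10.1.1.5 matches line 1, so the specific rule on line 2 never sees it; moving line 2 above line 1 makes it the first match.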
