Cisco Support Community

Test ACL to see which ACE is blocking traffic

On the ASA and FWSM, is there a way to check which ACE would be blocking a particular traffic?  I'm looking for a command where I just tell it which ACL is in use and feed it the source-ip/port and dest-ip/port.

Thank you in advance.

Vince

Accepted Solution

Re: Test ACL to see which ACE is blocking traffic

Hi,

Well, the ASA does have a tool that can easily tell you which ACL rule some traffic hits. Though I guess there is a very small chance that you would have such old software that it's not supported, but I doubt it. This command isn't supported on FWSM, however.

On ASA you can use the "packet-tracer" command.

Basically, if you want to test traffic incoming from the "inside" interface then you could do (IPs and ports are made up):

packet-tracer input inside tcp 10.10.10.10 12345 8.8.8.8 80

Traffic incoming from "outside" could be simulated with (the command needs a destination IP and port as well; placeholders shown):

packet-tracer input outside tcp 1.1.1.1 12345 <destination-ip> <destination-port>

I am not completely sure, but on the FWSM (and also on the ASA side) you might be able to look at the log message of the blocked connection and look at the very end of the log message, which has a sequence of numbers. This might match some ACE in that interface's ACL when you look at the ACL with the command "show access-list".

For example, I made a "deny" rule on my ASA like this:

access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any

I then generate traffic from source address 3.3.3.3 to one of my internal IP addresses, and the ASA generates this log message:

Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 by access-group "WAN-IN" [0x6131ef0b, 0x0]

I then check my ACLs with "show access-list | inc 6131ef0b", which essentially contains the number sequence I mentioned earlier. The output is the following, and we have found the ACL rule that blocked the connection attempt:

ASA# show access-list | inc 6131ef0b

access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni
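The hash-matching technique from the answer above, done in bulk, as an added example (this is not code from the original post or from Cisco): the first hex value in the `[0x..., 0x0]` suffix of the ASA deny message is the ACE hash that "show access-list" prints at the end of each ACE line, so a saved syslog and a saved "show access-list" can be joined on (access-list name, hash). The syslog lines and "show access-list" output below are constructed samples with hashes chosen to line up; a deny whose hash no longer appears in the ACL (typically because the ACL was edited after the log was written) is reported rather than silently dropped.

```python
"""Correlate ASA %ASA-4-106023 deny messages with the ACE that produced them.

Added example, not from the original post. Joins the ACE hash at the end of
each deny log line with the hash printed by "show access-list".
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Deny(NamedTuple):
    proto: str
    src: str          # "ifc:ip/port" exactly as logged
    dst: str
    acl: str          # access-group name from the log
    ace_hash: str     # hex digits, lowercase, without the 0x prefix


class Ace(NamedTuple):
    acl: str
    line: int
    body: str         # e.g. "extended deny ip host 3.3.3.3 any"
    hitcnt: int
    ace_hash: str


# Constructed sample syslog (same message format as in the answer; addresses made up).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 by access-group "WAN-IN" [0x6131ef0b, 0x0]
%ASA-4-106023: Deny udp src WAN:3.3.3.3/53211 dst LAN:10.0.10.5/53 by access-group "WAN-IN" [0x6131ef0b, 0x0]
%ASA-4-106023: Deny tcp src LAN:10.0.10.20/40000 dst WAN:198.51.100.7/23 by access-group "LAN-OUT" [0x9a3c1f20, 0x0]
%ASA-4-106023: Deny tcp src WAN:4.4.4.4/5555 dst LAN:10.0.10.1/443 by access-group "WAN-IN" [0xdeadbeef, 0x0]
"""

# Constructed "show access-list" output; ACE hashes chosen to line up with SAMPLE_LOG.
SAMPLE_SHOW_ACL = """\
access-list WAN-IN; 2 elements; name hash: 0x1c2d3e4f
access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b
access-list WAN-IN line 2 extended permit tcp any host 10.0.10.1 eq www (hitcnt=120) 0x7b2a9c11
access-list LAN-OUT; 2 elements; name hash: 0x5a6b7c8d
access-list LAN-OUT line 1 extended deny tcp any any eq telnet (hitcnt=1) 0x9a3c1f20
access-list LAN-OUT line 2 extended permit ip any any (hitcnt=9876) 0x0d1e2f30
"""

# Deny message: capture protocol, endpoints, access-group name and the first hash.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src>\S+) dst (?P<dst>\S+) '
    r'by access-group "(?P<acl>[^"]+)" \[0x(?P<hash>[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]'
)

# Only per-ACE lines carry "line N ... (hitcnt=N) 0xHASH"; the ACL summary line does not match.
ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) '
    r'\(hitcnt=(?P<hits>\d+)\).*?0x(?P<hash>[0-9a-fA-F]+)\s*$'
)


def parse_show_access_list(text: str) -> Dict[Tuple[str, str], Ace]:
    """Index every ACE by (access-list name, lowercase hash)."""
    aces: Dict[Tuple[str, str], Ace] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = Ace(m["acl"], int(m["line"]), m["body"], int(m["hits"]), m["hash"].lower())
            aces[(ace.acl, ace.ace_hash)] = ace
    return aces


def parse_denies(text: str) -> List[Deny]:
    """Extract the deny messages from a syslog dump; other lines are ignored."""
    denies: List[Deny] = []
    for raw in text.splitlines():
        m = DENY_RE.search(raw)
        if m:
            denies.append(Deny(m["proto"], m["src"], m["dst"], m["acl"], m["hash"].lower()))
    return denies


def match_denies(log_text: str, show_acl_text: str) -> List[Tuple[Deny, Optional[Ace]]]:
    """Pair each deny with its ACE; None when the hash is absent (ACL changed since the log)."""
    aces = parse_show_access_list(show_acl_text)
    return [(d, aces.get((d.acl, d.ace_hash))) for d in parse_denies(log_text)]


def report(log_text: str, show_acl_text: str) -> List[str]:
    """One human-readable line per deny, naming the blocking ACE or flagging a stale hash."""
    out: List[str] = []
    for deny, ace in match_denies(log_text, show_acl_text):
        flow = f"{deny.proto} {deny.src} -> {deny.dst}"
        if ace is None:
            out.append(f"{flow}: no ACE 0x{deny.ace_hash} in {deny.acl} (ACL edited since?)")
        else:
            out.append(f"{flow}: {ace.acl} line {ace.line} {ace.body} (hitcnt={ace.hitcnt})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_SHOW_ACL):
        print(line)
```

In practice you would feed `report()` a syslog export and a pasted `show access-list` captured at the same time; the hash is what makes the join reliable, since line numbers shift whenever an ACE is inserted.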


Test ACL to see which ACE is blocking traffic

Perfect
