Basic Troubleshooting For traffic through ASA Firewall
Here are some basic ASA firewall troubleshooting tips for network traffic passing through the ASA. You can use the commands for basic checks on ASA firewalls.
Task 1: How to check interfaces and security levels in ASA firewall
1. Login to ASA firewall and go to enable mode
FWL001/act/pri> en
Password: *********
FWL001/act/pri#
2. Use the below commands to check the status of the interfaces
FWL001/act/pri# show interface ip brief
Interface                IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0       unassigned      YES unset  down                  down
GigabitEthernet0/1       unassigned      YES unset  administratively down down
GigabitEthernet0/2       unassigned      YES unset  administratively down down
GigabitEthernet0/3       unassigned      YES unset  administratively down down
GigabitEthernet0/4       unassigned      YES unset  administratively down down
GigabitEthernet0/5       unassigned      YES unset  administratively down down
GigabitEthernet0/6       unassigned      YES unset  administratively down down
GigabitEthernet0/7       unassigned      YES unset  administratively down down
TenGigabitEthernet1/0.1  10.100.1.1      YES CONFIG up                    up
TenGigabitEthernet1/0.2  10.100.2.1      YES CONFIG up                    up
TenGigabitEthernet1/0.3  10.100.3.1      YES CONFIG up                    up
TenGigabitEthernet1/0.4  10.100.4.1      YES CONFIG up                    up
FWL001/act/pri# show ip
System IP Addresses:
Interface                Name        IP address    Subnet mask       Method
Management0/0            management  10.1.1.10     255.255.255.248   CONFIG
TenGigabitEthernet1/0.1  pub         10.100.1.1    255.255.255.0     CONFIG
TenGigabitEthernet1/0.2  prim        10.100.2.1    255.255.255.0     CONFIG
TenGigabitEthernet1/0.3  acs         10.100.3.1    255.255.255.0     CONFIG
TenGigabitEthernet1/0.4  priv        10.100.4.1    255.255.255.0     CONFIG
FWL001/act/pri# show nameif
Interface                Name        Security
Management0/0            management  100
TenGigabitEthernet1/0.1  pub          85
TenGigabitEthernet1/0.2  prim         80
TenGigabitEthernet1/0.3  acs         100
TenGigabitEthernet1/0.4  priv         95
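The security levels above decide what the ASA does with a new connection when no access-list is bound to the ingress interface, so they are worth reading before you start chasing ACLs. As an added example (my code, not part of the original post or of Cisco's tooling), the following Python snippet parses the `show nameif` output and applies the standard ASA default: higher-to-lower level is permitted, lower-to-higher is denied, and equal levels are denied unless `same-security-traffic permit inter-interface` is configured. The function names are mine; the interface values are copied from the output above.

```python
import re

# `show nameif` output copied from the listing above (page data).
SHOW_NAMEIF = """\
Interface                Name       Security
Management0/0            management 100
TenGigabitEthernet1/0.1  pub         85
TenGigabitEthernet1/0.2  prim        80
TenGigabitEthernet1/0.3  acs        100
TenGigabitEthernet1/0.4  priv        95
"""


def parse_nameif(text):
    """Return {nameif: (physical interface, security level)}.

    Only rows whose last column is numeric are kept, so the header line
    and blank lines are skipped automatically.
    """
    levels = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            levels[m.group(2)] = (m.group(1), int(m.group(3)))
    return levels


def default_direction(levels, src, dst, same_security_inter=False):
    """Default ASA verdict for a connection entering on `src` and leaving
    on `dst` when no access-group is applied inbound on `src`:

      higher -> lower level : allowed (stateful; return traffic is allowed)
      lower  -> higher level: denied
      equal levels          : denied unless
                              `same-security-traffic permit inter-interface`

    Once an inbound access-list is bound to `src`, that list (including its
    implicit deny) decides instead, which is what packet-tracer reports.
    """
    src_level = levels[src][1]
    dst_level = levels[dst][1]
    if src_level > dst_level:
        return "allowed"
    if src_level < dst_level:
        return "denied"
    return "allowed" if same_security_inter else "denied"


def matrix(levels, same_security_inter=False):
    """Default verdict for every ordered interface pair; a quick way to spot
    a pair that is more permissive than you expected before reading ACLs."""
    names = sorted(levels, key=lambda n: -levels[n][1])
    return {(a, b): default_direction(levels, a, b, same_security_inter)
            for a in names for b in names if a != b}


if __name__ == "__main__":
    lv = parse_nameif(SHOW_NAMEIF)
    for (a, b), verdict in matrix(lv).items():
        print(f"{a:>10} ({lv[a][1]:3}) -> {b:<10} ({lv[b][1]:3}): {verdict}")
```

Run it against the text captured from `show nameif` on your own device; the interesting rows are the ones that read "allowed" towards an interface you consider sensitive, because those are the flows the ACLs must restrict explicitly.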
Task 2: How to check routes and ARP on the ASA firewall
1. Check active route in routing table for a particular destination
FWL001/act/pri# show route 10.100.4.9
Routing entry for 10.100.4.0 255.255.255.0
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via priv
      Route metric is 0, traffic share count is 1
2. Check if the route is present in running configuration for a specific destination
FWL001/act/pri# show run route | include 10.70.4.9
route priv 10.70.4.9 255.255.255.255 10.100.4.2
3. Check whether the destination is on a directly connected Layer 2 segment and whether its ARP entry has been learnt by the firewall
FWL001/act/pri# show arp | include 10.100.4.9
priv 10.100.4.9 0050.5696.7e49 59
Task 3: Capture packets on an ASA interface to check whether packets for a specific source and destination are seen on the ASA
1. Find the source and destination IP / subnet and, if possible, the TCP/UDP ports involved
2. Apply a capture on the incoming interface to check that the packets are arriving from the source, then apply it on the outgoing interface to see whether the packets are sent out
FWL001# capture <name of capture> interface <name of interface> match ip host <source ip> host <destination ip>
For more options, use ? after each keyword on the firewall command line interface
FWL001/act/pri# capture mycap interface priv match ip host 172.22.161.78 host 10.70.4.9
An example output of the packet-tracer tool is shown below; the tool simulates a packet entering on a given interface and reports each processing phase. It shows some of the most useful features: not only the result of the ACL evaluation, but also the specific ACE that permits or denies the packet, including a hit on the implicit deny.
FWL001#packet-tracer input pub tcp 10.140.0.17 1002 10.70.4.46 1002 det
Phase: 1
Type: CAPTURE
There is a capture setup for this traffic
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffc26734a0, priority=13, domain=capture, deny=false
        hits=14633546662, user_data=0x7fffc2705270, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=pub, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2406214503, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: pub
input-status: up
input-line-status: up
output-interface: priv
output-status: up
output-line-status: up
Action: allow
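A full packet-tracer trace runs to a dozen or more phases and it is easy to miss the one that actually dropped the packet. As an added example (my code, not part of the original post or of Cisco's tooling), here is a small Python parser that splits a trace into its phases, extracts the trailing Result block, and names the first phase whose result is DROP together with the reported drop reason. The ALLOW trace below is abridged from the output above; the DROP trace is constructed to show the access-list denial the text mentions, and its rule id and hit count are placeholders rather than values from a real device.

```python
import re

# Abridged from the packet-tracer output shown above (page data).
ALLOW_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffc26734a0, priority=13, domain=capture, deny=false
        input_ifc=pub, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
New flow created with id 2406214503, packet dispatched to next module

Result:
input-interface: pub
output-interface: priv
Action: allow
"""

# Constructed denial trace; rule id and hit count are placeholders.
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
found next-hop 10.100.4.2 using egress ifc priv

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in  id=0xPLACEHOLDER, priority=11, domain=permit, deny=true
        hits=42, input_ifc=pub, output_ifc=any

Result:
input-interface: pub
output-interface: priv
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, final): one dict per 'Phase: N' block with its type,
    subtype, result and leftover lines as 'info', plus the summary block
    that follows the bare 'Result:' line, keyed by lower-cased field name."""
    phases, final, cur, in_final = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":            # bare 'Result:' opens the summary block
            in_final = True
            continue
        if in_final:
            key, _, val = line.partition(":")
            final[key.strip().lower()] = val.strip()
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "info": []}
            phases.append(cur)
            continue
        if cur is None:                  # text before the first phase
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                cur[key.lower()] = line[len(key) + 1:].strip()
                break
        else:
            if line not in ("Config:", "Additional Information:"):
                cur["info"].append(line)
    return phases, final


def first_drop(phases, final):
    """(phase number, phase type, drop reason) when the packet was dropped,
    or None when the trace ends in 'Action: allow'."""
    if final.get("action", "").lower() != "drop":
        return None
    for p in phases:
        if p["result"].upper() == "DROP":
            return p["phase"], p["type"], final.get("drop-reason", "")
    return None, "", final.get("drop-reason", "")


if __name__ == "__main__":
    for name, trace in (("allow", ALLOW_TRACE), ("drop", DROP_TRACE)):
        phases, final = parse_packet_tracer(trace)
        print(name, [(p["phase"], p["type"], p["result"]) for p in phases],
              final.get("action"), first_drop(phases, final))
```

The `info` lines of the dropping phase are where the matched ACE (or "Implicit Rule") appears, so printing `phases[n]["info"]` for the phase returned by `first_drop` gives you the rule to review without scrolling through the whole trace.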