Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Basic Troubleshooting For traffic through ASA Firewall

Here are some basic ASA firewall troubleshooting tips for network traffic passing through the ASA. You can use the commands for basic checks on ASA firewalls.
 
Task1 : How to check interfaces and security levels in ASA firewall
 
1.       Login to ASA firewall and go to enable mode
 
FWL001/act/pri> en
Password: *********
FWL001/act/pri#
 
2.       Use the below commands to check the status of the interfaces
 
FWL001/act/pri# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         unassigned      YES unset  down                  down
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
GigabitEthernet0/7         unassigned      YES unset  administratively down down
TenGigabitEthernet1/0.1    10.100.1.1       YES CONFIG up                    up
TenGigabitEthernet1/0.2    10.100.2.1      YES CONFIG up                    up
TenGigabitEthernet1/0.3    10.100.3.1      YES CONFIG up                    up
TenGigabitEthernet1/0.4    10.100.4.1      YES CONFIG up                    up

 
FWL001/act/pri# show ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Management0/0            management             10.1.1.10    255.255.255.248 CONFIG
TenGigabitEthernet1/0.1  pub             10.100.1.1       255.255.255.0 CONFIG
TenGigabitEthernet1/0.2  prim             10.100.2.1      255.255.255.0 CONFIG
TenGigabitEthernet1/0.3  acs              10.100.3.1      255.255.255.0 CONFIG
TenGigabitEthernet1/0.4  priv             10.100.4.1      255.255.255.0 CONFIG

 
FWL001/act/pri# show nameif
Interface                  Name                     Security
Management0/0              management               100
TenGigabitEthernet1/0.1    pub              85
TenGigabitEthernet1/0.2    prim                80
TenGigabitEthernet1/0.3    acs                100
TenGigabitEthernet1/0.4    priv                95

Task 2 : How to check Routes and arp on the ASA firewall.
 
1.       Check active route in routing table for a particular destination
 
FWL001/act/pri# show route 10.100.4.9
 
Routing entry for 10.100.4.0 255.255.255.0
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via priv
      Route metric is 0, traffic share count is 1
 
2.       Check if the route is present in running configuration for a specific destination
 
FWL001/act/pri# show run route | include 10.70.4.9
route priv 10.70.4.9 255.255.255.255 10.100.4.2
 
3.       Check if the designation is on directly connected on Layer2 segment and if it’s ARP is learnt on the firewall
FWL001/act/pri# show arp | include 10.100.4.9
        priv 10.100.4.9 0050.5696.7e49 59

Task 3 : Capture  packets on ASA interface to check if the packets are seen on ASA for a specific source and destination
 
1.       Find the source and destination IP / subnet and if possible the TCP/ UDP ports involved
2.       Apply captures on incoming interface to check if the packets are arriving from source and then apply it on outgoing interface to see if the packets are sent out
 
FWL001 # capture <name of capture> interface <name of interface>match ip host <source ip> host <destination ip>
 
For more options use ? at each option on the firewall command line interface
 
Example
 
FWL001/act/pri# capture mycap interface priv match ip host 172.22.161.78 host 10.70.4.9
 
3.       Check the captures on CLI
 
FWL001/act/pri# show cap <name of capture>
 
FWL001/act/pri# show cap mycap
 
19 packets captured
 
   1: 09:05:04.909544       802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
   2: 09:05:04.909758       802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391851 win 14600
   3: 09:06:04.945507       802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
   4: 09:06:04.945736       802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391851 win 14600
   5: 09:07:04.764761       802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: P 4084884520:4084884534(14) ack 1611391851 win 14600
   6: 09:07:04.767477       802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: F 4084884534:4084884534(0) ack 1611391851 win 14600
   7: 09:07:04.802738       802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884535 win 3879
   8: 09:07:04.804279       802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: FP 1611391851:1611391851(0) ack 4084884535 win 3879
   9: 09:07:04.804417       802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391852 win 14600
  10: 12:02:38.681269       802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
  11: 12:02:38.681605       802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
  12: 12:02:38.721489       802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
  13: 12:02:38.721611       802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
  14: 12:02:38.761557       802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
  15: 12:02:38.761648       802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
  16: 12:02:38.801640       802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
  17: 12:02:38.801731       802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
  18: 12:02:38.841707       802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
  19: 12:02:38.841814       802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
19 packets shown
 
4.       Export the capture from firewall to view in wireshark
 
Using the https
 
If you have enabled http server on asa go to your browser and give the following in the url field

  https://<ip address of asa>/capture/<capname>/pcap

 
Export via copy command

copy /pcap capture:

disk
flash
ftp
smb
system
tftp
 
Example
 
FWL001/act/pri# copy /pcap capture: flash:
 
Source capture name []? mycap
 
Destination filename [mycap]? mycap
!
19 packets copied in 0.10 secs

Task 4 : Capture IPv6 traffic on ASA firewall
 
1.       Configure access-list with source and destination IP/ subnet
ASA1(config)# show access-list test-cap
 
access-list test-cap extended permit ip host 2005:200:802:689::1 any6
 
2.       Apply the ACL in capture
 
FWL001(config)# show cap
capture test access-list test-cap interface outside
 
3.       Send test traffic
 
FWL001(config)# ping outside 2005:200:802:689::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2005:200:802:689::6, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 
4.       View the capture
 
FWL001(config)# show cap test
 
9 packets captured
 
   1: 10:31:56.217441       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   2: 10:31:57.210285       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   3: 10:31:58.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   4: 10:32:00.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   5: 10:32:01.209904       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   6: 10:32:02.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   7: 10:32:04.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   8: 10:32:05.209904       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   9: 10:32:06.209965       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
9 packets shown

Task 5 : Troubleshooting Access Problems Using Packet-Tracer
 
Packet-tracer is available both from the CLI and in the ASDM. The ASDM version includes and the ability to navigate quickly to a failed policy.
 
Here is the CLI syntax:
 
#packet-tracer input [src_int] protocol src_addr src_port dest_addr  dest_port [detailed]
 
A examples output is shown below. This tool shows some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.
 
FWL001#packet-tracer input pub tcp 10.140.0.17 1002 10.70.4.46 1002 det
 
Phase: 1
Type: CAPTURE  There is a capture setup for this traffic
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffc26734a0, priority=13, domain=capture, deny=false
        hits=14633546662, user_data=0x7fffc2705270, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=pub, output_ifc=any
 
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff96dd8fa0, priority=1, domain=permit, deny=false
        hits=51585156773, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=pub, output_ifc=any
 
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.4.2 using egress ifc  priv
 
Phase: 4
Type: ACCESS-LIST <- Ingress interface  ACL check
Subtype: log
Result: ALLOW
Config:
access-group pub_access_in in interface pub
access-list pub_access_in extended permit tcp object-group HP_HG object H_AD object-group HP_SERVICES
access-list pub_access_in remark Discription: HP connectivity
object-group network HP_HG
network-object object H_10.140.0.14
network-object object H_10.140.0.12
network-object object H_10.140.0.17
network-object object H_10.140.0.18
object-group service HP_SERVICES tcp
port-object eq 1002
port-object eq 3001
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffcaa13670, priority=13, domain=permit, deny=false
        hits=9, user_data=0x7fff9c531440, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=10.140.0.17, mask=255.255.255.255, port=0, tag=any
        dst ip/id=10.70.4.46, mask=255.255.255.255, port=1002, tag=any, dscp=0x0
        input_ifc=pub, output_ifc=any
 
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff85712500, priority=7, domain=conn-set, deny=false
        hits=1584067435, user_data=0x7fff856f7810, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=pub, output_ifc=any
 
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb53214a0, priority=0, domain=nat-per-session, deny=false
        hits=2548149073, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any
 
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff96ddf3b0, priority=0, domain=inspect-ip-options, deny=true
        hits=1484564486, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=pub, output_ifc=any
 
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff96dd5870, priority=20, domain=lu, deny=false
        hits=1214058922, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=pub, output_ifc=any
 
Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff856dffc0, priority=0, domain=user-statistics, deny=false
        hits=88671632, user_data=0x7fff8ab43b20, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=priv
 
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7fffb53214a0, priority=0, domain=nat-per-session, deny=false
        hits=2548149075, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any
 
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7fffbedf4c40, priority=0, domain=inspect-ip-options, deny=true
        hits=88125839, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=priv, output_ifc=any
 
Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff856e82d0, priority=0, domain=user-statistics, deny=false
        hits=1780977342, user_data=0x7fff8ab43b20, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=pub
 
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2406214503, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Result:
input-interface: pub
input-status: up
input-line-status: up
output-interface: priv
output-status: up
output-line-status: up
Action: allow

Version history
Revision #:
1 of 1
Last update:
‎11-25-2016 06:58 AM
Updated by:
 
Labels (1)
Everyone's tags (2)