https://community.cisco.com/t5/network-security/how-best-to-test-asa-configuration/m-p/2104227#M392975 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess this mostly depends how complex each context is going to be.</P><P></P><P>The only thing I can think of at the moment would be the "packet-tracer" command on the CLI. Same can be found on the ASDM side also.</P><P></P><P>What this command does is that it shows you what rules/configurations/translations the ASA would apply to the packet if it were to enter the&nbsp; ASA</P><P></P><P>Basic command format is</P><P></P><P><STRONG>packet-tracer input <INTERFACE> <PROTOCOL> <SOURCE ip=""> <SOURCE port=""> <DESTINATION ip=""> <DESTINATION port=""></DESTINATION></DESTINATION></SOURCE></SOURCE></PROTOCOL></INTERFACE></STRONG></P><P></P><P>Where</P><UL><LI>interface = The source interface where the connection would come from</LI><LI>protocol = Usually TCP/UDP/ICMP</LI><LI>source IP = Source IP address for the connection</LI><LI>source port = Random source port for the connection</LI><LI>destination IP = Destination IP address for the connection</LI><LI>destination port = Destination port for the connection</LI></UL><P></P><P></P><P>I personally use the above command to test NAT rules quite often after I've done some changes. I might also use it in cases where I have a large ACL on an interface and want to quickly test if a certain connection would pass the ACL and to which ACL line it would "hit".</P><P></P><P>I used this command quite a lot in my biggest migration project from pre 8.2 environment to post 8.3 environment. This was mostly because I didnt use any tool to convert the NAT rules but just went through them one by one and when I was done I confirmed with "packet-tracer" that everything was working OK.</P><P></P><P>In the end I ended up with only 1 NAT that wasnt working but it was simply due to Copy/Paste problems. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> Had a wrong destination interface in a Static NAT command.</P><P></P><P>There are naturally alot of commands to go through the firewall when you have configured it but I would say that "packet-tracer" command gives the most information out of all of them.</P><P></P><P>Please do rate if you found the information helpfull and/or ask more questions. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Sun, 13 Jan 2013 20:43:45 GMT Jouni Forss 2013-01-13T20:43:45Z https://community.cisco.com/t5/network-security/how-best-to-test-asa-configuration/m-p/2104226#M392974 <P>Hello Community,</P><P></P><P>I'm about to set up as ASA configuration with GNS3 ASA's(see link/attachment). Can someone please show how to best test the configuration once complete?</P><P></P><P>I need something like a verification plan to ensure that the configuration would perform if in production.</P><P></P><P>Alternatively, if you could point me to sample ASA configurations that include a verification or test plan that would also be great.</P><P></P><P>Cheers</P><P></P><P>Carlton</P><P></P><P><A href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml</A></P> Tue, 12 Mar 2019 00:46:25 GMT https://community.cisco.com/t5/network-security/how-best-to-test-asa-configuration/m-p/2104226#M392974 Carlton Patterson 2019-03-12T00:46:25Z https://community.cisco.com/t5/network-security/how-best-to-test-asa-configuration/m-p/2104227#M392975 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I guess this mostly depends how complex each context is going to be.</P><P></P><P>The only thing I can think of at the moment would be the "packet-tracer" command on the CLI. Same can be found on the ASDM side also.</P><P></P><P>What this command does is that it shows you what rules/configurations/translations the ASA would apply to the packet if it were to enter the&nbsp; ASA</P><P></P><P>Basic command format is</P><P></P><P><STRONG>packet-tracer input <INTERFACE> <PROTOCOL> <SOURCE ip=""> <SOURCE port=""> <DESTINATION ip=""> <DESTINATION port=""></DESTINATION></DESTINATION></SOURCE></SOURCE></PROTOCOL></INTERFACE></STRONG></P><P></P><P>Where</P><UL><LI>interface = The source interface where the connection would come from</LI><LI>protocol = Usually TCP/UDP/ICMP</LI><LI>source IP = Source IP address for the connection</LI><LI>source port = Random source port for the connection</LI><LI>destination IP = Destination IP address for the connection</LI><LI>destination port = Destination port for the connection</LI></UL><P></P><P></P><P>I personally use the above command to test NAT rules quite often after I've done some changes. I might also use it in cases where I have a large ACL on an interface and want to quickly test if a certain connection would pass the ACL and to which ACL line it would "hit".</P><P></P><P>I used this command quite a lot in my biggest migration project from pre 8.2 environment to post 8.3 environment. This was mostly because I didnt use any tool to convert the NAT rules but just went through them one by one and when I was done I confirmed with "packet-tracer" that everything was working OK.</P><P></P><P>In the end I ended up with only 1 NAT that wasnt working but it was simply due to Copy/Paste problems. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN> Had a wrong destination interface in a Static NAT command.</P><P></P><P>There are naturally alot of commands to go through the firewall when you have configured it but I would say that "packet-tracer" command gives the most information out of all of them.</P><P></P><P>Please do rate if you found the information helpfull and/or ask more questions. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Sun, 13 Jan 2013 20:43:45 GMT https://community.cisco.com/t5/network-security/how-best-to-test-asa-configuration/m-p/2104227#M392975 Jouni Forss 2013-01-13T20:43:45Z