topic Re: Packet Tracer command in Network Security

Packet Tracer command

Manu Shankar — Fri, 21 Feb 2020 16:28:10 GMT

How can I put the source port (src-port) as any in the below ASA command instead of specific port?

packet-tracer input ifc_name protocol src-ip src-port dst-ip dst-port

packet-tracer input outside tcp 192.168.10.10 3389 172.16.10.10 3389

ciscoasa# sh conn
6 in use, 12 most used
TCP DMZ 192.168.10.10:3389 Inside 172.16.10.10:49165, idle 0:00:27, bytes 127770, flags UIO

Re: Packet Tracer command

Mohammed al Baqari — Wed, 14 Nov 2018 08:43:04 GMT

You can't use any as source port. You have to specify a number but its not
relevant as the source port is usually random > 1023.

Re: Packet Tracer command

Manu Shankar — Wed, 14 Nov 2018 08:54:15 GMT

That means the packet tracer command doesn't check the source port. It only meant to check the SIP, DIP and dst-port.

Re: Packet Tracer command

Marvin Rhoads — Wed, 14 Nov 2018 10:13:30 GMT

It can and does check the source port. However, due to the nature of how tcp and udp generally works, source ports are ephemeral (semi-random port number >1023 as @Mohammed al Baqari mentioned) so we very seldom have an ACL or other rule that restricts source port numbers.

Generally when using packet-tracer I just use 1234 as my source port unless I have a specific reason to use a specific port (very very rarely in real life).

Re: Packet Tracer command

Manu Shankar — Wed, 14 Nov 2018 11:14:16 GMT

Thank you Mohammed and Marvin.