11-13-2018 11:42 PM - edited 02-21-2020 08:28 AM
How can I put the source port (src-port) as any in the below ASA command instead of a specific port?
packet-tracer input ifc_name protocol src-ip src-port dst-ip dst-port
packet-tracer input outside tcp 192.168.10.10 3389 172.16.10.10 3389
ciscoasa# sh conn
6 in use, 12 most used
TCP DMZ 192.168.10.10:3389 Inside 172.16.10.10:49165, idle 0:00:27, bytes 127770, flags UIO
11-14-2018 12:43 AM
11-14-2018 12:54 AM
That means the packet-tracer command doesn't check the source port. It is only meant to check the SIP, DIP and dst-port.
11-14-2018 02:13 AM
It can and does check the source port. However, due to the nature of how TCP and UDP generally work, source ports are ephemeral (semi-random port numbers >1023, as @Mohammed al Baqari mentioned), so we very seldom have an ACL or other rule that restricts source port numbers.
Generally when using packet-tracer I just use 1234 as my source port unless I have a specific reason to use a specific port (very very rarely in real life).
11-14-2018 03:14 AM
Thank you Mohammed and Marvin.