ASA Packet Trace question concerning Deny rule

Johan de Greef
Level 1

Hi guys,

For a client we need to allow a single host to contact another host, but all the other traffic needs to be dropped. In the ACL there is a line permitting the host to send IP traffic to the specified host; the next line is a deny ip any to the specified host.

The client now wants to know what addresses are being denied to send traffic to the specified host, so I want to configure a packet trace to get some in-depth information, not just hits. Now I was wondering, do the dropped packets get to the tracer or do they get dropped before they get to the tracer? In other words, what comes first, the deny in the ACL or the log in the packet trace?

Thanks in advance!

2 Replies

The packet tracer will simulate the traffic and will tell you if it passes or not. If there is an ACL blocking traffic it will tell you.

Sent from Cisco Technical Support iPhone App

Thanks for your reply, Paul!

Will the packet tracer also tell me if I use a live ACL (which I have configured on the same inside as the packet tracer)?

The two scenarios I'm thinking about are:

1. Host -> Packet Tracer (LOG) -> ACL (DROP)

2. Host -> ACL (DROP) ..... packet tracer isn't reached.

Or do the ACL and Packet Tracer coexist, so that the ACL doesn't look at the Packet Tracer and vice versa?
