ASA packet tracer cisco

cisco8887
Level 2

Hi ,

When you ping from the ASA packet tracer, it says the connection fails, but it doesn't if you actually do it. Why?

For instance, I can ping 8.8.8.8 from the outside interface IP, but when I run the packet-tracer command it says it will fail.

Does the packet tracer actually generate traffic which can be captured?

Many thanks

1 Accepted Solution

Accepted Solutions

The ACL and NAT that you configure do not apply to traffic initiated from the ASA. The ASA uses the configured route to send the traffic.

The packet-tracer utility is used to evaluate through-the-box traffic (traffic initiated from devices behind the ASA) across your configuration, to check how traffic would be evaluated.

 

Hope it answers your question.

 

Thanks,

R.Seth

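To make the distinction in the accepted answer concrete, here is an added example (not part of the thread or of Cisco's own documentation) of a minimal ASA configuration and the packet-tracer invocation that actually exercises it. The interface names, the inside network 192.168.1.0/24, the host 192.168.1.10, the next hop 100.1.1.2, the object and ACL names are all assumptions; only the outside address 100.1.1.1 and the target 8.8.8.8 come from the thread.

```cisco
! Added example, not from the thread. Assumed addressing:
! inside 192.168.1.0/24 behind "inside", outside interface IP 100.1.1.1,
! default gateway 100.1.1.2. Object, ACL and interface names are hypothetical.
!
! --- relevant configuration ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 100.1.1.2 1
!
! --- through-the-box test: an inside host pinging 8.8.8.8 ---
! The simulated packet ingresses "inside" (security level 100, no ACL applied,
! so the flow is permitted by default), is translated by the object NAT above
! (source becomes 100.1.1.1), and leaves via the default route. Each phase
! (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) is printed with an ALLOW/DROP result;
! "detailed" adds the flow and rule internals.
packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8 detailed
!
! --- what the thread's command simulates instead ---
! A packet with source 100.1.1.1 *entering* "outside" toward 8.8.8.8 must leave
! through "outside" again: that is intra-interface (U-turn) traffic, which the
! ASA only allows when the command below is configured, and it is also checked
! against OUTSIDE-IN like any other packet arriving on that interface.
! Neither the ACL nor the U-turn rule is consulted for the ASA's own
! "ping outside 8.8.8.8", which is why the two results differ.
packet-tracer input outside icmp 100.1.1.1 8 0 8.8.8.8
same-security-traffic permit intra-interface
```

Run the first packet-tracer before and after removing the `nat` line or adding a deny entry to an inside ACL to see the NAT and ACCESS-LIST phases flip to DROP; that is the kind of policy check the tool is designed for.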

10 Replies

Rishabh Seth
Level 7

You can use packet-tracer to test the configuration for transit traffic and not for from-the-box traffic. From-the-box traffic is not evaluated across your configuration (ACL and NAT).

As far as capturing packet-tracer output, I think it should be seen in captures.

Thanks,

R.Seth

Thanks for this, but the ASA reports it will be blocked by the implicit deny. If it is not evaluated against it, why say it will be denied?

Can you share details about the packet tracer you are running?

Thanks,

R.Seth

packet-tracer input outside icmp 100.0.0.1 8 0 8.8.8.8

I enter the above command on the ASA and replace the 100.0.0.1 with my real outside interface IP address.

This says the packet will be dropped.

I then issue "ping outside 8.8.8.8" and it works.

I am using the packet-tracer functionality of the ASA, not the Packet Tracer software (the simulator).

So what you are trying will be interpreted by the ASA as a packet trying to enter the ASA with source IP 100.1.1.1 and destination 8.8.8.8.

The ASA will consider this a scenario where traffic has to be routed back via the same interface. This is blocked by default. Hence you see an implicit deny.

I would say this is not the right way to check traffic initiated by the ASA using packet-tracer.

 

Hope it answers your query.

Thanks,

R.Seth

Sure, how would you then check what policy is applied to the traffic generated by the ASA?

If the outside address of the interface is 100.1.1.1 and I am trying to ping 8.8.8.8, my feeling is that the below is what I need to use:

packet-tracer input outside icmp 100.1.1.1 8 0 8.8.8.8

This returns a result showing the packet will get denied, but it doesn't if you do "ping outside 8.8.8.8".


Cool, so do you know of any ways traffic generated by the ASA can be checked? Or is there nothing?

You can check the show conn all output to see traffic initiated from the ASA.

Also, you can try a capture on the ASA to see traffic generated by the ASA.

 

Hope it helps!!!

Thanks,

R.Seth

Mark answer as correct if it helps in answering your query. :)
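The two checks suggested in the reply above, written out as an added example (not from the thread): a capture scoped to the ASA's own ping, the ping itself, and the connection table. The capture name OUTCAP, the use of 100.1.1.1 as the outside address, and the `repeat` count are assumptions; the commands are standard ASA CLI.

```cisco
! Added example, not from the thread. Assumed: outside interface IP 100.1.1.1,
! target 8.8.8.8, capture name OUTCAP (arbitrary).
!
! 1. Capture only ICMP between the ASA's outside address and the target, on
!    the outside interface, so the buffer holds nothing but the traffic of
!    interest.
capture OUTCAP interface outside match icmp host 100.1.1.1 host 8.8.8.8
!
! 2. Generate from-the-box traffic sourced from the outside interface. A
!    longer repeat count keeps the flow alive long enough to inspect it from
!    a second session.
ping outside 8.8.8.8 repeat 50
!
! 3. From a second session while the ping runs: "show conn" lists transit
!    flows only; "all" adds the ASA's own (to-the-box and from-the-box)
!    connections. Filter on the target so the box-originated ICMP entry is
!    easy to spot.
show conn all | include 8.8.8.8
!
! 4. What actually left and came back. The echo requests from 100.1.1.1 and
!    the replies from 8.8.8.8 are here even though no ACL permits them on
!    "outside": box-originated traffic follows the route table and is not
!    run through the interface ACL or NAT.
show capture OUTCAP
!
! 5. Clean up; a capture keeps its buffer until it is removed.
no capture OUTCAP
```

If the capture stays empty, first confirm the source interface with `show route 8.8.8.8` (the ASA sources its ping from the interface the route points at, so `ping outside` only matches this filter when the route is via outside), then widen the filter to `match icmp any any` before suspecting anything else.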

Many thanks !!!!! 

:D
