Checking traffic from ASA using ASDM

mahesh18
Level 6

Hi everyone.

I need to check if our ASA allows access to IP 192.168.x.x, which is the DNS server at the remote site.

I tried the packet tracer and chose the interface and the source and destination IP.

What source and destination port do I choose while using the ASDM?

Thanks

Mahesh

9 Replies

Jouni Forss
VIP Alumni

Hi,

The source port can be any random UDP port. The destination port will be UDP/53 if you are testing whether DNS queries will pass the ASA.

The source interface will naturally be the interface on the ASA where the host initiating that connection will be.

- Jouni

Hi Jouni,

I tried packet type as UDP, then

source port as syslog, as I do not have port numbers to choose from, just names,

destination port as dnsix; that's the closest one I found.

Here is the result:

Output interface shows: ? ?

Info shows: virtual firewall classification failed.

thanks

mahesh

Hello Mahesh,

You are running multiple contexts; based on the traffic patterns, the ASA will not be able to determine which interface to send the traffic out of.

Note: The source port can be any random port ( from 1025 and higher)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I see the ASA has two contexts: admin, and the other is b.

Also, on ASDM there are no port numbers to choose from; it has names only.

So you mean to say there is no way for me to check if the ASA allows access to the remote DNS server?

thanks

mahesh

Hello mahesh,

On ASDM you can type the port number.

Now, in this case the connection is actually failing because the ASA is not able to determine where to send the packet.

Can you share the entire packet tracer output?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I would still suggest using the CLI.

First, move to the context "b" if the host is located behind it:

changeto context b

Then use the packet-tracer command (insert the IP addresses and interface name):

packet-tracer input udp 12345 53

This should give you the output of what happens to the traffic/connection. And it's a lot easier to copy/paste directly here on the forums.

- Jouni

Hi,

The message you are getting would seem to hint at a situation where you are using Multiple Context Mode.

Can you use a CLI connection instead, go to the Security Context where the host is located, and use the packet-tracer command there?

packet-tracer input udp 12345 53

And copy/paste the output here.

- Jouni

Hi Jouni,

I only know the user PC IP and its subnet. I checked on both contexts of the ASA, and neither has that subnet range.

So I do not know which interface to choose from both the contexts?

Thanks

mahesh

Hi,

Naturally you will have to first find the firewall which handles the connections to the remote site for this host.

After that we can try out the "packet-tracer".

You can use the "show route" command on each firewall context to show the routing table of that firewall and see if the network/subnet of the host is located behind the said firewall.

- Jouni
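The two steps Jouni describes above (find the context whose routing table covers the host, changeto that context, then run packet-tracer with a random high UDP source port and UDP/53 as the destination) as an added example script; it is not from this thread or from Cisco. It parses constructed "show route" output for two contexts, picks the context and ingress interface by longest-prefix match, and prints the CLI lines to run; the context names, subnets and interface names are made-up assumptions.

```python
import ipaddress
import re

# Constructed sample "show route" output for two contexts (assumed names,
# subnets and interfaces; not taken from the thread). Each line follows the
# ASA display: <code> <network> <mask> ... , <interface>
SHOW_ROUTE = {
    "admin": """\
C    10.10.0.0 255.255.255.0 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via 10.10.0.1, management
""",
    "b": """\
C    10.20.5.0 255.255.255.0 is directly connected, inside
C    203.0.113.0 255.255.255.248 is directly connected, outside
S    192.168.50.0 255.255.255.0 [1/0] via 203.0.113.2, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
""",
}

# code, network, mask ... trailing ", <interface>"
ROUTE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s.*,\s*(\S+)\s*$")

def parse_routes(text):
    """Return (network, interface) tuples parsed from show route output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes

def find_context(host_ip, tables, ignore_default=True):
    """Longest-prefix match of host_ip over every context's routing table.
    Returns (context, interface, network) or None. The default route is
    skipped by default: it says nothing about where the host really sits,
    which is exactly the case where packet-tracer cannot classify the flow."""
    addr = ipaddress.ip_address(host_ip)
    best = None
    for ctx, text in tables.items():
        for net, ifc in parse_routes(text):
            if ignore_default and net.prefixlen == 0:
                continue
            if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
                best = (ctx, ifc, net)
    return best

def packet_tracer_cmd(ingress_ifc, src_ip, dst_ip, src_port=12345, dst_port=53):
    """Build the packet-tracer line for a UDP DNS query from the user PC."""
    return f"packet-tracer input {ingress_ifc} udp {src_ip} {src_port} {dst_ip} {dst_port}"

if __name__ == "__main__":
    hit = find_context("10.20.5.77", SHOW_ROUTE)
    if hit is None:
        print("no context has a specific route for the host; check upstream routing")
    else:
        print(f"changeto context {hit[0]}")
        print(packet_tracer_cmd(hit[1], "10.20.5.77", "192.168.50.10"))
```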
