CISCO ASA 5525

ddesai (Level 1)

How can I verify which policy is currently active for incoming traffic received from the DMZ?

I will need to move internal traffic that is coming from the DMZ to another firewall.

Please advise.

7 Accepted Solutions

DMZ interfaces are usually set at security level 50, but they could be at any security level between 0 and 100. If you do "sh nameif" you should see the interface names as well as their security levels. From there take the interface names that are configured with a security level between 0 and 100 and run some packet captures on them while you are generating some traffic, and check if you get any output. You can run a packet capture with the command "cap <name> interface <interface name> match ip host <source IP> host <destination IP>". Regarding the ACL hits, they won't give any details about the date/time. If you want to get those details you would need to add the "log" keyword at the end of the ACL entries you are interested in and then look at the firewall logs, but it is not recommended as it would consume more resources on the device.


You can use the command "clear access-list <the access list name> counters".

To clear the hit count in ASDM, just right click the "Clear Hits" button in the toolbar above the search field. Or you can right click the specific rule you want to clear hits for and select "Clear Hits".

As for packet tracer, as mentioned by others here, you need to know what traffic you are trying to test and which interface this traffic will enter the ASA on from the source perspective. Usually the source port will be a random high port (I normally use port 12345), but you could actually use any port, low or high, as the source.

--
Please remember to select a correct answer and rate helpful posts

20 Replies

The best way is using packet tracer.

See which ACL the traffic is hitting.

In packet tracer, which port should I mention as the source port?

The destination port details I found from the policy.

ddesai (Level 1)

Thanks for the update.

Can we check with the hit count?

Can we check from any logs?

Do I need to download packet tracer, or is it built in to the Cisco ASA?

I have never used a Cisco ASA, so please guide me step by step; that will be a great help.

A few applications are pending to move from the Cisco ASA to the new firewall, so I am looking for which applications are still running through the Cisco ASA.

you can see which rules are being hit in the access-list using either ASDM where you will see the hit count on the right of each rule, or using show access-list <access-list name> which will also show you a hit count for each rule.

--
Please remember to select a correct answer and rate helpful posts

Can I get the latest date and time stamp for the hit count, to know when the policy was last used?

How can I find out the internal-traffic-to-DMZ policy details from the Cisco ASA 5525?

Again, use packet tracer:
packet-tracer input DMZ <protocol> <source IP in DMZ you want to check> <source port> <destination IP inside or outside> <destination port> detailed
This will give you exactly:
1- the NAT being used
2- the ACL being used (inbound and outbound)

Thanks, and I appreciated your update, but when I open packet tracer in the firewall policy I could not find the source port details. The rest of the things I can find out, so which port should I mention as the source port?

You can use as the port:

12345 <<- a random port number

Or

A specific port number if you want to check a server.

For example:

packet-tracer input DMZ tcp 1.1.1.1 80 2.2.2.2 12345

Or

packet-tracer input OUTside tcp 2.2.2.2 12345 1.1.1.1 80

If I add a random source port, it gives me an error.

Can I add source port 80 or https for all in packet tracer?

The destination port I have mentioned as per the Cisco policy.

When you run packet tracer you should have the traffic flow that you want to test in mind. You can put any port in the source or in the destination, but those ports should match the traffic flow that you are trying to simulate.

You will not get a time and date on the hit count, unfortunately. So what you could do is clear the counter and let it run a week or two to get an indication of what is being used.

To see which access-list is being used for which interface, if that is what you mean, you can issue show running-config access-group, which will give you the access-list name and the interface it is associated with:

ASAt# show running-config access-group
access-group <access-list> in interface <interface name>

--
Please remember to select a correct answer and rate helpful posts
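As an added example (not code from the thread or from Cisco), the following script ties the two commands discussed above together: it parses "show running-config access-group" to learn which ACL is applied to which interface, then parses the hit counts from "show access-list" and reports, per interface, which rules are still carrying traffic and which have zero hits. The sample command output embedded below is constructed for illustration; the "(hitcnt=N)" and "access-group ... in interface ..." formats follow the ASA output shown in the thread.

```python
import re

# Constructed sample output, not taken from the thread's device.
ACCESS_GROUP_OUTPUT = """\
access-group DMZ_in in interface DMZ
access-group INSIDE_in in interface inside
"""
ACCESS_LIST_OUTPUT = """\
access-list DMZ_in; 3 elements; name hash: 0x1a2b3c4d
access-list DMZ_in line 1 extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 1433 (hitcnt=1524) 0xaaaa0001
access-list DMZ_in line 2 extended permit tcp host 10.10.10.5 host 192.168.1.30 eq www (hitcnt=0) 0xaaaa0002
access-list DMZ_in line 3 extended deny ip any any log (hitcnt=37) 0xaaaa0003
access-list INSIDE_in; 1 elements; name hash: 0x5e6f7a8b
access-list INSIDE_in line 1 extended permit ip any any (hitcnt=99812) 0xbbbb0001
"""

# 'access-group <acl> in|out interface <ifc>' binds an ACL to an interface.
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
# Each ACE line ends with '(hitcnt=N) 0x<hash>'; remark and summary lines have no hitcnt.
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?) \(hitcnt=(\d+)\)")

def parse_access_groups(text):
    """Return {acl_name: (direction, interface)} from 'show running-config access-group'."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = (m.group(2), m.group(3))
    return groups

def parse_hitcounts(text):
    """Return [(acl_name, line_no, rule_text, hitcnt)] for every ACE in 'show access-list'."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return aces

def classify_rules(groups, aces):
    """Per interface, split its ACL's entries into active (hitcnt > 0) and unused (hitcnt == 0)."""
    report = {ifc: {"active": [], "unused": []} for _, ifc in groups.values()}
    for acl, line_no, rule, hits in aces:
        if acl not in groups:
            continue  # ACL defined but not applied to any interface
        bucket = "active" if hits > 0 else "unused"
        report[groups[acl][1]][bucket].append((acl, line_no, rule, hits))
    return report
```

Because the counters carry no timestamp, clear them with "clear access-list <name> counters" and re-run the comparison after the observation window suggested above; a rule that stays in the "unused" bucket is a candidate for not being migrated.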

Thanks, and I appreciated your answer.

Which option will clear the hit counter?