03-27-2019 01:02 PM
On an ASA, I know I can see the rule that an incoming/outgoing packet is matched against when doing packet-tracer and it is blocked (click on the link to see it in the results), but how about which exact rule it uses when the packet/connection is successful?
03-27-2019 01:17 PM
Hi,
Packet-tracer will also determine which packets have been permitted and indicate the exact rule matched. For example:

ASA-1# packet-tracer input INSIDE tcp 10.10.0.1 2000 3.3.3.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.2 using egress ifc OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_OUT in interface INSIDE
access-list INSIDE_OUT extended permit tcp any any eq www
Additional Information:

ASA-1# show run access-list INSIDE_OUT
access-list INSIDE_OUT extended permit tcp any any eq www
access-list INSIDE_OUT extended permit ip any any log
If you wanted more detailed information you could gather more information via logging.
HTH
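As an added example (not part of the original thread or of any Cisco tooling), the following Python script parses packet-tracer output and reports the access-list entry shown in the ACCESS-LIST phase, the final Action, and, for a denied flow, the phase that dropped it. This is useful when auditing many flows: run packet-tracer for each, capture the output, and extract the matching ACE instead of reading each trace by hand. The permitted sample reproduces the phases shown above; the trailing Result block and the denied sample are constructed for illustration and are assumptions about the output format rather than output from the original poster's device.

```python
"""Parse Cisco ASA packet-tracer output and report the ACL entry that decided the flow."""
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""                     # ALLOW or DROP for this phase
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list = field(default_factory=list)
    action: str = ""        # final "Action:" value: allow or drop
    drop_reason: str = ""   # final "Drop-reason:" value, empty when allowed

    def matched_rule(self):
        """Return the access-list entry printed in the first ACCESS-LIST phase (permit or deny)."""
        for p in self.phases:
            if p.type == "ACCESS-LIST":
                for line in p.config:
                    if line.startswith("access-list "):
                        return line
        return None

    def drop_phase(self):
        """Return the first phase whose own Result is DROP, or None."""
        return next((p for p in self.phases if p.result == "DROP"), None)


def parse_packet_tracer(text):
    """Walk the output line by line; each 'Phase:' opens a block, a bare 'Result:' opens the summary."""
    trace = Trace()
    cur = None
    section = None   # "config" / "info" inside a phase, "final" after the bare "Result:" line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = Phase(number=int(line.split(":", 1)[1]))
            trace.phases.append(cur)
            section = None
        elif line == "Result:":          # bare header of the final summary block
            cur = None
            section = "final"
        elif section == "final":
            if line.startswith("Action:"):
                trace.action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                trace.drop_reason = line.split(":", 1)[1].strip()
        elif cur is None or not line:
            continue
        elif line.startswith("Type:"):
            cur.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):  # per-phase "Result: ALLOW" / "Result: DROP"
            cur.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            cur.config.append(line)
        elif section == "info":
            cur.info.append(line)
    return trace


def summarize(text):
    """One-line verdict: which ACE permitted the flow, or which phase dropped it and why."""
    t = parse_packet_tracer(text)
    rule = t.matched_rule()
    if t.action == "drop":
        dp = t.drop_phase()
        where = f"phase {dp.number} ({dp.type})" if dp else "unknown phase"
        return f"DROP in {where}: {rule or t.drop_reason}"
    return f"ALLOW by: {rule}"


# Sample 1: the permitted trace from the thread, plus a constructed final Result block.
PERMIT_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.2 using egress ifc OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_OUT in interface INSIDE
access-list INSIDE_OUT extended permit tcp any any eq www
Additional Information:

Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""

# Sample 2: a constructed denied trace (hypothetical deny ACE, not from the thread).
DROP_TRACE = PERMIT_TRACE.replace(
    "Result: ALLOW\nConfig:\naccess-group", "Result: DROP\nConfig:\naccess-group"
).replace(
    "permit tcp any any eq www", "deny tcp any any eq 23"
).replace(
    "Action: allow", "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule"
)

if __name__ == "__main__":
    print(summarize(PERMIT_TRACE))
    print(summarize(DROP_TRACE))
```

Feed it the captured output of one packet-tracer run per flow; the per-phase Result tells you where a denied packet died (an ACL, NAT, or route lookup), and the ACCESS-LIST phase's Config shows the exact ACE for both permits and denies.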