
How to determine ACE associated with a connection?

AlexFer
Level 1

I can see a connection using "show local-host" and "show conn", however, I cannot trace it back to the (Identity firewall) ACE that was used to allow that connection. Is there a way?

Each ACE (shown using "show access-list") owns a unique hash code, so, I was expecting "show local-host" and "show conn" to reference such, but it doesn't seem to.

On ASA 9.6(1).

3 Replies

The hash is used to find the corresponding entries in the syslog. You can trace the ACE with packet-tracer:

packet-tracer input inside tcp user THE-USER 1234 1.2.3.4 443

This gives you the ASA processing, including the ACE, for the user to the server 1.2.3.4/443.
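One way to put the hash that the reply mentions to work, as an added example that is not from this thread or from Cisco: take a connection's 5-tuple (as seen in "show conn"), find the matching %ASA-6-106100 syslog line, and map the hash in its trailing brackets back to the ACE in "show access-list". The ACL name, user, addresses and the exact shape of both outputs below are constructed approximations of ASA output, so check the regexes against your own device's lines before relying on them.

```python
import re

# Constructed sample of "show access-list" output (shape approximated from
# ASA conventions, not copied from the poster's firewall).
SHOW_ACCESS_LIST = """\
access-list inside_in line 1 extended permit tcp user LAB\\alice any host 1.2.3.4 eq https (hitcnt=5) 0x1a2b3c4d
access-list inside_in line 2 extended permit tcp any host 1.2.3.4 eq ssh (hitcnt=0) 0x9f8e7d6c
access-list inside_in line 3 extended deny ip any any (hitcnt=12) 0x0badc0de
"""

# Constructed sample syslog lines in the shape of %ASA-6-106100; the ACE hash
# is the first value inside the trailing brackets.
SYSLOG = """\
%ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(1234) -> outside/1.2.3.4(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list inside_in denied tcp inside/10.1.1.7(5555) -> outside/8.8.8.8(22) hit-cnt 1 first hit [0x0badc0de, 0x0]
"""

# Hash code is the last token of each ACE line.
ACE_RE = re.compile(r"^access-list \S+ line \d+ .*?\s(0x[0-9a-f]{8})\s*$")
# 5-tuple plus hash from a 106100 line; interface names are skipped.
SYSLOG_RE = re.compile(
    r"106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"\S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r".*\[(?P<hash>0x[0-9a-f]{8}), "
)


def ace_table(text):
    """Map each ACE hash code to its full line from 'show access-list'."""
    table = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            table[m.group(1)] = line
    return table


def find_ace(syslog_text, aces, src, sport, dst, dport):
    """Return the ACE line whose hash the matching 106100 entry carries, or None."""
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m and (m["src"], m["sport"], m["dst"], m["dport"]) == (src, str(sport), dst, str(dport)):
            return aces.get(m["hash"])
    return None


if __name__ == "__main__":
    print(find_ace(SYSLOG, ace_table(SHOW_ACCESS_LIST), "10.1.1.5", 1234, "1.2.3.4", 443))
```

106100 is only generated for ACEs that carry the log keyword, so an ACE without it leaves no hash to correlate.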

Thanks, but an (active) user can be associated with multiple addresses (as shown by "show user-identity ip-of-user")... How will packet-tracer know which IP to use?

It doesn't know that. Packet-tracer always uses the last mapping. I assume in that case packet-tracer will not be of much help.
