06-12-2014 03:28 PM - edited 03-11-2019 09:19 PM
ASA on 8.4 code.
I see traffic of interest allowed across the FW but not on the ACL I expected (that ACL has 0 hits). How can I see the exact rule my specific traffic is allowed on?
06-12-2014 03:41 PM
Most often that's due to ACL order causing a more general rule to catch the flow before the more specific one ever sees it. The ASA works on a first match basis.
You can see which ACL your traffic is hitting by using the packet-tracer command, e.g.,
packet-tracer input inside tcp <source IP> <source port> <destination IP> <destination port>
The output will walk the packet processing through the ASA (including any ACL encountered) and display the step-by-step processing decisions.
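As an added illustration of the first-match behaviour described in the answer above (example code, not from the original thread or from Cisco), here is a small Python model of an ASA-style ACL: it reports which ACE a given flow hits and which later, more specific ACEs are fully covered by an earlier one and will therefore sit at 0 hits. The ACL contents, addresses and ports are constructed for the example.

```python
import ipaddress

# Constructed ASA-style ACL (not from the original thread). Each ACE is
# (line number, action, protocol, source network, destination network, destination port or None).
CONSTRUCTED_ACL = [
    (1, "permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", None),      # broad "any" rule placed first
    (2, "deny",   "tcp", "10.1.2.0/24", "192.0.2.0/24", 22),     # covered entirely by line 1
    (3, "permit", "tcp", "10.1.2.0/24", "192.0.2.10/32", 443),   # the "expected" specific rule
    (4, "permit", "udp", "10.1.0.0/16", "192.0.2.53/32", 53),    # different protocol, still reachable
]

def ace_matches(ace, proto, src_ip, dst_ip, dst_port):
    """True if a single ACE matches the flow (protocol, source, destination, destination port)."""
    _, _, ace_proto, src_net, dst_net, ace_port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(src_net):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(dst_net):
        return False
    return ace_port is None or ace_port == dst_port

def first_match(acl, proto, src_ip, dst_ip, dst_port):
    """ASA-style evaluation: the first matching ACE decides; unmatched flows hit the implicit deny."""
    for ace in acl:
        if ace_matches(ace, proto, src_ip, dst_ip, dst_port):
            return ace[0], ace[1]
    return None, "deny"  # implicit deny at the end of every ASA ACL

def shadowed_aces(acl):
    """Line numbers of ACEs that can never be hit because an earlier ACE covers all of their traffic."""
    shadowed = []
    for i, later in enumerate(acl):
        _, _, l_proto, l_src, l_dst, l_port = later
        for earlier in acl[:i]:
            _, _, e_proto, e_src, e_dst, e_port = earlier
            if (e_proto in ("ip", l_proto)
                    and ipaddress.ip_network(l_src).subnet_of(ipaddress.ip_network(e_src))
                    and ipaddress.ip_network(l_dst).subnet_of(ipaddress.ip_network(e_dst))
                    and (e_port is None or e_port == l_port)):
                shadowed.append(later[0])
                break
    return shadowed

if __name__ == "__main__":
    # The flow the poster expected on line 3 is actually decided by line 1.
    print(first_match(CONSTRUCTED_ACL, "tcp", "10.1.2.5", "192.0.2.10", 443))  # (1, 'permit')
    print(shadowed_aces(CONSTRUCTED_ACL))  # [2, 3]
```

Running packet-tracer on the real box gives the authoritative answer; a model like this is only useful for reviewing an ACL offline for ordering mistakes before they cause 0-hit rules.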