Solved: How to see ACL traffic is allowed on.

ttpm12345 · ‎06-12-2014

ASA on 8.4 code.

I see traffic of interest allowed across the FW but not on the ACL I expected (that ACL has 0 hits). How can I see the exact rule my specific traffic is allowed on?

e

Marvin Rhoads · ‎06-12-2014

Most often that's due to ACL order causing a more general rule to catch the flow before the more specific one ever sees it. The ASA works on a first match basis.

You can see which your traffic is hitting by using the packet-tracer command. i.e.,

packet-tracer input inside tcp <source IP> <source port> <destination IP> <destination port>

The output will walk the packet processing through the ASA (including any ACL encountered) and display the step-by-step processing decisions.

View solution in original post

Marvin Rhoads · ‎06-12-2014

Most often that's due to ACL order causing a more general rule to catch the flow before the more specific one ever sees it. The ASA works on a first match basis.

You can see which your traffic is hitting by using the packet-tracer command. i.e.,

packet-tracer input inside tcp <source IP> <source port> <destination IP> <destination port>

The output will walk the packet processing through the ASA (including any ACL encountered) and display the step-by-step processing decisions.