11-13-2018 11:42 PM - edited 02-21-2020 08:28 AM
How can I put the source port (src-port) as any in the below ASA command instead of a specific port?
packet-tracer input ifc_name protocol src-ip src-port dst-ip dst-port
packet-tracer input outside tcp 192.168.10.10 3389 172.16.10.10 3389
ciscoasa# sh conn
6 in use, 12 most used
TCP DMZ 192.168.10.10:3389 Inside 172.16.10.10:49165, idle 0:00:27, bytes 127770, flags UIO
11-14-2018 12:43 AM
11-14-2018 12:54 AM
That means the packet-tracer command doesn't check the source port. It is only meant to check the SIP, DIP and dst-port.
11-14-2018 02:13 AM
It can and does check the source port. However, due to the nature of how TCP and UDP generally work, source ports are ephemeral (semi-random port number >1023 as @Mohammed al Baqari mentioned), so we very seldom have an ACL or other rule that restricts source port numbers.
Generally when using packet-tracer I just use 1234 as my source port unless I have a specific reason to use a specific port (very very rarely in real life).
11-14-2018 03:14 AM
Thank you Mohammed and Marvin.