05-16-2024 12:33 PM
Trying to use packet-tracer to determine the direct rule a packet is being allowed but the output only lists what appears to be a dynamic ACL created on the FTD. How can I get the exact rule that is allowing the traffic?
ex.
packet-tracer input outside tcp 10.1.1.1 5555 8.8.8.8 53 detailed
05-16-2024 12:41 PM
@Chuck Reimer you can use the command system support firewall-engine-debug and apply a filter on source/destination IP and generate traffic to determine what rule the traffic matches against.
Is your input interface correct? Should it not be the inside interface if your source is a private IP address 10.1.1.1, or are you hairpinning traffic?
05-16-2024 12:36 PM - edited 05-16-2024 01:08 PM
Share full packet tracer
MHM
05-16-2024 12:42 PM - edited 05-16-2024 12:47 PM
For security reasons, I don't want to post the entire output but here is the output for access-list
05-16-2024 12:45 PM - edited 05-16-2024 01:05 PM
!!
MHM
05-16-2024 01:09 PM
@MHM Cisco World There is no rule in the pre-filter that would allow this traffic. I think the output just says that the prefilter was assigned but not necessarily used. Rob's advice worked perfectly if you ever need this info.
05-16-2024 01:45 PM
As you like friend.
Good luck
MHM
05-16-2024 12:56 PM
@MHM Cisco World it's just a generic PT example. I'm testing RDP access to an external server in Azure.
05-16-2024 01:04 PM - edited 05-16-2024 01:06 PM
!!
MHM
05-16-2024 12:53 PM - edited 05-16-2024 12:55 PM
@Rob Ingram I tried the firewall-engine-debug but didn't get any output after trying to establish the connection. Is this written to your console output or to syslog? Additionally I updated my input interface but the ACL is still masked and not revealing the actual rule allowing the traffic.
05-16-2024 12:56 PM
@Chuck Reimer if traffic matches the filter you applied it should display on the console.
05-16-2024 01:02 PM
@Rob Ingram That worked perfectly after I left out the source port. I attended a session last year @ Ciscolive that went over this debug command. Forgot all about it. Thanks for the help here!!
05-16-2024 01:17 PM
I guess in closing, packet-tracer is a good troubleshooting tool to determine whether the packet is allowed or not, but if it is allowed and you want to determine the actual rule, @Rob Ingram's solution works perfectly. Thanks all for the help and guidance on such an elementary question. Kind of embarrassed to ask.
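Added example, not part of the thread: a small Python helper that pulls the matched access-control rule out of pasted `system support firewall-engine-debug` output, keyed by flow but ignoring the ephemeral source port (the detail that tripped up the filter above). The sample lines are constructed to resemble the debug output and are not a real capture; the exact line layout (`src-port > dst-port proto ... match rule order N, 'Name', action X`) is an assumption about the format.

```python
import re

# Constructed sample in the style of FTD firewall-engine-debug output.
# Rule names, IPs and ports are made up for illustration only.
SAMPLE_DEBUG = """\
10.1.1.1-5555 > 8.8.8.8-53 6 AS 1 I 0 New session
10.1.1.1-5555 > 8.8.8.8-53 6 AS 1 I 0 Starting with minimum 2, 'Allow-DNS-Out', and SrcZone first with zones 1 -> 2
10.1.1.1-5555 > 8.8.8.8-53 6 AS 1 I 0 match rule order 2, 'Allow-DNS-Out', action Allow
10.1.1.1-5555 > 8.8.8.8-53 6 AS 1 I 0 allow action
10.1.1.2-40000 > 8.8.8.8-443 6 AS 1 I 0 New session
10.1.1.2-40000 > 8.8.8.8-443 6 AS 1 I 0 match rule order 7, 'Default-Block', action Block
10.1.1.2-40000 > 8.8.8.8-443 6 AS 1 I 0 deny action
"""

# Flow prefix: "<src>-<sport> > <dst>-<dport> <proto> " (assumed layout)
FLOW_RE = re.compile(r"^(\S+)-(\d+) > (\S+)-(\d+) (\d+) ")
# The line that names the rule actually hit (assumed layout)
MATCH_RE = re.compile(r"match rule order (\d+), '([^']*)', action (\w+)")


def matched_rules(debug_text):
    """Map (src, sport, dst, dport, proto) -> (rule order, rule name, action)."""
    hits = {}
    for line in debug_text.splitlines():
        flow = FLOW_RE.match(line)
        rule = MATCH_RE.search(line)
        if flow and rule:
            key = (flow.group(1), int(flow.group(2)),
                   flow.group(3), int(flow.group(4)), int(flow.group(5)))
            hits[key] = (int(rule.group(1)), rule.group(2), rule.group(3))
    return hits


def rule_for(debug_text, src, dst, dport, proto=6):
    """Return the rule hit for src -> dst:dport, ignoring the source port."""
    for (s, _sport, d, dp, p), hit in matched_rules(debug_text).items():
        if s == src and d == dst and dp == dport and p == proto:
            return hit
    return None


if __name__ == "__main__":
    print(rule_for(SAMPLE_DEBUG, "10.1.1.1", "8.8.8.8", 53))
    print(rule_for(SAMPLE_DEBUG, "10.1.1.2", "8.8.8.8", 443))
```

Paste the real debug output into `SAMPLE_DEBUG` (or read it from a file) and call `rule_for` with the source, destination and destination port you used in the debug filter.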