Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer
Level 1

Trying to use packet-tracer to determine the specific rule by which a packet is being allowed, but the output only lists what appears to be a dynamic ACL created on the FTD. How can I get the exact rule that is allowing the traffic?

 

e.g.

packet-tracer input outside tcp 10.1.1.1 5555 8.8.8.8 53 detailed

 

Accepted Solution

@Chuck Reimer you can use the command system support firewall-engine-debug and apply a filter on source/destination IP and generate traffic to determine what rule the traffic matches against.

Is your input interface correct? Should it not be the inside interface, if your source is a private IP address (10.1.1.1), or are you hairpinning traffic?

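To illustrate the accepted approach, here is an added example (not from the thread or from Cisco) that parses the kind of per-flow lines system support firewall-engine-debug prints and reports the matched rule for a given source/destination pair. The sample output is constructed, written in the style of that debug ("match rule order N, 'Rule name', action Allow"), and the exact line shape is an assumption; the filter deliberately ignores the source port, since the thread shows that pinning an ephemeral source port in the filter produces no output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of FTD firewall-engine-debug output.
# Not captured from a real device; addresses are RFC 5737/8.8.8.8 examples.
SAMPLE_DEBUG = """\
10.1.1.1-49512 > 8.8.8.8-53 17 AS 1-1 I 0 New session
10.1.1.1-49512 > 8.8.8.8-53 17 AS 1-1 I 0 match rule order 2, 'Allow DNS', action Allow
10.1.1.1-49512 > 8.8.8.8-53 17 AS 1-1 I 0 allow action
10.1.1.1-50211 > 198.51.100.10-3389 6 AS 1-1 I 0 New session
10.1.1.1-50211 > 198.51.100.10-3389 6 AS 1-1 I 0 match rule order 5, 'RDP to Azure', action Allow
10.1.1.1-50211 > 198.51.100.10-3389 6 AS 1-1 I 0 allow action
10.1.1.1-50340 > 203.0.113.7-23 6 AS 1-1 I 0 New session
10.1.1.1-50340 > 203.0.113.7-23 6 AS 1-1 I 0 match rule order 9, 'Default Block', action Block
10.1.1.1-50340 > 203.0.113.7-23 6 AS 1-1 I 0 Deleting session
"""

# Assumed line shape: "<src>-<sport> > <dst>-<dport> <proto> ... match rule order N, '<name>', action <Action>"
MATCH_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)-(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)-(?P<dport>\d+) (?P<proto>\d+) .*?"
    r"match rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)$"
)


@dataclass
class RuleMatch:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int        # IP protocol number as printed by the debug (6 = TCP, 17 = UDP)
    order: int        # position of the rule in the access control policy
    name: str         # access control rule name
    action: str       # Allow / Block / Trust / ...


def parse_rule_matches(text: str) -> List[RuleMatch]:
    """Return one RuleMatch per 'match rule order' line; other debug lines are ignored."""
    matches = []
    for line in text.splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        matches.append(RuleMatch(
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            proto=int(m["proto"]), order=int(m["order"]),
            name=m["name"], action=m["action"],
        ))
    return matches


def find_rule(text: str, src: str, dst: str,
              dport: Optional[int] = None,
              proto: Optional[int] = None) -> Optional[RuleMatch]:
    """Find the first rule hit for a flow, filtering the way the debug filter should be set:
    on source/destination IP and optionally destination port and protocol.
    The source port is intentionally not a filter key, because clients pick an
    ephemeral port per connection and a fixed source port filter matches nothing."""
    for rm in parse_rule_matches(text):
        if rm.src != src or rm.dst != dst:
            continue
        if dport is not None and rm.dport != dport:
            continue
        if proto is not None and rm.proto != proto:
            continue
        return rm
    return None


if __name__ == "__main__":
    hit = find_rule(SAMPLE_DEBUG, "10.1.1.1", "198.51.100.10", dport=3389)
    if hit:
        print(f"rule #{hit.order} '{hit.name}' -> {hit.action}")
    else:
        print("no rule match seen for that flow (check the filter and the input interface)")
```

Run it against a saved debug session instead of SAMPLE_DEBUG to get the rule name and policy position without reading through every per-flow line; a None result usually means the filter was too narrow (for example a source port was set) or traffic never reached the device on the expected interface.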

12 Replies

Share the full packet-tracer output.

MHM

For security reasons, I don't want to post the entire output, but here is the output for the access-list phase.

 

!! 

MHM

@MHM Cisco World There is no rule in the pre-filter that would allow this traffic. I think the output just says that the prefilter was assigned but not necessarily used. Rob's advice worked perfectly if you ever need this info.

As you like friend.

Goodluck 

MHM

@MHM Cisco World it's just a generic PT example. I'm testing RDP access to an external server in Azure.

 

!! 

MHM


@Rob Ingram I tried the firewall-engine-debug but didn't get any output after trying to establish the connection. Is this written to your console output or to syslog? Additionally, I updated my input interface, but the ACL is still masked and not revealing the actual rule allowing the traffic.

 

@Rob Ingram That worked perfectly after I left out the source port. I attended a session last year at Cisco Live that went over this debug command. Forgot all about it. Thanks for the help here!!

 

Chuck Reimer
Level 1

I guess in closing, packet-tracer is a good troubleshooting tool to determine whether the packet is allowed or not, but if it is allowed and you want to determine the actual rule, @Rob Ingram's solution works perfectly. Thanks all for the help and guidance on such an elementary question. Kind of embarrassed to ask.
