10-04-2013 11:19 AM - edited 03-11-2019 07:47 PM
On the ASA and FWSM, is there a way to check which ACE would be blocking a particular traffic? I'm looking for a command where I just tell it which ACL is in use and feed it the source-ip/port and dest-ip/port.
Thank you in advance.
Vince
10-04-2013 11:37 AM
Hi,
Well, the ASA does have a tool that can easily tell you which ACL rule some traffic hits. Though I guess there is a very small chance that you would have such old software that it's not supported, but I doubt it. This command isn't supported on the FWSM, however.
On ASA you can use the "packet-tracer" command.
Basically if you want to test traffic incoming from "inside" interface then you could do (IPs and ports are made up)
packet-tracer input inside tcp 10.10.10.10 12345 8.8.8.8 80
Traffic incoming from "outside" could be simulated with
packet-tracer input outside tcp 1.1.1.1 12345 10.10.10.10 80
I am not completely sure, but on the FWSM (and also on the ASA) you might be able to look at the log message of the blocked connection and look at the very end of the log message, which has a sequence of numbers. This might match some ACE in that interface's ACL when you look at the ACL with the command "show access-list".
For example I made a "deny" rule on my ASA like this
access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any
I then generate traffic from source address 3.3.3.3 to one of my internal IP addresses and ASA generates this log message
Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 by access-group "WAN-IN" [0x6131ef0b, 0x0]
I then check my ACLs with "show access-list | inc 6131ef0b", which essentially contains the number sequence I mentioned earlier. The output is the following, and we have found the ACL rule that blocked the connection attempt
ASA# show access-list | inc 6131ef0b
access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
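The hash-matching step from the answer above can be scripted when you have many deny messages to correlate. The following is an added example (not from the original post or from Cisco) that parses the %ASA-4-106023 deny message format shown above, indexes "show access-list" output by the per-ACE hash at the end of each line, and returns the ACE that produced a given log message. The sample log line and "show access-list" text are constructed for this example; the 0x9f8e7d6c, 0x0badf00d and name-hash values are made up.

```python
import re
from typing import Optional

# Constructed sample input for this example (not captured from a live device):
# one %ASA-4-106023 deny message in the format shown in the post above, and a
# few lines of "show access-list" output to match it against.
SAMPLE_LOG = (
    '%ASA-4-106023: Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 '
    'by access-group "WAN-IN" [0x6131ef0b, 0x0]'
)

SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list WAN-IN; 3 elements; name hash: 0x1a2b3c4d
access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b
access-list WAN-IN line 2 extended permit tcp any host 10.0.10.1 eq www (hitcnt=120) 0x9f8e7d6c
access-list WAN-IN line 3 extended deny ip any any log (hitcnt=7) 0x0badf00d
"""

# Fields of the 106023 message: protocol, interface:ip[/port] for src and dst,
# the access-group name, and the ACE hash (first bracketed value). The port is
# optional so that icmp/ip deny messages, which carry no port, also parse.
_LOG_RE = re.compile(
    r'Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?'
    r'.*?by access-group "(?P<acl>[^"]+)" \[0x(?P<hash>[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]'
)

# One expanded ACE line of "show access-list": ACL name, line number, rule text,
# hit counter, optional "(inactive)" marker and the trailing per-ACE hash.
_ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.*?) '
    r'\(hitcnt=(?P<hits>\d+)\)(?: \(inactive\))? 0x(?P<hash>[0-9a-fA-F]+)\s*$'
)


def parse_deny_log(line: str) -> Optional[dict]:
    """Extract the 5-tuple, ACL name and ACE hash from a 106023 deny message."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["hash"] = entry["hash"].lower()
    return entry


def parse_show_access_list(text: str) -> dict:
    """Index every hashed ACE line of 'show access-list' output by its hash."""
    aces = {}
    for raw in text.splitlines():
        m = _ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["line"] = int(ace["line"])
            ace["hits"] = int(ace["hits"])
            ace["hash"] = ace["hash"].lower()
            aces[ace["hash"]] = ace
    return aces


def find_blocking_ace(log_line: str, show_text: str) -> Optional[dict]:
    """Return the ACE whose hash appears in the deny message, or None.

    None means the line is not a 106023 deny message, or no ACE with that hash
    exists in the captured output (for example because the ACE was changed or
    removed after the message was logged), or the ACL name does not match.
    """
    entry = parse_deny_log(log_line)
    if entry is None:
        return None
    ace = parse_show_access_list(show_text).get(entry["hash"])
    if ace is None or ace["acl"] != entry["acl"]:
        return None
    return ace


if __name__ == "__main__":
    hit = find_blocking_ace(SAMPLE_LOG, SAMPLE_SHOW_ACCESS_LIST)
    if hit:
        print(f'{hit["acl"]} line {hit["line"]}: {hit["rule"]} (hitcnt={hit["hits"]})')
    else:
        print("no matching ACE found")
```

In practice, feed it the "show access-list" output captured right after the deny messages were logged, since the per-ACE hash is tied to the ACE's contents and a rule that has been edited since will no longer match.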
10-18-2013 02:41 PM
Perfect
05-15-2020 09:09 AM
Cisco IOS ACL verification utility: