Test ACL to see which ACE is blocking traffic

vincehgov (Level 1)

On the ASA and FWSM, is there a way to check which ACE would be blocking particular traffic? I'm looking for a command where I just tell it which ACL is used and feed it the source IP/port and destination IP/port.

Thank you in advance.

Vince

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

Well, the ASA does have a tool that can easily tell you which ACL rule some traffic hits. Though I guess there is a very small chance that you have software so old that it's not supported, but I doubt it. This command isn't supported on FWSM, however.

On ASA you can use the "packet-tracer" command.

Basically if you want to test traffic incoming from "inside" interface then you could do (IPs and ports are made up)

packet-tracer input inside tcp 10.10.10.10 12345 8.8.8.8 80

Traffic incoming from "outside" could be simulated with

packet-tracer input outside tcp 1.1.1.1 12345 10.0.10.1 80

I am not completely sure, but on the FWSM (and also on the ASA) you might be able to look at the log message of the blocked connection and look at the very end of the log message, which has a sequence of numbers. This might match some ACE in that interface's ACL when you look at the ACL with the command "show access-list".

For example I made a "deny" rule on my ASA like this

access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any

I then generate traffic from source address 3.3.3.3 to one of my internal IP addresses and ASA generates this log message

Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 by access-group "WAN-IN" [0x6131ef0b, 0x0]

I then check my ACLs with "show access-list | inc 6131ef0b", which essentially contains the number sequence I mentioned earlier. The output is the following, and we have found the ACL rule that blocked the connection attempt:

ASA# show access-list | inc 6131ef0b

access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

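The hash-correlation trick in the accepted answer is easy to script once you have syslog and a "show access-list" capture in hand. The following is an added example, not code from the post or from Cisco: it parses the deny message format quoted above, looks the trailing hash up in "show access-list" output (the same thing "show access-list | inc 6131ef0b" does by eye), and builds the packet-tracer command that replays the denied flow. The sample log lines and ACL output are constructed for the example: line 1 and its hash 0x6131ef0b come from the post, the other entries, hashes and hit counts are made up, and the "%ASA-4-106023" syslog ID is assumed to be the message family these denies belong to. It also assumes a 0x0 hash means the flow hit the ACL's implicit deny rather than a configured ACE.

```python
"""Map an ASA ACL deny log message back to the ACE that produced it.

Added example, not part of the post: reproduces the "show access-list |
inc <hash>" correlation offline over constructed sample text.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample log lines. The first is the message quoted in the post
# (with the %ASA-4-106023 syslog ID prepended); the second is a made-up hit
# on the ACL's implicit deny, assumed here to be reported with a 0x0 hash.
SAMPLE_SYSLOG = [
    '%ASA-4-106023: Deny tcp src WAN:3.3.3.3/12345 dst LAN:10.0.10.1/80 '
    'by access-group "WAN-IN" [0x6131ef0b, 0x0]',
    '%ASA-4-106023: Deny udp src WAN:3.3.3.4/40000 dst LAN:10.0.10.1/161 '
    'by access-group "WAN-IN" [0x0, 0x0]',
]

# Constructed "show access-list" output. Line 1 and its hash come from the
# post; the other lines, their hashes and hit counts are made up.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list WAN-IN; 3 elements; name hash: 0x1a2b3c4d
access-list WAN-IN line 1 extended deny ip host 3.3.3.3 any (hitcnt=3) 0x6131ef0b
access-list WAN-IN line 2 extended permit tcp any host 10.0.10.1 eq www (hitcnt=12) 0x2f8a1c77
access-list WAN-IN line 3 extended permit tcp any host 10.0.10.1 eq https (hitcnt=0) 0x9b0d4e21
"""

# One ACE line: name, line number, rule text, hit count, optional
# "(inactive)" marker, and the trailing per-ACE hash.
ACE_RE = re.compile(
    r'^\s*access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) '
    r'\(hitcnt=(?P<hits>\d+)\)\s*(?:\(inactive\)\s*)?(?P<hash>0x[0-9a-fA-F]+)\s*$'
)

# Body of a tcp/udp deny message. ICMP denies carry "(type N, code N)"
# instead of ports and are deliberately not matched.
DENY_RE = re.compile(
    r'Deny (?P<proto>tcp|udp) src (?P<sif>[^:\s]+):(?P<sip>\S+?)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dip>\S+?)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)" \[(?P<hash1>0x[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]'
)


@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    body: str
    hits: int
    ace_hash: int


@dataclass(frozen=True)
class DenyEvent:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str
    ace_hash: int


def parse_show_access_list(text: str) -> Dict[int, Ace]:
    """Index every ACE by its hash as an integer, so case or zero-padding
    differences between syslog and the CLI do not break the lookup."""
    index: Dict[int, Ace] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            h = int(m['hash'], 16)
            index[h] = Ace(m['acl'], int(m['line']), m['body'], int(m['hits']), h)
    return index


def parse_deny_log(line: str) -> Optional[DenyEvent]:
    """Extract 5-tuple, access-group and ACE hash from one deny message."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    return DenyEvent(m['proto'], m['sif'], m['sip'], int(m['sport']),
                     m['dif'], m['dip'], int(m['dport']), m['acl'], int(m['hash1'], 16))


def find_blocking_ace(log_line: str, show_text: str) -> Optional[Ace]:
    """Return the configured ACE that denied the flow, or None for a 0x0 hash
    (implicit deny) or a hash absent from the capture (ACL edited since)."""
    event = parse_deny_log(log_line)
    if event is None:
        raise ValueError("not a tcp/udp access-group deny message")
    if event.ace_hash == 0:
        return None
    ace = parse_show_access_list(show_text).get(event.ace_hash)
    return ace if ace is not None and ace.acl == event.acl else None


def packet_tracer_command(event: DenyEvent) -> str:
    """packet-tracer line that replays the denied flow; the interface prefix
    in the log is the nameif, which is what packet-tracer expects."""
    return (f'packet-tracer input {event.src_if} {event.proto} '
            f'{event.src_ip} {event.src_port} {event.dst_ip} {event.dst_port}')


if __name__ == '__main__':
    for line in SAMPLE_SYSLOG:
        ev = parse_deny_log(line)
        ace = find_blocking_ace(line, SAMPLE_SHOW_ACCESS_LIST)
        where = (f'{ace.acl} line {ace.line}: {ace.body} (hitcnt={ace.hits})'
                 if ace else 'implicit deny / no matching ACE in capture')
        print(f'{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}  {where}')
        print('  retest: ' + packet_tracer_command(ev))
```

Feed it a real syslog export and a fresh "show access-list" capture taken at the same time; if the ACL has been edited since the message was logged, the hash will not be found, which is why the lookup returns None rather than guessing. The generated packet-tracer command is the quickest way to confirm the match on the box itself.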

3 Replies


Perfect

cisco IOS ACL verification utility:

https://aclcheck.ru
