cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ICMP6 packet tracer on ASA

121
Views
0
Helpful
0
Comments

Here is another important syntax to test ICMP6 using packet tracer.

ICMP (IPv4) and ICMP6 (IPv6) have different type and codes for echo request hence the correct code need to be used while testing

 ICMP echo request : Type 8 code 0

ICMP6 echo request : Type 128 code 0

 

FWL001/pri/act(config)# packet-tracer input IFC1 icmp 2405:200:808:679::5 128 0 2405:200:204::1 det

 

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f7dd61ea4b0, priority=1, domain=permit, deny=false

        hits=694502366, user_data=0x0, cs_id=0x0, l3_type=0xdd86

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=IFC1, output_ifc=any

 

Phase: 2

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 2405:200:808:681::1 using egress ifc  IFC2

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group IFC1_access_in in interface IFC1

access-list IFC1_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object ACS-SEC-WIFI-IPV6 object-group DM_INLINE_NETWORK_24 log disable 

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object icmp

protocol-object icmp6

object-group network DM_INLINE_NETWORK_24

network-object object NH_IPMPLS_V6

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f7dbf171770, priority=13, domain=permit, deny=false

        hits=1, user_data=0x7f7d864c0200, cs_id=0x0, use_real_addr, flags=0x0, protocol=58

        src ip/id=2405:200:808:679::5/128, icmp-type=0, tag=any

        dst ip/id=2405:200:204::/48, icmp-code=0, tag=any

        input_ifc=IFC1, output_ifc=any

 

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f7dee177bb0, priority=0, domain=nat-per-session, deny=true

        hits=552932, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=::/0, port=0, tag=any

        dst ip/id=::/0, port=0, tag=any

        input_ifc=any, output_ifc=any

 

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f7da24e3930, priority=70, domain=inspect-icmp, deny=false

        hits=3, user_data=0x7f7da1ba1f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=58

        src ip/id=::/0, icmp-type=0, tag=any

        dst ip/id=::/0, icmp-code=0, tag=any

        input_ifc=IFC1, output_ifc=any

 

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f7dd61e4460, priority=66, domain=inspect-icmp-error, deny=false

        hits=7286, user_data=0x7f7dee9f1bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=58

        src ip/id=::/0, icmp-type=0, tag=any

        dst ip/id=::/0, icmp-code=0, tag=any

        input_ifc=IFC1, output_ifc=any

 

Phase: 7

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x7f7dee177bb0, priority=0, domain=nat-per-session, deny=true

        hits=552934, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=::/0, port=0, tag=any

        dst ip/id=::/0, port=0, tag=any

        input_ifc=any, output_ifc=any

 

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1885608814, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_default_ipv6

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_default_ipv6

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Result:

input-interface: IFC1

input-status: up

input-line-status: up

output-interface: IFC2

output-status: up

output-line-status: up

Action: allow

 

Additional info about ICMP6 codes : https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/22974-icmpv6codes.html