Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.
Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.
Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy.
A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.
Phase: 7 Type: NAT Subtype: Result: DROP Config: nat (DMZ) 0 access-list NoNAT nat-control match ip DMZ any outside any no translation group, implicit deny policy_hits = 1
- Kevin Miller, Herman Miller, Inc., Zeeland, Michigan, USA
Packet-tracer does more than just inject a 'virtual' packet into the data-plane. One can also add the 'trace' option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.
To view the packet-trace from captured packet #3 in the capture, use the command: ASA# "show capture mycap trace packet-number 3"
To receive the latest information on Cisco online tools, certifications, support documentation, insights from Cisco experts and peers, and upcoming events, check out the Cisco Technical Services Newsletter today.
Looking for a solution to my issue: I have a Cisco NGFW 2110 running v6.6.1 and the VPN client had been working. Short story is I blew away the VPN config because users complained they had no access to the back-end resources after connecting. Now it'...
Hello Guys,Today, I upgraded my two FTD (1140) from 6.6.4 to 7.0 and after upgrade I met problem related to DHCP Relay and SNMP which I had before configured via FlexConfig (very simple config) but.... on version 7.0 Cisco removed this possibility an...
Hi All, I am looking to find out what people are using to find a way around not being able to receive an MFA prompt via the MS Authenticator app or SMS code to a phone to login into Cisco AnyConnect when on a plane. We are using the NPS se...
Hello everyoneIn our network we have the ISE , FMC and AD working in our network where all workstation have anyconnect installed for authentication and posture checkingwe are planning for the FMC for user awareness so we are able to make rules / monitor t...
Good Day gents, Can someone help me clarify the settings for blocking with words from the profanity and sexual_contentHere is the config: Order Condition Rule Delete1Message Bodybody-dictionary-match("Sexual_Content", 1) &...