Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.
Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.
Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy.
A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZ) 0 access-list NoNAT
nat-control
  match ip DMZ any outside any
    no translation group, implicit deny
    policy_hits = 1
- Kevin Miller, Herman Miller, Inc., Zeeland, Michigan, USA
Packet-tracer does more than just inject a 'virtual' packet into the data-plane. One can also add the 'trace' option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.
To view the packet-trace from captured packet #3 in the capture, use the command:
ASA# show capture mycap trace packet-number 3
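As an added example (not code from the original article), a small Python parser for the phase layout shown above: it splits a trace into its phases, reports the first phase whose Result is DROP, and returns the Config lines (the matched ACE or NAT rule) behind it. The sample trace is constructed, and its interface and ACL names are made up.

```python
import re

# Constructed sample in the packet-tracer phase layout (not from a real device); names are made up.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group DMZ_in in interface DMZ
access-list DMZ_in extended deny ip any any
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One phase runs from its "Phase: N" header to the next header or to the bare "Result:" summary.
PHASE_RE = re.compile(r"^Phase: (\d+)\n(.*?)(?=^Phase: \d+$|^Result:\s*$|\Z)", re.M | re.S)

def parse_phases(text):
    """Split a trace into its numbered phases, keeping Type, Result and the Config lines."""
    phases = []
    for num, rest in PHASE_RE.findall(text):
        phase = {"number": int(num), "type": "", "result": "", "config": []}
        section = None
        for line in rest.splitlines():
            if line.startswith("Type:"):
                phase["type"] = line[5:].strip()
            elif line.startswith("Result:"):
                phase["result"] = line[7:].strip()
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = None
            elif section == "config" and line.strip():
                phase["config"].append(line.strip())  # the ACE or NAT rule the packet matched
        phases.append(phase)
    return phases

def first_drop(phases):
    """Return the first phase whose Result is DROP (the policy to inspect), or None if all allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)
```

Feed it the output of packet-tracer or of show capture ... trace and the returned phase points straight at the rule to check.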