* Flow lookup: Checks for existing xlate and conn entries.
* UN-NAT: Checks for address translation entries.
* Access list lookup: Checks for any applicable ACL entries.
* IP options lookup: Checks handling of IP options in the ingress packet.
* NAT: Checks the Reverse Path Forwarding (RPF) information.
* NAT: Checks for host connection limits.
* IP options lookup: Checks handling of IP options in egress packet.
* Flow creation: Creates new xlate and conn entries, if needed.
* Route lookup: Checks for a router to the destination address.
Packet Tracer uses a virtual (synthetic) packet that is injected into the data stream on an ingress interface. The virtual packet is passed through each of the ASA functions as if a real packet were being handled, which means you will even see actual syslog messages generated on the ASA as the trace progresses. The ASA removes the virtual packet once it is queued in the egress interface buffer for transmission, so it never appears on the network.
You can use Packet Tracer from ASDM by selecting Tools > Packet Tracer.
A new Packet Tracer window will appear, containing a string of symbols representing each ASA function that will be tested. Enter the following information to define the test packet:
* Choose the ingress interface, where the packet will enter the firewall; at the upper-left corner of the window, select an interface name from the drop-down menu.
* Select the Packet Type, either TCP, UDP, ICMP, or IP, from the list across the top of the window.
* Enter the Source IP Address and Source Port.
* Enter the Destination IP address and Destination Port.
Click the Start button. Packet Tracer will animate a packet as it moves from function to function. When the trace is complete, the results will be shown in the bottom half of the window. Be aware that the animation causes the step-by-step progression to appear rather slowly. You can speed up the trace by unchecking the Show Animation check box.
Notice that the virtual packet was denied (dropped) because of the implicit deny rule in the "global" access list. We correct this by adding a rule that allows HTTP traffic (TCP port 80) from the Internet (any) to the inside network 192.168.1.0/24, applied inbound on the outside interface.
You can also use Packet Tracer from the command-line interface (CLI) by entering the following command:
ciscoasa# packet-tracer ?
input Ingress interface on which to trace packet
ciscoasa# packet-tracer input ?
Current available interface(s):
inside Name of interface GigabitEthernet0
outside Name of interface GigabitEthernet1
ciscoasa# packet-tracer input outside ?
icmp Enter this keyword if the trace packet is ICMP
rawip Enter this keyword if the trace packet is RAW IP
tcp Enter this keyword if the trace packet is TCP
udp Enter this keyword if the trace packet is UDP
ciscoasa# packet-tracer input outside tcp ?
A.B.C.D Enter the Source address if ipv4
X:X:X:X::X Enter the Source address if ipv6
fqdn Enter this keyword if an FQDN is specified as source address
user Enter this keyword if a user is specified as source address
ciscoasa# packet-tracer input outside tcp 8.8.8.8 ?
<0-65535> Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 ?
A.B.C.D Enter the destination ipv4 address
fqdn Enter this keyword if an FQDN is specified as destination address
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.50 ?
<0-65535> Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
irc
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.50 http ?
detailed Dump more detailed information
xml Output in xml format
<cr>
ciscoasa# packet-tracer input outside tcp 8.8.8.8 12345 192.168.1.50 http
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any 192.168.1.0 255.255.255.0 eq www
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 100, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
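Every phase block in the output above shares one fixed layout (Phase, Type, Subtype, Result, Config, Additional Information), followed by a trailing bare "Result:" summary, so traces can be parsed mechanically when you have many of them to review. The parser below is an added example and not Cisco's code; DROP_TRACE is a constructed sample mirroring the pre-fix implicit-deny case the text describes, and the Drop-reason line in the summary is assumed to be present for dropped packets.

```python
def parse_packet_tracer(text):
    """Split ASA packet-tracer output into per-phase dicts plus the trailing Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, sep, val = (s.strip() for s in line.partition(":"))
        if key == "Phase" and sep:  # every phase block opens with "Phase: N"
            cur = {"number": int(val), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the trailing summary block
            cur, section = None, "final"
        elif section == "final":
            final[key] = val  # e.g. input-interface, Action, Drop-reason
        elif cur is None:
            continue  # prompt or command echo before the first phase
        elif key in ("Config", "Additional Information") and not val:
            section = "config" if key == "Config" else "info"
        elif key in ("Type", "Subtype", "Result") and sep:
            cur[key.lower()] = val  # Subtype may legitimately be empty
            section = None
        elif section:
            cur[section].append(line)  # body lines of Config / Additional Information
    return phases, final

def first_drop(text):
    """First non-ALLOW phase as (number, type, config lines, Drop-reason), else None."""
    phases, final = parse_packet_tracer(text)
    bad = next((p for p in phases if p["result"].upper() != "ALLOW"), None)
    return bad and (bad["number"], bad["type"], bad["config"], final.get("Drop-reason", ""))

# Constructed sample of the pre-fix trace the text describes: the implicit deny drops the packet at ACCESS-LIST.
DROP_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running first_drop over a saved trace points straight at the phase and the configured rule that stopped the packet, which is the same information the ASDM result pane shows.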