Posted by: Mudassir Ali | May 21, 2010

Troubleshooting Access Problems Using Packet-Tracer

Troubleshooting Access Problems Using Packet-Tracer

Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult. Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information. Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy. Here is the CLI syntax: packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml] A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.

asaTestlab# “packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23” Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inside in interface inside access-list inside extended permit ip any 10.4.1.0 255.255.255.0

Additional Information: asaTestlab# “packet-tracer input inside tcp 10.1.1.1 1024 10.4.2.1 5282” Phase: 3 Type: ACCESS-LIST Subtype: log Result: DROP Config: access-group inside in interface inside access-list inside extended deny tcp any host 10.4.2.1 eq 5282 Additional Information: Evaluations of other elements of the config are similarly specific. Here is an example with nat-control enabled but without proper address translation defined: asaTestlab# “packet-tracer input DMZ tcp 10.2.1.1 1024 10.4.2.1 http” Phase: 7 Type: NAT Subtype: Result: DROP Config: nat (DMZ) 0 access-list NoNAT nat-control match ip DMZ any outside any no translation group, implicit deny policy_hits = 1 Additional Information: Packet-tracer does more than just inject a ‘virtual’ packet into the data-plane. One can also add the ‘trace’ option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.

Example: ASA# “capture mycap access-list 199 interface outside trace” To view the packet-trace from captured packet #3 in the capture, use the command: ASA# “show capture mycap trace packet-number 3”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: