Packet-tracer in Cisco ASA – simulated traffic

Cisco ASA includes a very nice feature since the 7.2(1)-release; packet-tracer.

In short, you can inject and trace a packet as it progresses through the security features of the Cisco ASA appliance and quickly determine wether or not the packet will pass.

I often use it to verify traffic passing through firewall rules, NAT-rules and VPN, but its uses is not limited to these three common troubleshooting steps.


Command structure
packet-tracer input <source interface> <protocol> <source IP> <source port> <destination IP> <destination port> [detailed]

Useful commands to be used in conjunction with the packet-tracer is “clear conn” and “clear xlate” to clear connection table and NAT-table.

  • NOTE: You will obviously kill all IP-sessions running through the appliance using the clear-commands. So use it at your own risk and don’t blame me if your users comes running after you wielding pitch forks and torches. ,)

 

Example
Following is an example of a packet-trace to a web-server through a VPN-tunnel, without the “detailed”-option.
My comments in red.

CiscoASA# packet-tracer input inside tcp 10.20.30.40 54444 10.50.60.70 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-inside-in in interface inside
access-list ACL-inside-in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 10.20.30.0 255.255.255.0 outside 10.40.50.0 255.255.255.0
NAT exempt
translate_hits = 51480, untranslate_hits = 854212
Additional Information:
THE TRAFFIC IS NOT NATED, EVEN THOUGH PHASE 8/9 RESULTS YIELDS RESULT “ALLOW”.

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
nat-control
match ip inside 10.20.30.0 255.255.255.0 outside host 10.2.2.10
dynamic translation to pool 1 (200.200.200.200 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.20.30.0 255.255.255.0
nat-control
match ip inside 10.20.30.0 255.255.255.0 outside any
dynamic translation to pool 1 (200.200.200.200 [Interface PAT])
translate_hits = 3205631, untranslate_hits = 383007
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information: TRAFFIC MATCHES VPN AND WILL BE ENCRYPTED

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10948889, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow FINAL ACTION IS ALLOW WHICH MEANS THE PACKET IS NOT STOPPED IN CONFIGURATION AND WILL BE PASSED ON.

If I try to run the same command again, we will see it matches an existing flow in phase 2 and promptly passed on.

CiscoASA# packet-tracer input inside tcp 10.20.30.40 54444 10.50.60.70 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 10953078, using existing flow

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow

 

Packet tracer via ASDM / GUI
You can also find the packet-tracer is ASDM via “Tools > Packet Tracer”:

Cisco ASDM Packet tracer

0.00 avg. rating (0% score) - 0 votes

2 Responses to Packet-tracer in Cisco ASA – simulated traffic

  1. Hello,

    Can you help me with equivalent ( if exist)commands of :
    packet-tracer input inside tcp 10.20.30.40 54444 10.50.60.70 http for Checkpoint FW?

    Best regards,
    Tache

    • Hello,
      There no equivalent command on Check Point as far as I know.
      If you are experiencing problems with traffic not getting through, I’d check using tcpdump in order to verify the traffic is actually hitting the NIC and fw monitor and/or fw ctl zdebug drop to see wether or not it goes through.
      Seeing you are referring to destination port 80, I’m guessing the destination server is in a DMZ. In which case, you might want to doublecheck the NAT-configuration. =)

      –Gos

Leave a Reply

Your email address will not be published. Required fields are marked *