- Debug all packet drops in production network.
- Verify the configuration is working as intended.
- Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
- Show a time line of packet changes in a data path.
- Inject tracer packets into the data path.
How to use packet-tracer
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
src_int = Source Interface
protocol = icmp / rawip / tcp / udp
src_addr = Source IP Address
src_port = Source port
dst_addr = Destination IP Address
dst_port = Destination port
Examples:
1. To enable packet tracing from inside host 10.2.25.3 to external webserver 209.165.202.158, enter the following
ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 http
or
ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 80
where;
inside is Source Interface
tcp is protocol
10.2.25.3 is Source IP Address
3000 is Source port
209.165.202.158 is Destination IP Address
http / 80 is Destination port
Reference:
Cisco ASA Troubleshooting Tool Kit
http://www.networkblueprints.com/troubleshooting/cisco-asa-troubleshooting-tool-kit
PIX/ASA 7.2(1) and later: Intra-Interface Communications
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
Packet capture and sniffing using the Cisco ASA Firewall
http://www.networkstraining.com/packet-capture-and-sniffing-using-the-cisco-asa-firewall/
Cisco ASA troubleshooting command packet-tracer
http://informationsecuritytips.com/2009/04/cisco-asa-troubleshooting-command-packet-tracer/
No comments:
Post a Comment