Wednesday, July 28, 2010

Cisco ASA: Packet-Tracer

The packet-tracer command lets you do the following:
  • Debug all packet drops in a production network.
  • Verify that the configuration is working as intended.
  • Show all rules applicable to a packet, along with the CLI lines that caused each rule to be added.
  • Show a time line of the changes made to a packet as it moves through the data path.
  • Inject tracer packets into the data path.
The packet-tracer command provides detailed information about a packet and how the security appliance processes it. Where the drop was not caused by a command in the configuration, packet-tracer still reports the cause in an easily readable form. For example, if a packet was dropped because its header failed validation, a message such as “packet dropped due to bad ip header (reason)” is displayed.

How to use packet-tracer


packet-tracer input [src_int] protocol src_addr src_port dst_addr dst_port [detailed] [xml]

src_int  = Source interface
protocol = icmp / rawip / tcp / udp
src_addr = Source IP address
src_port = Source port
dst_addr = Destination IP address
dst_port = Destination port


Examples:
1. To trace a packet from inside host 10.2.25.3 to the external web server 209.165.202.158, enter the following:

ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 http
or
ASA5510# packet-tracer input inside tcp 10.2.25.3 3000 209.165.202.158 80

where:
inside          is the source interface
tcp             is the protocol
10.2.25.3       is the source IP address
3000            is the source port
209.165.202.158 is the destination IP address
http / 80       is the destination port
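What you act on after running the trace is the phase that returned DROP and the Config: lines beneath it, plus the Drop-reason in the final Result block. The following is an added example, not code from the original post: it parses packet-tracer output into phases and the final verdict, and returns the dropping phase with the CLI lines that produced the rule, so a list of expected-allow / expected-deny flows can be checked against the running configuration. The embedded sample output is constructed and abbreviated for this example, not captured from an ASA.

```python
import re
# Constructed, abbreviated packet-tracer output for the flow above (made up for this example, not from an ASA).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny tcp any any eq 80
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into its numbered phases and the trailing Result summary."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            ph = {"phase": int(lines[0].split(":", 1)[1]), "config": []}
            section = "head"
            for ln in lines[1:]:
                if ln in ("Config:", "Additional Information:"):
                    section = ln  # only the Config: section lists the CLI lines that added the rule
                elif section == "Config:":
                    ph["config"].append(ln.strip())
                elif section == "head":  # Type / Subtype / Result
                    key, _, val = ln.partition(":")
                    ph[key.lower()] = val.strip()
            phases.append(ph)
        elif lines[0] == "Result:":  # final summary: interfaces, Action, Drop-reason
            for ln in lines[1:]:
                key, _, val = ln.partition(":")
                verdict[key.lower()] = val.strip()
    return phases, verdict

def drop_phase(text):
    """First phase that dropped the packet, or None when the final action is allow."""
    phases, verdict = parse_packet_tracer(text)
    return next((p for p in phases if p.get("result") == "DROP"), None) if verdict.get("action") == "drop" else None
```

Feed it the output of the packet-tracer command for each flow you expect to be permitted or denied and compare drop_phase() against the expectation; a mismatch points you straight at the access-list line to fix.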


