Trace your way through the ASA

There are few things more difficult than debugging a complex problem in a firewall. Everybody who has had to do it even once surely has fond memories of it.

But, as with almost everything, it is just a matter of having the right tool. In the case of a Cisco ASA, that tool is Packet Tracer.

The syntax is as follows:

packet-tracer input inside tcp 172.27.2.70 1025 172.29.4.18 3389 detailed

where tcp is the protocol, the numbers are the source and destination IP:port pairs, inside is the name of the interface where the packet “originates”, and detailed asks for the extended output shown below.

This injects a virtual packet into the firewall engine and traces every step it takes through it. As an example, some of the information we get looks like this:

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.29.4.16     255.255.255.240 outside

[...]

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 access-list ********
  match ip inside ***** 255.255.0.0 inside ****** 255.255.255.192
    dynamic translation to pool 2 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc8940e8, priority=2, domain=host, deny=false
        hits=23838, user_data=0xcc893cd0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=172.27.0.0, mask=255.255.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

[...]

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcd9715d8, priority=70, domain=encrypt, deny=false
        hits=79, user_data=0x9730c, cs_id=0xcd790d80, reverse, flags=0x0, protocol=0
        src ip=172.27.0.0, mask=255.255.0.0, port=0
        dst ip=172.29.4.16, mask=255.255.255.240, port=0, dscp=0x0

[...]

And, most important of all, the final end-to-end result:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


This way it is “easy” to determine where the packet got dropped. For the GUI maniacs there is a graphical version of the tool in Cisco ASDM. Here is a screenshot.

[Screenshot: Packet Tracer tool in Cisco ASDM]
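When a trace is long, scanning for the phase that says DROP by eye gets tedious. As an added example (not code from the original post and not a Cisco tool), the following Python script reads saved packet-tracer output, splits it into phases, and reports the first phase whose Result is DROP together with the configuration lines shown under it and the end-to-end summary. The trace text embedded in the script is constructed for illustration, not a capture from this firewall; the access-list and access-group names in it are made up.

```python
"""Triage Cisco ASA packet-tracer output: which phase dropped the packet?"""

# Constructed sample trace (not from the original post): the flow passes
# route lookup and is then denied by an access-list. Names are made up.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.29.4.16     255.255.255.240 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_in in interface inside
access-list inside_in extended deny tcp any any eq 3389
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Return (phases, final): a list of per-phase dicts and the summary dict.

    A line "Phase: N" opens a phase; the bare "Result:" line (no value) opens
    the end-to-end summary block that closes the trace.
    """
    phases, final = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase" and sep:
            current = {"phase": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif key == "Result" and sep and not value:
            current, section = None, "final"  # bare "Result:" = summary block
        elif section == "final":
            final[key] = value                # e.g. Action, Drop-reason
        elif current is None:
            continue                          # text before the first phase
        elif section is None and sep and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key == "Config" and sep and not value:
            section = "config"
        elif key == "Additional Information" and sep and not value:
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line)     # free-form lines, kept verbatim
    return phases, final


def triage(text):
    """Summarise a trace: verdict, interfaces, and the first DROP phase, if any."""
    phases, final = parse_trace(text)
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return {
        "action": final.get("Action", "").lower(),
        "path": f"{final.get('input-interface')} -> {final.get('output-interface')}",
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_config": drop["config"] if drop else [],
        "drop_reason": final.get("Drop-reason"),
    }


if __name__ == "__main__":
    import sys
    # Pipe a saved trace on stdin, or run without input to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    summary = triage(text)
    print(f"verdict: {summary['action']} ({summary['path']})")
    if summary["drop_phase"] is not None:
        print(f"dropped in phase {summary['drop_phase']} ({summary['drop_type']})")
        for cfg in summary["drop_config"]:
            print(f"  config: {cfg}")
    if summary["drop_reason"]:
        print(f"reason: {summary['drop_reason']}")
```

Capture the CLI output to a file (or paste it into stdin) and run the script; on a trace that ends in Action: allow it simply reports the verdict and the interface pair. When the dropping phase shows an empty Config block, which is what an implicit deny looks like, the Drop-reason line in the final block is the field worth reading.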
