Security

Cisco ASA Packet Trace: Your firewall debug friend

Lori Hyde explains how the Packet Trace tool works to help you debug firewall configurations. You can use this handy tool to see how a packet will be handled by your ASA in its current configuration.

 Firewall configurations can be tricky to debug. Especially when you think you have all the proper NAT statements, route statements, and access control lists in place, and it's still not working quite as you had planned. Have no fear, Packet Trace is here!

The Cisco ASA Packet Trace feature is a wonderful tool for finding out just how a packet will be handled by your ASA in its current configuration. The Packet Trace feature allows you to select an interface, then supply a couple of IP addresses and ports, and it will then trace the path that packet will take through your firewall and provide detailed results.

This tool can be accessed in a couple of different places via the Cisco ASDM. One of these places is in the Firewall'configuration screen on the NAT Rules tab. You'll see it near the top on the right-hand display.

Here is a screen shot of the initial packet trace setup.

Figure A

NOTE: Click to enlarge.

In Figure B, I've set up a trace for an internal IP going to an external Web site. As the packet is processed by the firewall, the individual steps are displayed in real time if you have the Show Animation box selected. These steps are further detailed in the Phase portion of the display. In the example, the results show that the firewall rules will allow this traffic as each step of the process is given a green check mark and the final results are reported as "The packet is allowed."

Figure B

NOTE: Click to enlarge.

You can drill down into each phase of the process to see exactly what steps were taken, which ACLs were used in processing the packet, what route was used, etc. Figures C, D, and E show the actual packet path and processing of our example flow.

In Figure C, we see the packet go through an access list check, a check for any existing matching traffic flows, and a valid route check.

Figure C

NOTE: Click to enlarge.

In Figure D, we see the NAT translation rules that are applied to this packet and the resulting dynamic translation (PAT) that is used.

Figure D

NOTE: Click to enlarge.

In Figure E, you can see that a Flow is created, its flow ID number, and the route that has been selected as well as the final result.

Figure E

NOTE: Click to enlarge.

The final example shows a flow that was not allowed through the firewall.

Figure F

NOTE: Click to enlarge.

As you can see from the above information, this simply wonderful tool can provide a wealth of information. This comes in handy whether you are debugging a critical issue, checking an access control list, or settling your curiousity about how your firewall is actually processing packets.

Editor's Picks