
How to troubleshoot an access-list issue on the Cisco ASA firewall

In this tutorial I am going to troubleshoot a packet that is being dropped by the firewall.

There are two ways you can do this:

  1. Through the firewall ASDM
  2. Through the command line

You can use the Cisco ASDM to run a packet trace, which shows you how the packet flows through the firewall. You will need to choose the source interface, the source IP and the destination IP.

In this example, we are going to check from the firewall whether IP address 192.168.221.1 is allowed to reach 10.100.100.1.

ASDM Example:

Log in to the ASDM using the browser.

  1. Click on Tools
  2. Click on Packet Tracer


In the screenshot below, we are going to check whether IP address 192.168.221.1, arriving on the inside interface, is allowed to reach 10.100.100.1 using the IP protocol.

  1. Choose the interface. In this case, traffic will be coming from the inside interface
  2. Choose the protocol type. IP in this case
  3. Choose the source IP
  4. Choose the destination IP
  5. Choose the protocol again and click Start


If the option to show the command line is selected, a window pops up with the equivalent CLI command. Click Send to start the packet tracer.


This will start the simulation, as shown below, and display all the phases the packet goes through.

 

2016-12-10-19_49_33-dctest2008-dctest2008-remote-desktop-connection

 

The first phase shows you the following:

  1. The route lookup, to see if the packet has a route to the destination
  2. The action, to see if the packet is allowed
  3. The route that was used. In this case it is the default route


Phase II shows the packet going through the access list:

  1. The access-list type
  2. The action. In this case it is dropping the packet


The final phase shows the result:

  1. The result shows that the packet is dropped
  2. It shows why the packet was dropped


Every packet may take a different path through the firewall and may go through additional phases such as VPN and NAT.

Below is the same example run from the command line interface. You can see the source IP is 192.168.22.1 and the destination IP is 10.100.100.1.

  1. Phase 1 is doing the route lookup, which resolves to the default route
  2. The action for the route lookup
  3. Phase 2 is doing the access-list lookup and shows the action performed by the ACL, which is a drop in this case
  4. You can see the action is "Drop"
  5. The final explanation of the drop action by the ACL
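When you run packet-tracer against many flows, reading the phases by hand gets tedious. The following Python script is an added example, not part of this tutorial, that parses a packet-tracer CLI transcript in the phase/Result/Action layout described above and reports which phase dropped the packet and why; the sample transcript is constructed for the scenario on this page, not captured from the author's firewall.

```python
import re

# Constructed sample of ASA "packet-tracer" CLI output for the scenario on this page: a packet
# from 192.168.221.1 to 10.100.100.1 entering on "inside" and denied by the access list.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(trace):
    """Split packet-tracer output into its per-phase records and the final summary block."""
    head, sep, tail = trace.rpartition("\nResult:\n")  # summary starts at the last bare "Result:"
    if not sep:
        raise ValueError("no final Result block found")
    phases = []
    for block in re.split(r"(?m)^(?=Phase: \d+)", head):
        if not block.startswith("Phase:"):
            continue
        fields = dict(re.findall(r"(?m)^(Phase|Type|Result): ?(.*)$", block))
        # The rule that matched sits between "Config:" and "Additional Information:".
        m = re.search(r"Config:\n(.*?)(?:^Additional Information:|\Z)", block, re.S | re.M)
        phases.append({"number": int(fields["Phase"]), "type": fields.get("Type", ""),
                       "result": fields.get("Result", ""), "config": m.group(1).strip() if m else ""})
    summary = dict(re.findall(r"(?m)^(Action|Drop-reason): (.*)$", tail))
    return phases, summary

def explain_drop(trace):
    """Return the first DROP phase and the firewall's drop reason, or None if the packet was allowed."""
    phases, summary = parse_trace(trace)
    if summary.get("Action") != "drop":
        return None
    hit = next((p for p in phases if p["result"] == "DROP"), None)
    return {"phase": hit["number"] if hit else None, "type": hit["type"] if hit else None,
            "config": hit["config"] if hit else None, "reason": summary.get("Drop-reason", "")}
```

Running `explain_drop(SAMPLE_TRACE)` points at phase 2 (ACCESS-LIST, Implicit Rule) with the acl-drop reason, which is exactly the information you need before adjusting the ACL.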


Once you know why your packet is being dropped, it becomes much easier to troubleshoot the issue. Now that you know the ACL is dropping the packet, you can adjust the ACL accordingly.
