How to troubleshoot an access-list issue on the Cisco ASA firewall
In this tutorial I am going to troubleshoot a packet that is being dropped by the firewall.
There are two ways you can do this:
- Through the firewall ASDM
- Through the command line
You can use the Cisco ASDM to run a packet trace, which shows you how the packet flows through the firewall. You will need to choose the source interface, the source IP, and the destination IP.
In this example, we are going to see if the IP address 192.168.221.1 is allowed to reach 10.100.100.1 from the firewall
ASDM Example:
Login to the ASDM using the browser
- Click on Tools
- Click on Packet Tracer
In the below screenshot, we are going to see whether IP address 192.168.221.1, arriving on the inside interface, is allowed to reach 10.100.100.1 using the IP protocol
- Choose the interface – in this case, traffic will be coming from the inside interface
- Choose the protocol type – IP in this case
- Choose the source IP
- Choose the destination IP
- Choose the Protocol again and click start
If the option to show the command line is selected, a window will pop up with the equivalent CLI command; click Send to start the packet trace
This will start the simulation like below and will show you all the phases
The first phase shows you the following
- Route lookup to see if the packet has a route to the destination
- Shows the action to see if it is allowed
- Shows you the route – in this case is the default route
Phase II shows the packet going thru the access list
- Shows the Access-list type
- Shows the action – in this case, it is dropping the packet
The final phase shows the result
- The result shows the packet is dropped
- Shows why the packet was dropped
Every packet may take a different route and may go thru more phases like VPN and NAT
Below is the same example run from the command line interface. You can see the source IP is 192.168.22.1 and the destination IP is 10.100.100.1
- Phase 1 is doing the route lookup, which resolves to the default route
- Action for the route lookup
- Phase 2 is doing the Access-List lookup and action that is performed by the ACL which is a drop action in this case
- You can see the action is “Drop”
- The final explanation about the drop action by the ACL
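The CLI output above is plain text with one block per phase followed by a final result block, so it can be parsed when you need to check many flows or keep a record of why something was dropped. The script below is an added example and is not part of the original tutorial or of Cisco's tooling: it builds the `packet-tracer` command that the ASDM form generates for TCP, UDP and ICMP, parses the phase output, and reports the first phase that returned DROP together with the access-list lines shown in that phase and the firewall's stated drop reason. The sample output embedded in `SAMPLE_OUTPUT` is constructed to mirror the layout of ASA packet-tracer output (interface names, ACL name and next-hop are made up), not a capture from the tutorial's firewall.

```python
"""Parse Cisco ASA `packet-tracer` CLI output into phases and pull out the
drop reason.  Added example; SAMPLE_OUTPUT is constructed to mirror the
packet-tracer layout and is not a capture from a real firewall."""
import re
from dataclasses import dataclass, field

# Constructed sample: route lookup ALLOWed, ACL phase DROPs, final verdict drop.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.100.254 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any log
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def build_command(ifc, proto, src, dst, sport=None, dport=None):
    """Return the CLI equivalent of the ASDM Packet Tracer form.
    tcp/udp need source and destination ports; for icmp the sport/dport
    arguments carry the ICMP type and code (defaults: echo request 8/0)."""
    proto = proto.lower()
    if proto in ("tcp", "udp"):
        if sport is None or dport is None:
            raise ValueError(f"{proto} requires source and destination ports")
        return f"packet-tracer input {ifc} {proto} {src} {sport} {dst} {dport}"
    if proto == "icmp":
        icmp_type = 8 if sport is None else sport
        icmp_code = 0 if dport is None else dport
        return f"packet-tracer input {ifc} icmp {src} {icmp_type} {icmp_code} {dst}"
    raise ValueError(f"unsupported protocol keyword: {proto}")


def parse_phases(text):
    """Split packet-tracer output into Phase objects plus the final verdict dict."""
    phases, verdict, current, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:                              # "Phase: N" opens a new block
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":              # bare "Result:" opens the final verdict block
            current, section = None, "verdict"
            continue
        if section == "verdict":
            key, _, val = line.partition(":")
            verdict[key.strip().lower()] = val.strip()
            continue
        if current is None:
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):   # per-phase "Result: ALLOW|DROP"
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, verdict


def find_drop(phases, verdict):
    """Triage summary: first phase that dropped the packet, the access-list
    lines it displayed, and the firewall's own drop reason; None if allowed."""
    for ph in phases:
        if ph.result.upper() == "DROP":
            return {
                "phase": ph.number,
                "type": ph.type,
                "acl_lines": [c for c in ph.config if c.startswith("access-list ")],
                "action": verdict.get("action", ""),
                "drop_reason": verdict.get("drop-reason", ""),
            }
    return None


if __name__ == "__main__":
    print(build_command("inside", "tcp", "192.168.221.1", "10.100.100.1", 12345, 80))
    phases, verdict = parse_phases(SAMPLE_OUTPUT)
    for ph in phases:
        print(f"Phase {ph.number}: {ph.type} -> {ph.result}")
    print(find_drop(phases, verdict))
```

Feed it the output of the command it prints (or the CLI preview the ASDM shows you) and it tells you which phase to look at first; when the dropping phase is ACCESS-LIST, the `acl_lines` entry is the rule to adjust, as the tutorial describes.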
Once you know why your packet is being dropped, the issue becomes much easier to troubleshoot. Now that you know the ACL is dropping the packet, you can adjust the ACL accordingly.