How to troubleshoot an access-list issue on the Cisco ASA firewall

How to troubleshoot an access-list issue on the Cisco ASA firewall

On this tutorial I am going to troubleshoot a packet that is being dropped by the firewall –

There are two ways you can do this

  1. Thru the Firewall ASDM
  2. Thru the Command line

You can use the Cisco ASDM to do a packet trace which will show you how the packet is flowing thru the firewall. you will need to choose the source interface, source IP, and source interface

In this example, we are going to see if the IP address is allowed to reach from the firewall

ASDM Example:

Login to the ASDM using the browser

  1.  Click on Tools
  2. Click on Packet Tracer

In the below screenshot – we are going to see IP address from the inside interface is allowed to reach on IP protocol

  1. Choose the interface – in this case, traffic will be coming from the inside interface
  2. Choose the protocol type – IP in this case
  3. Choose the source IP
  4. Choose the destination IP
  5. Choose the Protocol again and click start

This will pop up a window if the option to is selected to show you the command line, click send to start the packet trace

This will start the simulation like below and will show you all the phases

The first phase shows you the following

  1. Route Look up to see if the packet has a route to the destination
  2. Shows the action to see if it is allowed
  3. Shows you the route – in this case is the default route

Phase II shows the packet going thru the access list

  1.  Shows the Access-list type
  2. Shows the action – in this case, it is dropping the packet

The final phase shows the result

  1. The result shows the packet is dropped
  2. Shows why the packet was dropped


Every packet may take a different route and may go thru more phases like VPN and NAT

Below is the same example by running the command line interface.  you can see the source IP is and the destination IP is

  1.  Phase is doing the route lookup which is the default route
  2. Action for the route lookup
  3. Phase 2 is doing the Access-List lookup and action that is performed by the ACL which is a drop action in this case
  4.  You can see the action is “Drop”
  5. The final explanation about the drop action by the ACL

Once you know why your packet is being dropped, it becomes easier to troubleshoot the issue – Now that you know that the ACL is dropping the packet – you can adjust the ACL accordingly

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button