
[solved] How to troubleshoot an access-list issue on the Cisco ASA firewall

In this tutorial I am going to troubleshoot a packet that is being dropped by the firewall.

There are two ways you can do this:

  1. using the Cisco ASA Firewall ASDM
  2. using the Cisco command line

You can use the Cisco ASDM to run a packet trace, which shows you how the packet flows through the firewall. You will need to choose the source interface, the source IP and the destination IP.

In this example, we are going to see if IP address is allowed to reach from the firewall

ASDM Example:

Log in to the ASDM using the browser.

  1. Click on Tools
  2. Click on Packet Tracer


In the screenshot below, we are going to check whether IP address from the inside interface is allowed to reach over the IP protocol.

  1. Choose the interface; in this case, traffic will be coming from the inside interface
  2. Choose the protocol type; IP in this case
  3. Choose the source IP
  4. Choose the destination IP
  5. Choose the protocol again and click Start


If the option to show the command line is selected, a window will pop up with the equivalent CLI command; click Send to start the packet tracer.


This starts the simulation, as shown below, and shows you all the phases.


The first phase shows you the following:

  1. Route lookup, to see whether the packet has a route to the destination
  2. The action, i.e. whether the packet is allowed
  3. The route taken; in this case it is the default route


Phase 2 shows the packet going through the access list:

  1. Shows the access-list type
  2. Shows the action; in this case it is dropping the packet


The final phase shows the result:

  1. Result shows the packet is dropped
  2. Shows why the packet was dropped


Every packet may take a different route and may go through more phases, such as VPN and NAT.

Below is the same example run from the command line interface. You can see the source IP is and the destination IP is

  1. Phase 1 does the route lookup, which matches the default route
  2. Action for the route lookup
  3. Phase 2 does the access-list lookup and shows the action performed by the ACL, which is a drop in this case
  4. You can see the action is “Drop”
  5. The final output explains the “drop action” by the ACL
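
As an added example (not part of the original tutorial), here is a small Python helper that does by script what the steps above do by eye: it splits packet-tracer CLI output into its phases and pulls out the phase whose Result is DROP together with the trace's Drop-reason line. The output it parses is a constructed, abbreviated sample modelled on the ASA packet-tracer format, with placeholder addresses.

```python
import re

# Constructed sample of "packet-tracer" output, modelled on the ASA format:
# one block per phase, then a summary block that starts with "Result:".
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
found next-hop 198.51.100.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(output):
    """One dict per phase: Phase, Type, Result and the matched Config text
    (the lines between 'Config:' and 'Additional Information:')."""
    phases = []
    for block in re.split(r"\n[ \t]*\n", output.strip()):
        if not block.startswith("Phase:"):
            continue  # the trailing summary block is not a phase
        fields = dict(m.groups() for m in re.finditer(
            r"^(Phase|Type|Result):[ \t]*(.*)$", block, re.M))
        cfg = re.search(r"^Config:\n(.*?)^Additional Information:", block, re.M | re.S)
        fields["Config"] = cfg.group(1).strip() if cfg else ""
        phases.append(fields)
    return phases


def find_drop(output):
    """First phase with Result DROP, paired with the trace's Drop-reason line,
    so the operator sees which rule (here the implicit deny) to adjust."""
    for phase in parse_phases(output):
        if phase.get("Result") == "DROP":
            reason = re.search(r"^Drop-reason:[ \t]*(.*)$", output, re.M)
            return {**phase, "Drop-reason": reason.group(1).strip() if reason else ""}
    return None
```

Running `find_drop` on a trace that was allowed end to end returns `None`, so the same helper can be used to confirm a fix after the ACL has been adjusted.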


Once you know why your packet is being dropped, it becomes easier to troubleshoot the issue. Now that you know the ACL is dropping the packet, you can adjust the ACL accordingly.
