How to troubleshoot access related problems in Cisco ASA

Cisco ASA software version 7.2(1) and later includes a very powerful troubleshooting feature that virtually eliminates the guesswork. Packet-tracer allows a firewall admin to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses along with protocol and port information.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that permits or denies the packet, including a hit on the implicit deny. When the access-list is allowing traffic:

asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.10 23

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group inside in interface inside access-list inside extended permit ip any 10.4.1.0 255.255.255.0

When the access-list is not allowing traffic:

asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.2.1 5282

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config: access-group inside in interface inside access-list inside extended deny tcp any host 10.4.2.1 eq 5282

Evaluations of other elements of the config are similarly specific. Here is an example with nat-control enabled but without proper address translation defined:

asaTestlab# packet-tracer input DMZ tcp 10.2.1.1 1024 10.4.2.1 http

Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZ) 0 access-list NoNAT
nat-control
   match ip DMZ any outside any
      no translation group, implicit deny
      policy_hits = 1
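As an added example (not part of the original post or of the ASA software), a small Python parser that reads packet-tracer output in the shape shown above and reports the first phase that dropped the packet, which is the phase to fix. The sample text is constructed to match the page's examples; it handles both the single-line `Config: ...` form and the multi-line form terminated by `Additional Information:`.

```python
import re

# Constructed sample in the shape packet-tracer prints (not a real ASA capture).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any host 10.4.2.1 eq 5282
Additional Information:

Result:
Action: drop
"""

def parse_phases(text):
    """One dict per 'Phase:' block with Type, Subtype, Result and 'Config' (the lines
    between 'Config:' and 'Additional Information:'); the bare summary 'Result:' ends parsing."""
    phases, current, in_config = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(Phase|Type|Subtype|Result|Config):\s*(.*)", line)
        key, value = (m.group(1), m.group(2).strip()) if m else (None, None)
        if key == "Phase":
            current = {"Phase": value, "Config": ""}
            phases.append(current)
            in_config = False
        elif current is None or (key == "Result" and value == ""):
            current = None  # final summary reached; no further phases follow
        elif key == "Config":
            current["Config"], in_config = value, True
        elif key:
            current[key] = value
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config and line:
            current["Config"] = (current["Config"] + " " + line).strip()
    return phases

def first_drop(text):
    # The first DROP phase is the one to fix; None means the packet was allowed end to end.
    return next((p for p in parse_phases(text) if p.get("Result") == "DROP"), None)
```

Paste the output of a real `packet-tracer ... detailed` run into `first_drop` to get the dropping phase's Type and the exact ACE or NAT rule the ASA matched.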

Packet-tracer does more than just inject a ‘virtual’ packet into the data-plane. We can also add the ‘trace’ option to the capture command, so that actual packets the security appliance receives (which are matched by the capture) are also traced.

Example: ASA# capture mycap access-list 199 interface outside trace

To view the packet trace for captured packet #3 in the capture, use the command: ASA# show capture mycap trace packet-number 3