Cisco Defense Orchestrator

ASA Packet Tracer

About ASA Packet Tracer

Packet tracer allows you to send a synthetic packet into the network and evaluate how the existing routing configuration, NAT rules, and policy configurations affect that packet. Use this tool to troubleshoot these kinds of issues:

  • Users report that they cannot reach resources that they should be able to.
  • Users report that they can reach resources they should not be able to.
  • Test a policy to determine if it works as you expect.

Packet tracer can be used on a live, online ASA device, either physical or virtual. It does not work on ASA models, which are not live devices. Packet tracer evaluates packets based on the saved configuration on the ASA; staged changes on CDO are not evaluated.

We consider it a best practice to run packet tracer on an ASA that is in the synced state. Though packet tracer will run if the device is not synced, you could encounter unexpected results. For example, if you deleted a rule in the staged configuration on CDO, and that same rule was triggered on the ASA during packet tracing, CDO won't be able to show you the result of the packet's interaction with that rule.

Troubleshooting with ASA Packet Tracer

As packet tracer sends the packet through the routing configuration, NAT rules, and security policies of your ASA, it displays the packet's status at each step. If the packet is allowed by the policy, it receives a green checkmark. If the packet is denied and dropped, CDO displays a red X.

Packet tracer also displays a real-time log of the result of the packet trace. In the example below, you can see where a rule denied a TCP packet.

(Figure: packet tracer log showing a rule denying a TCP packet)

Troubleshoot an ASA Device Security Policy

  1. From the Devices & Services page, select your ASA, and click Troubleshoot in the Actions pane.
  2. In the Values pane, select the interface and packet type you want to send virtually through your ASA.
  3. (Optional) If you want to trace a packet where the security group tag value is embedded in the Layer 2 CMD header (TrustSec), check SGT number and enter the security group tag number, 0-65535.
  4. Specify the source and destination. You can specify IPv4 or IPv6 addresses, fully-qualified domain names (FQDN), or security group names or tags if you use Cisco TrustSec. For the source address, you can also specify a username in the format Domain\username.
  5. Specify other protocol characteristics:
  • ICMP—Enter the ICMP type, ICMP code (0-255), and optionally, the ICMP identifier.
  • TCP/UDP/SCTP—Enter the source and destination ports by selecting them from the list or entering a value in the port combo box.
  • IP—Enter the protocol number, 0-255.
  6. Click Run Packet Tracer.
  7. Continue with Analyze Packet Tracer Results.

Troubleshoot an Access Rule

  1. Select Policies > Network Policies.
  2. Select a policy that is associated with your ASA.
  3. Select a rule in the network policy to troubleshoot and click Troubleshoot in the details pane. Notice that in the Values pane of the Troubleshoot page, many of the fields are pre-populated with the attributes of the rule you chose.
  4. Enter information in the remaining required fields. Once you have completed all the required fields the Run Packet Tracer button becomes active.
  5. Click Run Packet Tracer.
  6. Continue with Analyze Packet Tracer Results.

Troubleshoot a NAT Rule

  1. From the Devices & Services page, select your ASA, and click View NAT Rules in the Actions pane.
  2. Select the rule from the NAT Rules table that you want to troubleshoot and click Troubleshoot in the details pane. Notice that in the Values pane of the Troubleshoot page, many of the fields are pre-populated with the attributes of the rule you chose.
  3. Enter information in the remaining required fields. Once you have completed all the required fields, the Run Packet Tracer button becomes active.
  4. Click Run Packet Tracer.
  5. Continue with Analyze Packet Tracer Results.

Troubleshoot a Twice NAT Rule

  1. From the Devices & Services page, select your ASA, and click View NAT Rules in the Actions pane.
  2. Select the rule from the NAT Rules table that you want to troubleshoot and click Troubleshoot in the details pane.
    For a bi-directional Twice NAT rule, this opens a dropdown where you choose to troubleshoot the source packet translation or the destination packet translation.
  3. Enter information in the remaining required fields. Once you have completed all the required fields, the Run Packet Tracer button becomes active.
  4. Click Run Packet Tracer.

Analyze Packet Tracer Results

Whether the packet is dropped or allowed, you can learn why by expanding a row in the packet trace table and reading the rule or logging information related to that action. In the example below, packet tracer identified an access list policy that included a rule to deny an IP packet coming from any source and going to any destination. If this is not the action you want, you can click the View in Network Policies link and edit that rule immediately. After you edit the rule, be sure to write that configuration change to the ASA and then re-run packet tracer to ensure that you get the access results you expect. 

Along with the packet tracer results, CDO displays the real-time logs from the ASA. 

(Figure: packet tracer results showing an access list rule that denies IP traffic from any source to any destination)
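The per-step allow/drop status and the denying rule that CDO surfaces above are the same information carried in the ASA's own packet-tracer CLI output. As an added example that is not part of this page or of CDO, the following Python parses a constructed trace in that output format (the format is assumed from the ASA CLI, not taken from this page) and reports the first phase that dropped the packet together with the configuration lines responsible and the final drop reason.

```python
import re

# Constructed sample in the shape of ASA "packet-tracer" CLI output (assumed
# format, not from this page). Phase 2 is an ACL with "deny ip any any".
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.51.100.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Return (phases, summary): one dict per Phase block plus the final
    Result block as a key/value dict. Blocks are separated by blank lines."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Result:"):
            summary = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
            continue
        phase, section = {"config": [], "info": []}, None
        for line in lines:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section is None and ": " in line:
                key, value = line.split(": ", 1)
                phase[key.lower()] = value  # phase, type, subtype, result
            elif section and line:
                phase[section].append(line)
        phases.append(phase)
    return phases, summary

def first_drop(trace):
    """Return (phase type, config lines, drop reason) for the first DROP
    phase, or None when every phase allows the packet."""
    phases, summary = parse_phases(trace)
    for p in phases:
        if p.get("result") == "DROP":
            return p["type"], p["config"], summary.get("Drop-reason")
    return None
```

Running first_drop on the sample points at the ACCESS-LIST phase and the deny ip any any line, which is the row you would expand in the CDO results table.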