Cisco ASA firewall's hugely effective troubleshooting command: packet-tracer

Source: original article on this site | Category: CISCO

Most people are used to running traceroute on a PC or a network device to trace the path a packet takes from one device to another. The PIX/ASA also has a command that traces a packet from one interface to another and shows every step of the internal processing it goes through along the way, such as ACL, NAT and VPN.
Packet-Tracer
New Reader Tip: Troubleshooting Access Problems Using Packet-Tracer
Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be
easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.
Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to
inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups,
ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses
with protocol and port information.
Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch),
and the ability to navigate quickly to a failed policy.
Here is the CLI syntax:
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific
ACE that either permits or denies the packet, including a hit on the implicit deny.
asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any 10.4.1.0 255.255.255.0
Additional Information:
asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.2.1 5282
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any host 10.4.2.1 eq 5282
Additional Information:
Evaluations of other elements of the config are similarly specific. Here is an example with nat-control enabled but without proper address translation defined:
asaTestlab# packet-tracer input DMZ tcp 10.2.1.1 1024 10.4.2.1 http
Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (DMZ) 0 access-list NoNAT
nat-control
match ip DMZ any outside any
no translation group, implicit deny
policy_hits = 1
--------------------------------------------
A real case: a remote-access VPN was configured on a PIX 515E running OS 7.2. The VPN client connected normally, but it could not ping any IP address on the firewall's inside network.
Looking at the client statistics, there were many discarded packets and a large number of sent bytes, but received bytes were 0 and decrypted packets were 0, so the packets were clearly getting through but the replies were not coming back.
Where was the problem? Reading the configuration line by line is tedious and makes it hard to find the fault, so packet-tracer was used to simulate a packet entering on the outside interface and going to the inside interface, and to see how it is processed:
Pix1(config)# packet-tracer input outside tcp 172.16.70.200 1024 172.16.10 23
———————– Simulate the outside-interface address 172.16.70.200 telnetting to 172.16.10 on the inside interface
———————– The packet enters through the outside interface
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
———————– Route lookup, OK
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.100.0 255.255.255.0 inside
———————– Check the ACL on outside, OK
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 102 in interface outside
access-list 102 extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
———————– IPsec encryption is applied, OK; at this point the packet should be sent from inside to outside
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
———————– The return packet should have been IPsec-encrypted, but instead it runs into the NAT check: clearly the nat 0 (NAT exemption) entry was never defined.
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 access-list vpnl2l_list
nat (inside) 1 access-list 101
nat-control
match ip inside any outside any
dynamic translation to pool 1 (58.248.27.57)
translate_hits = 75970, untranslate_hits = 87806
Additional Information:
———————– The final result is drop
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
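On a busy firewall a full packet-tracer trace can run to a dozen phases, so it helps to have a small script that splits the output into phases and reports the first one that returns DROP together with the Drop-reason. The parser below is an added example, not code from the original post or from Cisco; the sample trace embedded in it is a constructed, abridged copy of the remote-access VPN trace above.

```python
import re
# Constructed sample, abridged from the VPN trace above (typed in for the example, not a live capture).
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 access-list vpnl2l_list
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts plus the final summary dict."""
    phases, final, cur, section = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:  # "Phase: N" starts a new block
            cur = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            cur = None
        elif cur is None:  # summary lines: input-interface, Action, Drop-reason, ...
            key, _, val = line.partition(":")
            final[key] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None:  # Type / Subtype / Result header lines of the phase
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        else:  # matched config lines or additional information of the phase
            cur[section].append(line)
    return phases, final

def first_drop(text):
    """Return (phase dict, Drop-reason) for the first DROP phase, or None if nothing was dropped."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return None if drop is None else (drop, final.get("Drop-reason", ""))
```

Pipe the output of `packet-tracer ... | more` (without the CLI prompt line) into `first_drop` and it points straight at the phase, and the matching config lines, that killed the packet.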

Source: CCIE那點事, http://www.qdxgqk.live/?p=302