ASA Packet Tracer

28 June 2014

Cisco ASA includes a very useful debugging feature called packet-tracer. You can inject a synthetic packet and trace it as it travels through the different processing phases, and quickly determine whether or not the packet will pass through. I'm using this quite often to verify traffic passing through ACL rules, NAT rules and VPN, but its use is not limited to these.

Command syntax

packet-tracer input <source interface> <protocol> <source IP> <source port> <destination IP> <destination port> [detailed]

Sample output

ASA-5505# packet-tracer input inside tcp x.x.x.x 80 y.y.y.y 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Phase: 6
Type: NAT
Subtype:
Result: ALLOW

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
New flow created with id 3256277, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
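The output has a regular shape (numbered "Phase:" blocks with Type/Subtype/Result, then a closing "Result:" block with the Action), so it is easy to check automatically, for example when validating a firewall change. Below is an added Python example, not code from the original post, that parses that output and reports which phase stopped a packet; the denied-flow sample it ships with is constructed, not captured from a real device.

```python
# Added example (not from the original post): parse ASA packet-tracer output and
# report where a packet was stopped. "key: value" lines split on the first colon.
def parse_packet_tracer(text):
    """Split packet-tracer output into Phase blocks and the final Result block."""
    phases, final, current, in_result = [], {}, None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Phase:"):                      # start of a new phase block
            current = {"number": int(line.split(":", 1)[1]), "notes": []}
            phases.append(current)
            in_result = False
        elif line == "Result:":                            # closing summary block
            current, in_result = None, True
        elif in_result:
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()     # action, drop-reason, ...
        elif current is not None:
            key, sep, value = line.partition(":")
            if sep and key in ("Type", "Subtype", "Result"):
                current[key.lower()] = value.strip()
            else:                                          # e.g. "New flow created ..."
                current["notes"].append(line)
    return phases, final

def verdict(text):
    """Final Action plus, for a drop, the phase that stopped the packet and the reason."""
    phases, final = parse_packet_tracer(text)
    blocked = next((p for p in phases if p.get("result", "ALLOW") != "ALLOW"), None)
    return {
        "action": final.get("action"),
        "drop_phase": f"{blocked['type']}/{blocked.get('subtype', '')}" if blocked else None,
        "drop_reason": final.get("drop-reason"),
    }

# Constructed sample of a denied flow (not captured from a real device).
DROP_SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Feeding the real device output to verdict() gives the same dictionary, so the check can be run over a list of flows and compared against the expected action.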