
Cisco ASA Firewall: A Highly Effective Troubleshooting Command

Date: 2015/6/28  Source: IT猫扑网  Author: 网管联盟

  Most people are familiar with traceroute on a PC or network device, which tracks the path a packet takes from one device to another. The PIX/ASA has a similar command that tracks a packet from one interface to another and shows each step of the internal processing it goes through, such as ACL, NAT and VPN.

  Packet-Tracer

  New Reader Tip: Troubleshooting Access Problems Using Packet-Tracer

  Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.

  Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.

  Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch), and the ability to navigate quickly to a failed policy.

  Here is the CLI syntax:

  packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

  A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.

  asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.1.1 23
  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside in interface inside
  access-list inside extended permit ip any 10.4.1.0 255.255.255.0
  Additional Information:

  asaTestlab# packet-tracer input inside tcp 10.1.1.1 1024 10.4.2.1 5282
  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: DROP
  Config:
  access-group inside in interface inside
  access-list inside extended deny tcp any host 10.4.2.1 eq 5282
  Additional Information:

  Evaluations of other elements of the config are similarly specific. Here is an example with nat-control enabled but without proper address translation defined:

  asaTestlab# packet-tracer input DMZ tcp 10.2.1.1 1024 10.4.2.1 http
  Phase: 7
  Type: NAT
  Subtype:
  Result: DROP
  Config:
  nat (DMZ) 0 access-list NoNAT
  nat-control
  match ip DMZ any outside any
  no translation group, implicit deny
  policy_hits = 1

  --------------------------------------------

  A worked case: a PIX 515E running OS 7.2 was configured for remote-access VPN. A VPN client connected normally, but could not ping any IP address on the firewall's inside network. The client statistics showed many discarded packets, a large "sent bytes" count, "received bytes" 0 and "decrypted" 0, so packets were clearly going out but nothing was coming back. Where was it failing? Reading the configuration line by line is tedious and makes the problem hard to spot, so packet-tracer was used to simulate a packet entering the outside interface and follow its processing toward the inside interface:

  Pix1(config)# packet-tracer input outside tcp 172.16.70.200 1024 172.16.10 23

  ----------------------- Simulates 172.16.70.200 on the outside interface telnetting to 172.16.10 on the inside interface
  ----------------------- The packet enters through the outside interface

  Phase: 1
  Type: FLOW-LOOKUP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Found no matching flow, creating a new flow

  ----------------------- Route lookup: OK


  Phase: 2
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in 172.16.100.0 255.255.255.0 inside

  ----------------------- Check the ACL on the outside interface: OK

  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group 102 in interface outside
  access-list 102 extended permit ip any any
  Additional Information:

  Phase: 4
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:

  Phase: 5
  Type: CP-PUNT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:

  ----------------------- IPsec encryption is applied, OK; at this point the packet should be on its way from inside to outside

  Phase: 6
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:

  ----------------------- The return packet should have been IPsec encrypted, but instead it is subjected to the NAT check; clearly the nat 0 (NAT exemption) entry was never defined.

  Phase: 7
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside) 0 access-list vpnl2l_list
  nat (inside) 1 access-list 101
  nat-control
  match ip inside any outside any
  dynamic translation to pool 1 (58.248.27.57)
  translate_hits = 75970, untranslate_hits = 87806
  Additional Information:

  ----------------------- The final result is drop

  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
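  Reading the phases by eye works for one trace, but the same check is easy to automate when many traces are collected. The following Python parser is an added example, not part of the article or of Cisco's tooling: it walks packet-tracer output phase by phase and reports the first phase that returned DROP, the Config lines that phase evaluated, and the final Drop-reason. The sample input is trimmed from the article's own PIX 7.2 output above.

```python
# Constructed sample, trimmed from the PIX 7.2 packet-tracer output in the article above.
SAMPLE = """\
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 0 access-list vpnl2l_list
nat (inside) 1 access-list 101
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into a list of per-phase dicts and the final summary dict."""
    phases, summary, cur, in_config = [], {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):
            cur, in_config = {"phase": int(line.split(":", 1)[1]), "config": []}, False
            phases.append(cur)
        elif line == "Result:":                  # bare "Result:" opens the trailing summary
            cur, in_config = None, False
        elif line == "Config:":
            in_config = True
        elif line.startswith("Additional Information"):
            in_config = False
        elif in_config and cur is not None and line:
            cur["config"].append(line)           # the rule(s) this phase evaluated
        elif ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            (summary if cur is None else cur)[key.lower()] = val
    return phases, summary

def first_drop(text):
    """Return (phase, type, subtype, config, drop_reason) for the first DROP, or None if allowed."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p.get("result", "").upper() == "DROP":
            return p["phase"], p["type"], p.get("subtype", ""), p["config"], summary.get("drop-reason", "")
    return None
```

  On the article's trace this reports phase 7 NAT/rpf-check with the two nat (inside) lines, which is exactly the point at which the VPN return path was being denied.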
