User Guide for Cisco Security Manager 4.4 (OL-28826-01), page 69-13
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Analyzing an ASA or PIX Configuration Using Packet Tracer
To use Packet Tracer:
Step 1 (Device view) Right-click the ASA or PIX 7.2.1+ device and select Packet Tracer on the shortcut
menu to open the Packet Tracer window.
Step 2 Select the interface on which the modeled packet enters the device from the Interfaces list. The list
contains all interfaces defined on the device; the trace follows the packet from that ingress interface.
Step 3 Model the packet that you want to trace by configuring the following fields:
Packet Type—Select whether you are tracing a TCP, UDP, ICMP, or IP packet.
Source, Destination IP Address—Select from the following address types and enter the host
addresses for both ends of the communication (from source to destination):
IP Address of the host.
User (source only). For example, DOMAIN\Administrator. The IP address mapped to the user
is used for the trace. You must enable identity-aware firewall by configuring identity options to
use this type of address.
FQDN, or fully-qualified domain name, of the host. For example, host.example.com. You must
configure DNS to use this type of address.
Security Name (ASA 9.x+ only).
Security Tag (ASA 9.x+ only).
Source, Destination Port (TCP and UDP only)—Enter, or select, the port numbers that represent
the traffic type. The selection list uses names that equate to the standard port numbers for the named
application. For example, selecting http is the same as entering 80.
Type, Code, ID (ICMP only)—When modeling an ICMP packet, you must enter values in all of
these fields:
Type—Select the ICMP packet type or enter the equivalent number. The list includes all main
ICMP types. For a complete list of types and related codes, see RFC 1700 at
http://www.ietf.org/rfc/rfc1700.txt and search for “ICMP Type Numbers.” Note that RFC 1700 has
since been obsoleted (by RFC 3232); the IANA ICMP Parameters registry is the current source.
Code—Enter 0 unless you are modeling a packet type that has non-zero codes. These are
destination unreachable (type 3, codes 0-12), redirect (type 5, codes 0-3), time exceeded (type
11, codes 0-1), and parameter problem (type 12, codes 0-2). See RFC 1700 for code
explanations, and note that additional codes have been introduced in later RFCs.
ID—You must enter a value for ID even though the field is used by a limited number of message
types only. The ID is used for ICMP types that come in request and reply pairs, such as echo
request and echo reply, to help match replies to requests. The value must be between 1 and 255.
Protocol (IP only)—Enter the number that identifies the next-level protocol carried in the IP
header's Protocol field (for example, 6 for TCP, 17 for UDP, 47 for GRE). For a complete list of
protocol numbers, see RFC 1700 at http://www.ietf.org/rfc/rfc1700.txt and search for the “Protocol
Numbers” heading, or consult the current IANA Protocol Numbers registry. As of the writing of this
topic, numbers 1-54 and 61-100 represented values assigned to actual protocols from the accepted
range of 0-255.
Step 4 If you want to see the progress of the trace while it is happening, select Show animation. Otherwise, the
window is not updated with the results until the trace is completed.
Step 5 Click Start to trace the packet.
The policies are examined, and the bottom of the window shows the results in two forms: graphical and
detailed information. The graphical view summarizes the phases evaluated in the packet’s path.
Checkmarks indicate the packet passed the phase; a red X indicates the packet was dropped at that point,
and no later phases are evaluated. The detailed view shows, for each phase, the rule or configuration that
produced the result and, for a dropped packet, the drop reason reported by the device.
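The procedure above models a packet in the GUI; under the hood the device evaluates it with the ASA's own packet-tracer command. The following is an added example, not code from the Cisco Security Manager guide: it composes that command from the same fields Steps 2 and 3 ask for (with the ICMP code and ID checks and the 0-255 protocol range the text describes), then parses a trace result into the per-phase pass/drop strip that Step 5 describes. The command syntax is assumed from the ASA CLI (packet-tracer input <interface> {tcp|udp|icmp|rawip} ...); passing a user or FQDN as 'user DOMAIN\name' or 'fqdn host' is likewise assumed from the ASA CLI reference and not shown on this page. The sample output is constructed, not captured from a device.

```python
"""Compose an ASA packet-tracer command from a modeled packet and summarize its phases.

Added example; not from the Cisco Security Manager guide. Command syntax assumed
from the ASA CLI; SAMPLE_OUTPUT below is constructed, not captured from a device.
"""

# ICMP types the page lists as having non-zero codes (RFC 1700 values).
# Any type not listed here only accepts code 0.
ICMP_CODES = {3: range(0, 13), 5: range(0, 4), 11: range(0, 2), 12: range(0, 3)}


def validate_icmp(icmp_type, icmp_code, icmp_id):
    """Return a list of problems with the ICMP fields; an empty list means valid."""
    problems = []
    if not 0 <= icmp_type <= 255:
        problems.append(f"type {icmp_type} outside 0-255")
    if icmp_code not in ICMP_CODES.get(icmp_type, range(0, 1)):
        problems.append(f"code {icmp_code} not valid for type {icmp_type}")
    if not 1 <= icmp_id <= 255:  # range the guide gives for the tool's ID field
        problems.append(f"id {icmp_id} outside 1-255")
    return problems


def build_packet_tracer(interface, packet_type, src, dst, *, sport=None, dport=None,
                        icmp_type=None, icmp_code=0, icmp_id=None, ip_proto=None,
                        detailed=True):
    """Compose the ASA command for one modeled packet (src/dst are used verbatim)."""
    packet_type = packet_type.lower()
    parts = ["packet-tracer", "input", interface]
    if packet_type in ("tcp", "udp"):
        if sport is None or dport is None:
            raise ValueError("TCP/UDP need source and destination ports")
        for port in (sport, dport):
            if not 0 <= port <= 65535:
                raise ValueError(f"port {port} outside 0-65535")
        parts += [packet_type, src, str(sport), dst, str(dport)]
    elif packet_type == "icmp":
        if icmp_type is None or icmp_id is None:
            raise ValueError("ICMP needs type, code and id")
        problems = validate_icmp(icmp_type, icmp_code, icmp_id)
        if problems:
            raise ValueError("; ".join(problems))
        parts += ["icmp", src, str(icmp_type), str(icmp_code), str(icmp_id), dst]
    elif packet_type == "ip":
        if ip_proto is None or not 0 <= ip_proto <= 255:
            raise ValueError("IP needs a protocol number in 0-255")
        parts += ["rawip", src, str(ip_proto), dst]  # ASA keyword for a bare IP packet
    else:
        raise ValueError(f"unknown packet type {packet_type!r}")
    if detailed:
        parts.append("detailed")
    return " ".join(parts)


def parse_trace(output):
    """Parse packet-tracer text output into per-phase results plus the final verdict."""
    phases, current = [], None
    verdict = {"action": None, "drop_reason": None}
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase":
            current = {"phase": int(value), "type": "", "subtype": "", "result": None}
            phases.append(current)
        elif key == "Result" and value == "":
            current = None  # bare "Result:" opens the trailing summary block
        elif current is not None and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key == "Action":
            verdict["action"] = value.lower()
        elif key == "Drop-reason":
            verdict["drop_reason"] = value
    dropped = [p["phase"] for p in phases if p["result"] == "DROP"]
    verdict.update(phases=phases, dropped_at=dropped[0] if dropped else None)
    return verdict


def summarize(trace):
    """One line per phase, mirroring the GUI's checkmark / red X strip."""
    lines = [f"[{'ok' if p['result'] == 'ALLOW' else 'X '}] phase {p['phase']} "
             f"{p['type']} {p['subtype']}".rstrip() for p in trace["phases"]]
    tail = f"Action: {trace['action']}"
    if trace["drop_reason"]:
        tail += f"  ({trace['drop_reason']})"
    return "\n".join(lines + [tail])


# Constructed sample of "packet-tracer ... detailed" output: a telnet probe that the
# inside interface's ACL drops in phase 2. Not captured from a real device.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq 23
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(build_packet_tracer("inside", "tcp", "10.1.1.10", "203.0.113.5",
                              sport=40000, dport=23))
    print(summarize(parse_trace(SAMPLE_OUTPUT)))
```

The parser keys on the "Phase:", "Type:", "Subtype:" and "Result:" lines and treats the bare "Result:" line as the start of the closing summary, so configuration text inside a phase (which may itself contain colons) is ignored rather than misread as a field.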