Cisco ASA Firewall: the Extremely Useful Troubleshooting Command packet-tracer
People often use traceroute on a computer or network device to trace the path a packet takes from one device to another. The PIX actually has a command that traces a packet from one interface to another through the firewall's internal processing steps, such as ACL, NAT and VPN.
Packet-Tracer
New Reader Tip: Troubleshooting Access Problems Using Packet-Tracer
Troubleshooting access problems through a firewall is often very difficult, especially when speed to resolution is critical. Errors in long complex ACLs can be
easily overlooked, and access failures caused by NAT, IDS, and routing make the problem even more difficult.
Cisco has released an incredible new feature in ASA software version 7.2(1) that virtually eliminates the guesswork. Packet-tracer allows a firewall administrator to
inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups,
ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses
with protocol and port information.
Packet-tracer is available both from the CLI and in the ASDM. The ASDM version even includes animation (the value of which is questionable, but it is fun to watch),
and the ability to navigate quickly to a failed policy.
Here is the CLI syntax:
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
A few examples of truncated output show some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific
ACE that either permits or denies the packet, including a hit on the implicit deny.
asaTestlab# packet-tracer input inside tcp 1024 23
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside in interface inside
access-list inside extended permit ip any
Additional Information:
asaTestlab# packet-tracer input inside tcp 1024 5282
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside access-li
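The output above is what an administrator reads by hand; in practice the trace is often captured from a terminal and needs to be reduced to "which phase dropped the packet and which configuration line caused it". The following parser is an added example, not code from the original page or from Cisco. The sample trace it parses is constructed to match the phase layout shown above (Phase / Type / Subtype / Result / Config / Additional Information, followed by the final Result block with Action and Drop-reason); the interface names, addresses and access-list names in it are placeholders, and the protocol keywords accepted by build_command (tcp, udp, icmp) are an assumption about the common set rather than an exhaustive list for every ASA release.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of packet-tracer text output. Not captured from a real
# device; addresses, interface names and ACL names are placeholders.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.20.0.0       255.255.0.0     inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any any eq 5282
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
# Protocol keywords assumed for the command builder (not an exhaustive list).
PROTOCOLS = ("tcp", "udp", "icmp")


def build_command(src_int: str, proto: str, src: str, sport: int,
                  dst: str, dport: int, detailed: bool = False,
                  xml: bool = False) -> str:
    """Assemble the CLI line in the argument order the page documents:
    packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]"""
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol keyword: {proto}")
    for port in (sport, dport):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    parts = ["packet-tracer", "input", src_int, proto, src, str(sport), dst, str(dport)]
    if detailed:
        parts.append("detailed")
    if xml:
        parts.append("xml")
    return " ".join(parts)


def parse_trace(text: str) -> Dict:
    """Split a text-mode packet-tracer trace into per-phase records plus the
    final Action / Drop-reason. A blank line ends the current phase."""
    phases: List[Dict] = []
    action: Optional[str] = None
    drop_reason: Optional[str] = None
    current: Optional[Dict] = None
    section: Optional[str] = None  # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
            continue
        if not line:
            current, section = None, None
            continue
        if current is None:
            continue  # lines of the trailing Result block we do not keep
        if line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line.strip())
    return {"phases": phases, "action": action, "drop_reason": drop_reason}


def first_drop(parsed: Dict) -> Optional[Dict]:
    """Return the first phase whose Result is DROP, or None if the packet passed."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def summarize(text: str) -> str:
    """One-line verdict: the dropping phase and its Config lines (the ACE that
    denied the packet, for an ACCESS-LIST phase), or the final action."""
    parsed = parse_trace(text)
    drop = first_drop(parsed)
    if drop is None:
        return f"No drop; final action: {parsed['action']}"
    return (f"Phase {drop['phase']} {drop['type']}/{drop['subtype']} DROP: "
            f"{'; '.join(drop['config'])} ({parsed['drop_reason']})")


if __name__ == "__main__":
    print(build_command("inside", "tcp", "10.20.1.5", 1024, "192.0.2.10", 5282))
    print(summarize(SAMPLE_TRACE))
```

The parser keys on the field labels only, so it works on traces of any length; a phase with Result: ALLOW but an empty Config block is kept as well, which is useful for spotting the implicit deny, where the dropping ACCESS-LIST phase carries no ACE line at all.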