
Sunday, 25 March 2012

Cisco ASDM/CSM diagnostics on ASA - Part I: Packet Tracer


I am currently engaged in a role that involves a significant amount of ASA configuration. Having worked on Unified Comms and R&S for most of the last 5 years, I never really had a fascination for anything firewall related (especially not for the other brand called Checkpoint, crackpoint, schmeckpoint or whatever its name is). However, having worked on an ASA 5585 for the last few weeks, I guess it's time for a post related to this. This piece of kit is the dog's bollocks and (according to Cisco) capable of holding 10 million concurrent connections, blah blah blah, enough about that.
One of the first things I had to brush up on was my troubleshooting skills on this thing, with customers saying things like: "our end users can't connect to www.whatever.com.au on port 443". This post, and possibly more posts to follow, will address what troubleshooting tools are available to diagnose issues like this. It will be a more general post for a wider audience. This post is based on CSM 4.2, but I am pretty sure most of it can be used on ASDM as well.
Packet tracer, my favourite tool. I use this all the time to quickly verify whether traffic goes from A to B (or not), which ACL it hits and which NAT rules apply.


Packet Tracer




In the picture above, I have tested a traffic flow from the internet (source=4.2.2.2 s.port=61000 and destination 180.95.x.x d.port=7090), and as you can see the traffic is permitted. Remember that when entering the parameters in packet tracer you need to follow the direction of the traffic, starting from the IP address that is INITIATING it. In this case that is someone on the internet on 4.2.2.2 hitting the outside interface of the firewall with destination port 80.

In the picture above, the relevant static NAT rule that NATs the simulated traffic is detailed.

In the picture below, the ACE that allows the inbound traffic is displayed.



It displays the configured line that allows the simulated traffic.


Please remember that with CSM, the packet tracer tool can only simulate configuration that has already been deployed. In other words, jobs that have not been deployed yet will not be included in the configuration accessed by the packet tracer tool (i.e. the running config).

Overall, the packet tracer tool is a very basic tool that verifies simulated traffic flows against the running configuration. I have made it best practice to use it when troubleshooting connectivity issues across the ASA and to quickly verify whether the intended ACLs and NAT rules have the intended result.
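To make that ACL and NAT check repeatable, the added example below (not from the original post) parses a trace in the phase-by-phase text layout of the ASA CLI `packet-tracer` command and reports the first phase that did not allow the packet, together with the configuration lines it matched. The sample trace, its addresses and the object names `WEB-REAL`, `WEB-PUBLIC` and `OUTSIDE-IN` are constructed, and treating the CLI text as input instead of the CSM screens is an assumption.

```python
import re
# Constructed sample in ASA CLI `packet-tracer` output layout; documentation IPs.
SAMPLE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static WEB-REAL WEB-PUBLIC
Additional Information:
Untranslate 198.51.100.10/7090 to 10.0.0.10/7090

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group OUTSIDE-IN in interface outside
access-list OUTSIDE-IN extended deny ip any any
Additional Information:

Result:
Action: drop
"""

def parse_trace(text):
    """Return (phases, final_action); the trailing block holds the verdict."""
    phases, action = [], None
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines()]
        if not lines[0].startswith("Phase:"):
            action = next((l.split(":", 1)[1].strip() for l in lines
                           if l.startswith("Action:")), action)
            continue
        phase, section = {"config": []}, "fields"
        for line in lines:
            if line in ("Config:", "Additional Information:"):
                section = line          # switch from header fields to a body
            elif section == "Config:":
                phase["config"].append(line)   # rule lines the phase matched
            elif section == "fields":
                key, _, value = line.partition(":")
                phase[key.lower()] = value.strip()
        phases.append(phase)
    return phases, action

def first_drop(phases):
    """First phase whose result is not ALLOW, or None if every phase allowed."""
    return next((p for p in phases if p.get("result") != "ALLOW"), None)
```

For the sample, `first_drop` returns phase 2 (ACCESS-LIST), whose last config line is the deny entry that blocks the flow.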


 
