Basic Troubleshooting For traffic through ASA Firewall (2024)

Here are some basic ASA firewall troubleshooting tips for network traffic passing through the ASA. The commands below are basic checks you can run on an ASA firewall, in the order a transit-traffic problem is usually worked: interface state and security levels, routing and ARP, packet captures, and packet-tracer.

Task 1: How to check interfaces and security levels on the ASA firewall

1. Log in to the ASA firewall and enter enable mode

FWL001/act/pri> en
Password: *********
FWL001/act/pri#

2. Use the following commands to check the status, addressing and security level of the interfaces. In show interface ip brief a transit interface must be up/up: administratively down means it is shut down in the configuration, and down/down (GigabitEthernet0/0 below) means it is enabled but has no link. show ip confirms the address, mask and interface name (nameif), and show nameif lists the security level of each named interface.

FWL001/act/pri# show interface ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES unset down down
GigabitEthernet0/1 unassigned YES unset administratively down down
GigabitEthernet0/2 unassigned YES unset administratively down down
GigabitEthernet0/3 unassigned YES unset administratively down down
GigabitEthernet0/4 unassigned YES unset administratively down down
GigabitEthernet0/5 unassigned YES unset administratively down down
GigabitEthernet0/6 unassigned YES unset administratively down down
GigabitEthernet0/7 unassigned YES unset administratively down down
TenGigabitEthernet1/0.1 10.100.1.1 YES CONFIG up up
TenGigabitEthernet1/0.2 10.100.2.1 YES CONFIG up up
TenGigabitEthernet1/0.3 10.100.3.1 YES CONFIG up up
TenGigabitEthernet1/0.4 10.100.4.1 YES CONFIG up up


FWL001/act/pri# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Management0/0 management 10.1.1.10 255.255.255.248 CONFIG
TenGigabitEthernet1/0.1 pub 10.100.1.1 255.255.255.0 CONFIG
TenGigabitEthernet1/0.2 prim 10.100.2.1 255.255.255.0 CONFIG
TenGigabitEthernet1/0.3 acs 10.100.3.1 255.255.255.0 CONFIG
TenGigabitEthernet1/0.4 priv 10.100.4.1 255.255.255.0 CONFIG


FWL001/act/pri# show nameif
Interface Name Security
Management0/0 management 100
TenGigabitEthernet1/0.1 pub 85
TenGigabitEthernet1/0.2 prim 80
TenGigabitEthernet1/0.3 acs 100
TenGigabitEthernet1/0.4 priv 95

Security levels decide the default policy when no access-group is bound to an interface: the ASA allows traffic initiated from a higher security level to a lower one and denies the reverse. With the levels above, a connection from priv (95) to pub (85) passes without an ACL, while pub to priv needs an explicit permit. Once an access-group is applied to an interface in a direction, that ACL decides and the security-level default no longer applies for that direction. Traffic between two interfaces with the same level is denied unless same-security-traffic permit inter-interface is configured.

Task 2: How to check routes and ARP on the ASA firewall

1. Check the active route in the routing table for a particular destination

FWL001/act/pri# show route 10.100.4.9

Routing entry for 10.100.4.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via priv
Route metric is 0, traffic share count is 1

2. Check whether a route for a specific destination is present in the running configuration. Here a host (/32) static route sends 10.70.4.9 out of priv via the next hop 10.100.4.2; this is a different destination from the directly connected host checked in step 1, and the next hop itself must be on a connected network.

FWL001/act/pri# show run route | include 10.70.4.9
route priv 10.70.4.9 255.255.255.255 10.100.4.2

3. Check whether the destination (or, when the route has a next hop, that next hop) is on a directly connected Layer 2 segment and whether its ARP entry has been learned by the firewall. The columns are interface, IP address, MAC address and the age of the entry in seconds.
FWL001/act/pri# show arp | include 10.100.4.9
priv 10.100.4.9 0050.5696.7e49 59
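The three checks above can be combined into one lookup that mimics what the ASA does in its route-lookup phase. The following Python is an added example, not a command or script from this page or from Cisco: it parses the show ip, show run route and show arp output formats shown above, performs a longest-prefix match over the connected networks and static routes (connected wins on a tie because its administrative distance is 0), and then looks up the ARP entry for the Layer 2 target, which is the destination itself on a connected network and the next hop otherwise. The default route, the second ARP entry and the unrouted destination 198.51.100.7 are constructed for the example; the other lines are copied from the page.

```python
import ipaddress
import re

# Sample `show ip` output, copied from the page.
SHOW_IP = """\
Interface Name IP address Subnet mask Method
Management0/0 management 10.1.1.10 255.255.255.248 CONFIG
TenGigabitEthernet1/0.1 pub 10.100.1.1 255.255.255.0 CONFIG
TenGigabitEthernet1/0.2 prim 10.100.2.1 255.255.255.0 CONFIG
TenGigabitEthernet1/0.3 acs 10.100.3.1 255.255.255.0 CONFIG
TenGigabitEthernet1/0.4 priv 10.100.4.1 255.255.255.0 CONFIG
"""

# Sample `show run route` output: the page's /32 plus a constructed default route.
SHOW_RUN_ROUTE = """\
route priv 10.70.4.9 255.255.255.255 10.100.4.2
route pub 0.0.0.0 0.0.0.0 10.100.1.254 1
"""

# Sample `show arp` output: the page's entry plus a constructed entry for the next hop.
SHOW_ARP = """\
priv 10.100.4.9 0050.5696.7e49 59
priv 10.100.4.2 0050.5696.0a1b 12
"""

IP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\S+$")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")
ARP_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)$")


def parse_routing_table(show_ip, show_run_route):
    """Return (network, interface, next_hop, distance) candidates.

    Connected networks come from the interface addresses (distance 0, no next hop);
    static routes come from `show run route` (distance 1, the ASA default)."""
    table = []
    for line in show_ip.splitlines():
        m = IP_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            table.append((net, m.group(2), None, 0))
    for line in show_run_route.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            table.append((net, m.group(1), m.group(4), 1))
    return table


def lookup(table, dst):
    """Longest prefix match; on equal prefix length the lower administrative
    distance wins. Returns (interface, next_hop, network) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifc, nh, dist in table:
        if addr in net and (best is None or (net.prefixlen, -dist) > (best[0].prefixlen, -best[3])):
            best = (net, ifc, nh, dist)
    return None if best is None else (best[1], best[2], best[0])


def parse_arp(show_arp):
    """Map IP -> (interface, MAC, age in seconds)."""
    return {m.group(2): (m.group(1), m.group(3), int(m.group(4)))
            for m in map(ARP_RE.match, show_arp.splitlines()) if m}


def trace_next_hop(table, arp, dst):
    """Route check followed by the ARP check for the Layer 2 target."""
    route = lookup(table, dst)
    if route is None:
        return {"route": None}
    ifc, nh, net = route
    l2_target = dst if nh is None else nh   # connected network: ARP for the host itself
    entry = arp.get(l2_target)
    return {
        "route": str(net), "egress": ifc,
        "next_hop": nh or "directly connected",
        "l2_target": l2_target,
        "mac": entry[1] if entry else None,
        "arp_interface_matches": bool(entry) and entry[0] == ifc,
    }


if __name__ == "__main__":
    routes = parse_routing_table(SHOW_IP, SHOW_RUN_ROUTE)
    arp_table = parse_arp(SHOW_ARP)
    for target in ("10.100.4.9", "10.70.4.9", "198.51.100.7"):
        print(target, trace_next_hop(routes, arp_table, target))
```

A mac of None for a routed destination means the next hop has not been resolved, which is the case to chase (wrong next hop, host down, or the next hop not on that interface's subnet) before looking at any ACL.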

Task 3: Capture packets on an ASA interface to check whether packets for a specific source and destination are seen by the ASA

1. Find the source and destination IP/subnet and, if possible, the TCP/UDP ports involved
2. Apply a capture on the incoming interface to check that the packets arrive from the source, then on the outgoing interface to check that they are sent out. Packets present on the ingress capture but absent from the egress capture were dropped by the ASA (use packet-tracer and show asp drop to find out why); packets never seen on ingress never reached the firewall.

FWL001/act/pri# capture <name of capture> interface <name of interface> match ip host <source ip> host <destination ip>

The match keyword matches the flow in both directions, so one capture shows requests and replies. Related commands: show capture lists the captures that exist, clear capture <name> empties a capture's buffer, and no capture <name> removes it. The buffer defaults to 512 KB and stops filling when full unless circular-buffer is specified, so remove captures once the troubleshooting is done.

For more options, use ? after each keyword on the firewall command line.

Example

FWL001/act/pri# capture mycap interface priv match ip host 172.22.161.78 host 10.70.4.9

3. View the capture on the CLI. In the output below both directions of the TCP/21 session and of the ICMP echo exchange are present, so packets between the two hosts are passing the priv interface both ways; the 802.1Q vlan#681 prefix is the VLAN tag of the subinterface the capture is applied to.

FWL001/act/pri# show cap <name of capture>

FWL001/act/pri# show cap mycap

19 packets captured

1: 09:05:04.909544 802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
2: 09:05:04.909758 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391851 win 14600
3: 09:06:04.945507 802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
4: 09:06:04.945736 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391851 win 14600
5: 09:07:04.764761 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: P 4084884520:4084884534(14) ack 1611391851 win 14600
6: 09:07:04.767477 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: F 4084884534:4084884534(0) ack 1611391851 win 14600
7: 09:07:04.802738 802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884535 win 3879
8: 09:07:04.804279 802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: FP 1611391851:1611391851(0) ack 4084884535 win 3879
9: 09:07:04.804417 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391852 win 14600
10: 12:02:38.681269 802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
11: 12:02:38.681605 802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
12: 12:02:38.721489 802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
13: 12:02:38.721611 802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
14: 12:02:38.761557 802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
15: 12:02:38.761648 802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
16: 12:02:38.801640 802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
17: 12:02:38.801731 802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
18: 12:02:38.841707 802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
19: 12:02:38.841814 802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
19 packets shown

4. Export the capture from the firewall to view it in Wireshark

Using HTTPS

If the HTTP server is enabled on the ASA (http server enable, with an http <address> <mask> <interface> line that allows your client), open the following URL in a browser and authenticate with an administrative account:

https://<ip address of asa>/capture/<capname>/pcap


Export via the copy command

copy /pcap capture:<name of capture> <destination>

where the destination can be one of the targets this ASA offered:

disk
flash
ftp
smb
system
tftp

ftp, smb and tftp transfer the file in clear text, and a capture carries packet payloads, so treat the exported file as sensitive and delete the copy from flash once it has been analysed.

Example

FWL001/act/pri# copy /pcap capture: flash:

Source capture name []? mycap

Destination filename [mycap]? mycap
!
19 packets copied in 0.10 secs

Task 4: Capture IPv6 traffic on the ASA firewall

1. Configure an access-list with the source and destination IP/subnet. A capture that uses an access-list only matches packets in the direction the ACE describes (unlike the match keyword used in Task 3), so add a second ACE for the return direction when both directions are needed.

ASA1(config)# access-list test-cap extended permit ip host 2005:200:802:689::1 any6
ASA1(config)# show access-list test-cap

access-list test-cap extended permit ip host 2005:200:802:689::1 any6

2. Reference the ACL in a capture on the interface, then confirm it is in place with show cap

FWL001(config)# capture test access-list test-cap interface outside
FWL001(config)# show cap
capture test access-list test-cap interface outside

3. Send test traffic (the success rate below shows that none of the five echoes got a reply)

FWL001(config)# ping outside 2005:200:802:689::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2005:200:802:689::6, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

4. View the capture. The ASA sent nine neighbor solicitations for 2005:200:802:689::6 to its solicited-node multicast address ff02::1:ff00:6, roughly one per second, and the ping got no reply, so the target is not resolving at Layer 2 on the outside segment (wrong address, host down, or a VLAN/link problem) rather than being blocked by firewall policy. Keep in mind that the ACE only matched packets from ::1, so an advertisement from ::6 would not have appeared in this capture anyway; add the reverse ACE if you need to see it.

FWL001(config)# show cap test

9 packets captured

1: 10:31:56.217441 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
2: 10:31:57.210285 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
3: 10:31:58.209950 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
4: 10:32:00.209950 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
5: 10:32:01.209904 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
6: 10:32:02.209950 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
7: 10:32:04.209950 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
8: 10:32:05.209904 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
9: 10:32:06.209965 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
9 packets shown
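Reading a capture by eye works for 19 packets but not for a full buffer. The following Python is an added example, not part of the page: it parses the show capture line format used in Task 3 and Task 4 (tcpdump-style, with the optional 802.1Q vlan prefix of a subinterface), groups packets into conversations, counts each direction, flags conversations that have packets in one direction only, and, for IPv6, lists neighbor solicitations that got no advertisement. The sample input is a subset of the page's two captures; the assumption that a neighbor advertisement prints as "neighbor adv: tgt is <address>" is not confirmed by the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the page's `show cap mycap` output (IPv4).
# The header/footer lines are kept so the parser's skipping of them is exercised.
SHOW_CAP_V4 = """\
19 packets captured
1: 09:05:04.909544 802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
2: 09:05:04.909758 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: . ack 1611391851 win 14600
5: 09:07:04.764761 802.1Q vlan#681 P0 10.70.4.9.21 > 172.22.161.78.51202: P 4084884520:4084884534(14) ack 1611391851 win 14600
8: 09:07:04.804279 802.1Q vlan#681 P6 172.22.161.78.51202 > 10.70.4.9.21: FP 1611391851:1611391851(0) ack 4084884535 win 3879
10: 12:02:38.681269 802.1Q vlan#681 P0 172.22.161.78 > 10.70.4.9: icmp: echo request
11: 12:02:38.681605 802.1Q vlan#681 P0 10.70.4.9 > 172.22.161.78: icmp: echo reply
19 packets shown
"""

# Constructed sample: a subset of the page's `show cap test` output (IPv6).
SHOW_CAP_V6 = """\
1: 10:31:56.217441 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
2: 10:31:57.210285 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
3: 10:31:58.209950 2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
"""

# One packet line: "<n>: <time> [802.1Q vlan#N Pn] <src> > <dst>: <protocol detail>"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+(?P<rest>.*)$"
)
NS_RE = re.compile(r"neighbor sol: who has (\S+)")
NA_RE = re.compile(r"neighbor adv: tgt is (\S+)")   # assumed advertisement format


@dataclass
class Packet:
    ts: str
    proto: str
    src: tuple   # (address, port); port 0 when the protocol has none
    dst: tuple
    info: str
    flags: str = ""   # TCP flag token as the ASA prints it: ".", "S", "P", "F", "FP", "R"


@dataclass
class Conversation:
    proto: str
    a: tuple   # endpoint that sent the first packet seen
    b: tuple
    a_to_b: int = 0
    b_to_a: int = 0
    tcp_flags: set = field(default_factory=set)


def _endpoint(token, has_port):
    """'10.70.4.9.21' -> ('10.70.4.9', 21); ICMP lines carry no port."""
    if not has_port:
        return token, 0
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # "N packets captured/shown" and blank lines
        rest = m.group("rest")
        if rest.startswith("icmp6"):
            proto, has_port = "icmp6", False
        elif rest.startswith("icmp"):
            proto, has_port = "icmp", False
        elif rest.startswith("udp"):
            proto, has_port = "udp", True
        else:
            proto, has_port = "tcp", True
        pkt = Packet(m.group("ts"), proto, _endpoint(m.group("src"), has_port),
                     _endpoint(m.group("dst"), has_port), rest)
        if proto == "tcp":
            pkt.flags = rest.split()[0]   # first token of a TCP line is the flag set
        packets.append(pkt)
    return packets


def conversations(packets):
    """Group packets by unordered endpoint pair and count each direction."""
    convs = {}
    for p in packets:
        key = (p.proto, tuple(sorted([p.src, p.dst])))
        c = convs.setdefault(key, Conversation(p.proto, p.src, p.dst))
        if p.src == c.a:
            c.a_to_b += 1
        else:
            c.b_to_a += 1
        if p.flags:
            c.tcp_flags.add(p.flags)
    return list(convs.values())


def one_way(convs):
    """Conversations seen in one direction only: the reply never reached this
    interface, was dropped before it, or the capture ACL matched one direction."""
    return [c for c in convs if c.a_to_b == 0 or c.b_to_a == 0]


def unanswered_neighbor_solicitations(packets):
    """Target address -> number of solicitations for which no advertisement was seen."""
    asked, answered = {}, set()
    for p in packets:
        if p.proto != "icmp6":
            continue
        if (m := NS_RE.search(p.info)):
            asked[m.group(1)] = asked.get(m.group(1), 0) + 1
        elif (m := NA_RE.search(p.info)):
            answered.add(m.group(1))
    return {t: n for t, n in asked.items() if t not in answered}


if __name__ == "__main__":
    for text in (SHOW_CAP_V4, SHOW_CAP_V6):
        pk = parse_capture(text)
        for c in conversations(pk):
            print(c.proto, c.a, "->", c.b, c.a_to_b, "/", c.b_to_a, sorted(c.tcp_flags))
        print("one-way:", [(c.proto, c.a, c.b) for c in one_way(conversations(pk))])
        print("unanswered ND:", unanswered_neighbor_solicitations(pk))
```

Run it on the ingress and egress captures of the same flow: a conversation that is two-way on ingress and one-way on egress points at a drop inside the ASA, while one that is one-way on ingress means the reply never arrived at the firewall.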

Task 5: Troubleshooting access problems using packet-tracer

Packet-tracer is available both from the CLI and in ASDM. The ASDM version adds the ability to navigate quickly to the failed policy.

Here is the CLI syntax:

packet-tracer input <src_interface> {tcp | udp | icmp} <src_addr> <src_port> <dest_addr> <dest_port> [detailed]

For icmp the two port fields are the ICMP type and code. Use the interface the real packet enters on and the real source and destination ports, because the route lookup, the ACL evaluation and the NAT phases all depend on them.

Example output is shown below, and it illustrates some of the tool's most useful features: it shows not only the result of the ACL evaluation but the specific ACE that permits or denies the packet, including a hit on the implicit deny. Read the phases top to bottom: the first phase whose Result is DROP is the one that stopped the packet, and the closing Result block then carries Action: drop together with a Drop-reason line naming the cause, for example (acl-drop) Flow is denied by configured rule. In the trace below every phase allows the packet and the final Action is allow.

FWL001#packet-tracer input pub tcp 10.140.0.17 1002 10.70.4.46 1002 det

Phase: 1
Type: CAPTURE <- a capture is configured for this traffic
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffc26734a0, priority=13, domain=capture, deny=false
hits=14633546662, user_data=0x7fffc2705270, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=pub, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff96dd8fa0, priority=1, domain=permit, deny=false
hits=51585156773, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=pub, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.4.2 using egress ifc priv

Phase: 4
Type: ACCESS-LIST <- Ingress interface ACL check
Subtype: log
Result: ALLOW
Config:
access-group pub_access_in in interface pub
access-list pub_access_in extended permit tcp object-group HP_HG object H_AD object-group HP_SERVICES
access-list pub_access_in remark Discription: HP connectivity
object-group network HP_HG
network-object object H_10.140.0.14
network-object object H_10.140.0.12
network-object object H_10.140.0.17
network-object object H_10.140.0.18
object-group service HP_SERVICES tcp
port-object eq 1002
port-object eq 3001
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcaa13670, priority=13, domain=permit, deny=false
hits=9, user_data=0x7fff9c531440, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.140.0.17, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.70.4.46, mask=255.255.255.255, port=1002, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff85712500, priority=7, domain=conn-set, deny=false
hits=1584067435, user_data=0x7fff856f7810, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffb53214a0, priority=0, domain=nat-per-session, deny=false
hits=2548149073, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff96ddf3b0, priority=0, domain=inspect-ip-options, deny=true
hits=1484564486, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff96dd5870, priority=20, domain=lu, deny=false
hits=1214058922, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff856dffc0, priority=0, domain=user-statistics, deny=false
hits=88671632, user_data=0x7fff8ab43b20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=priv

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffb53214a0, priority=0, domain=nat-per-session, deny=false
hits=2548149075, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffbedf4c40, priority=0, domain=inspect-ip-options, deny=true
hits=88125839, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=priv, output_ifc=any

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff856e82d0, priority=0, domain=user-statistics, deny=false
hits=1780977342, user_data=0x7fff8ab43b20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=pub

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2406214503, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: pub
input-status: up
input-line-status: up
output-interface: priv
output-status: up
output-line-status: up
Action: allow
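When a trace fails, the interesting part is the first DROP phase and its Config section. The following Python is an added example and not part of the page or of Cisco's tooling: it splits packet-tracer output into phases, keeps each phase's Type, Result, Config and Additional Information lines, and reports the failing phase, the policy lines that decided it, and the Drop-reason from the closing Result block. The sample trace is constructed for the example (a shortened two-phase trace of a flow denied by an explicit deny ACE); its Drop-reason text is the wording the ASA uses for ACL drops.

```python
import re

# Constructed sample: a shortened packet-tracer output for a denied flow.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.4.2 using egress ifc priv

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group pub_access_in in interface pub
access-list pub_access_in extended deny ip any any log
Additional Information:

Result:
input-interface: pub
input-status: up
input-line-status: up
output-interface: priv
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s+(\d+)$")
KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason|input-interface|output-interface):\s*(.*)$")


def parse_packet_tracer(text):
    """Return (phases, final): each phase is a dict with phase, type, subtype, result,
    config (lines) and info (lines); final holds the closing Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":            # closing summary block has no value after the colon
            cur, section = None, None
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        m = KV_RE.match(line)
        if m and cur is not None and section is None:
            cur[m.group(1).lower()] = m.group(2)
        elif m and cur is None:
            final[m.group(1).lower().replace("-", "_")] = m.group(2)
        elif cur is not None and section and line:
            cur[section].append(line)   # ACE, object-group or policy lines, or lookup details
    return phases, final


def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def explain(text):
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return {"action": final.get("action"), "phases": len(phases), "failed_phase": None}
    return {
        "action": final.get("action"),
        "phases": len(phases),
        "failed_phase": drop["phase"],
        "type": drop["type"],
        "config": drop["config"],        # the policy lines that decided the verdict
        "drop_reason": final.get("drop_reason"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(explain(SAMPLE_TRACE), indent=2))
```

An ACCESS-LIST phase with an empty Config section and "Implicit Rule" in the lines above it is the implicit deny at the end of the interface ACL; an explicit ACE, as in the sample, names the rule that needs to change.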
