
Cisco ASA Troubleshooting With Capture and Tracer

Packet capture and packet tracer tools were used to troubleshoot failing syslog traffic on an ASA. Packet tracing showed the traffic was allowed but NAT was diverting it incorrectly. The static NAT rule was configured with the wrong interfaces and was updated to resolve the issue. Packet captures on the ingress and egress interfaces confirmed traffic was now successfully transiting the ASA.
Copyright
© Attribution Non-Commercial (BY-NC)

Cisco ASA Troubleshooting with Capture and Tracer

Packet Capture and Packet Tracer are tools that allow quick diagnosis of ASA traffic issues. Packet Capture provides a log
of all traffic matching your query. Packet Tracer runs a test of the ASA rules against your indicated traffic flow.

Scenario
Syslog traffic from Host 10.10.40.10 is failing to reach the logging Host at 10.10.20.10. Traffic transits an ASA, entering
on "dmz3" and exiting on "inside".

[Diagram: syslog traffic from 10.10.40.10 enters the ASA on dmz3 and exits on inside toward the logging host 10.10.20.10]

Verify Configuration
ASA# packet-tracer input dmz3 udp 10.10.40.10 syslog 10.10.20.10 syslog detailed
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz2,dmz3) 10.10.20.10
nat-control
match ip dmz2 host 10.10.20.10 dmz3 host 10.10.40.10
static translation to 10.10.20.10
translate_hits = 0, untranslate_hits = 161075915
Additional Information:
NAT divert to egress interface dmz2
Untranslate 10.10.20.10/0 to 10.10.20.10/0 using netmask 255.255.255.255

Traffic is allowed, but the static rule names dmz2 as the real interface for 10.10.20.10, so NAT diverts the flow to dmz2 instead of inside, where the logging host actually sits.
ASA# sh run static | incl 10.10.20.10
static (dmz2,dmz3) 10.10.20.10

Update Configuration
no static (dmz2,dmz3) 10.10.20.10
static (inside,dmz3) 10.10.20.10
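Reading a packet-tracer trace by hand is easy for one flow but error-prone across many. The following added example (not part of the original document) parses the "detailed" output shown above and flags the case where every phase says ALLOW yet the NAT divert interface is not the expected egress interface. TRACE_BEFORE is copied from the page; TRACE_AFTER is a constructed trace assuming the corrected static rule.

```python
import re

# Packet-tracer output copied from the page (before the NAT fix).
TRACE_BEFORE = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz2,dmz3) 10.10.20.10
match ip dmz2 host 10.10.20.10 dmz3 host 10.10.40.10
Additional Information:
NAT divert to egress interface dmz2
"""

# Constructed (assumed) output after "static (inside,dmz3) 10.10.20.10".
TRACE_AFTER = TRACE_BEFORE.replace("dmz2", "inside")

DIVERT_RE = re.compile(r"NAT divert to egress interface (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\)")


def parse_phases(text):
    """Split packet-tracer output into phases, keeping each phase's lines."""
    phases, cur = [], None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "result": None, "lines": []}
            phases.append(cur)
        elif cur is not None:
            if line.startswith("Result:"):
                cur["result"] = line.split(":", 1)[1].strip()
            cur["lines"].append(line)
    return phases


def check_nat_divert(text, expected_egress):
    """Report whether the flow is allowed AND diverted to the expected interface."""
    phases = parse_phases(text)
    allowed = bool(phases) and all(p["result"] == "ALLOW" for p in phases)
    divert, static = None, None
    for line in (l for p in phases for l in p["lines"]):
        if m := DIVERT_RE.match(line):
            divert = m.group(1)
        if m := STATIC_RE.match(line):
            static = (m.group(1), m.group(2))  # (real, mapped) interfaces
    return {"allowed": allowed, "divert": divert, "static": static,
            "ok": allowed and divert == expected_egress}
```

An "allowed but not ok" result is exactly the condition on this page: the rule base passes the packet while the NAT rule sends it out the wrong interface.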

Morgan Stepp CCIE #12603 | morganstepp@yahoo.com

Page 1 of 2

Verify Operation
Configure access-list to match traffic flow.
access-list pixsys extended permit udp host 10.10.40.10 host 10.10.20.10 eq syslog
Configure capture to match ingress interface.
capture pixcapin access-list pixsys interface dmz3
Configure capture to match egress interface.
capture pixcapout access-list pixsys interface inside
View inbound syslog traffic from 10.10.40.10 to 10.10.20.10:
ASA# show capture pixcapin
111 packets captured
1: 11:02:18.189107 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 196
2: 11:02:18.189794 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 88
3: 11:02:18.190038 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 144
4: 11:02:18.191014 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 139
5: 11:02:18.191365 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 108

View outbound syslog traffic from 10.10.40.10 to 10.10.20.10:


Before NAT update:
ASA# show capture pixcapout
0 packet captured
After NAT update:
ASA# show capture pixcapout
142 packets captured
1: 11:19:33.541887 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 164
2: 11:19:33.542040 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 131
3: 11:19:33.542070 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 128
4: 11:19:33.542421 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 192
5: 11:19:33.542833 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 160
