北京思科防火墙代理商：思科ASA防火墙检查命令

北京思科防火墙经销商：假如我们有一台ASA防火墙，为了检查一个网络访问是否被防火墙放行，该怎么办呢？北京思科防火墙经销商告诉我们，请用这个命令：packet-tracer！packet-tracer在ASA防火墙上模拟一个网络访问被处理的全部流程，检查防火墙对该访问执行了哪些策略，最后输出检查结果。下面北京思科防火墙经销商就来为大家举例说明下：

例1：

FW01# packet-tracer input inside tcp 1.1.1.1 56789 2.2.2.2 22 detail

命令说明：input方向为inside接口，源地址和端口为1.1.1.1:56789，目的地址和端口为2.2.2.2:22，output方向会自动查找目的地址的路由条目，所以不需要定义。

输出结果：

Phase: 1（阶段一，查路由）
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 10.1.1.1, outside（匹配路由）

Phase: 2（阶段二，input方向ACL）
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip any any （匹配ACL）
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf87f050, priority=13, domain=permit, deny=false
        hits=5053779736, user_data=0x7ffec761b280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3（阶段三，NAT策略）
Type: NAT     
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffece8da350, priority=0, domain=nat-per-session, deny=false
        hits=23465776598, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf5db590, priority=0, domain=inspect-ip-options, deny=true
        hits=13598439750, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
              
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf5a5520, priority=20, domain=lu, deny=false
        hits=3086520077, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffece8da350, priority=0, domain=nat-per-session, deny=false
        hits=23465776600, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffecf374e10, priority=0, domain=inspect-ip-options, deny=true
        hits=12509325332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 592535567, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:（结果）
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow（该网络访问数据包被防火墙放行）

例2：
FW01# packet-tracer input outside tcp 10.1.1.1 56789 1.1.1.1 22 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 10.2.2.1, outside
Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP（该访问数据包被丢弃）
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecfc29940, priority=111, domain=permit, deny=true
        hits=12689074, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
（从例2可以看到，该网络访问失败，原因是被ACL拒绝；）

北京思科防火墙经销商表示，该命令可以对多种协议类型进行检查，如ICMP,TCP,UDP,RAWIP,VLAN,VXLAN等，源目地址可以是IP和端口号，也可以是MAC地址或带用户名访问链接。

 

本页面资讯网址：http://www.fuhai31.com/detail/1525532.html