Beijing Cisco Firewall Reseller: Cisco ASA Firewall Check Command
Example 1:
FW01# packet-tracer input inside tcp 1.1.1.1 56789 2.2.2.2 22 detail
Command notes: the input direction is the inside interface, the source address and port are 1.1.1.1:56789, and the destination address and port are 2.2.2.2:22. The output direction is resolved automatically from the route lookup for the destination address, so it does not need to be specified.
Output:
Phase: 1 (phase one: route lookup)
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 10.1.1.1, outside (matched route)
Phase: 2 (phase two: ACL in the input direction)
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip any any (matched ACL entry)
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf87f050, priority=13, domain=permit, deny=false
hits=5053779736, user_data=0x7ffec761b280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3 (phase three: NAT policy)
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffece8da350, priority=0, domain=nat-per-session, deny=false
hits=23465776598, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf5db590, priority=0, domain=inspect-ip-options, deny=true
hits=13598439750, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf5a5520, priority=20, domain=lu, deny=false
hits=3086520077, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffece8da350, priority=0, domain=nat-per-session, deny=false
hits=23465776600, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffecf374e10, priority=0, domain=inspect-ip-options, deny=true
hits=12509325332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 592535567, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result: (final result)
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow (the packet is permitted through the firewall)
Example 2:
FW01# packet-tracer input outside tcp 10.1.1.1 56789 1.1.1.1 22 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 10.2.2.1, outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP (the packet is dropped)
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecfc29940, priority=111, domain=permit, deny=true
hits=12689074, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=outside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
(Example 2 shows that this access attempt fails because it is denied by the ACL.)
The Beijing Cisco firewall reseller notes that this command can test multiple protocol types, such as ICMP, TCP, UDP, RAWIP, VLAN and VXLAN; the source and destination can be given as IP addresses with port numbers, or as MAC addresses or user-qualified (username-based) connections.
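Reading long packet-tracer output by hand is error-prone when a phase other than the ACL drops the packet. The following Python script is an added example, not code from the original post: it parses output in the Phase/Type/Result format shown in examples 1 and 2 above into per-phase records and reports the final action together with the first phase that returned DROP. The sample output is constructed and abbreviated from example 2.

```python
import re
# Constructed sample modelled on the page's example 2 (abbreviated); not real device output.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 10.2.2.1, outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary dict."""
    phases, summary, cur, bucket = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"Phase:\s*(\d+)$", line):
            cur = {"phase": int(m[1]), "Config": [], "Additional Information": []}
            phases.append(cur)
            bucket = None
        elif line == "Result:":          # a bare "Result:" opens the final summary block
            cur = None
        elif cur is None:                # summary lines such as "Action: drop"
            k, _, v = line.partition(":")
            summary[k.strip()] = v.strip()
        elif line in ("Config:", "Additional Information:"):
            bucket = cur[line[:-1]]      # following lines belong to this section
        elif re.match(r"(Type|Subtype|Result):", line):
            k, _, v = line.partition(":")
            cur[k] = v.strip()
        elif bucket is not None:
            bucket.append(line)
    return phases, summary

def verdict(text):
    """Final action plus the phase (if any) that dropped the packet and its drop reason."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    return {"action": summary.get("Action"),
            "drop_phase": None if drop is None else f'{drop["phase"]} {drop["Type"]}',
            "drop_reason": summary.get("Drop-reason")}
```

Pasting the full output of either example above into verdict() yields the same kind of summary; for example 1 the drop_phase is None and the action is allow.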