Diagnosing Why Cisco ASA Denies Traffic

Tags: cisco, cisco-asa, firewall, Security

I have a Cisco ASA, which is denying traffic from 172.16.1.5 to 4.2.2.2 on tcp/9000.

How can I diagnose why this is happening from the Cisco ASA CLI?

Best Answer

The easiest way to figure out why your ASA drops traffic:
Using packet-tracer (only on routed ASA firewalls):

Routed firewalls give us the most information when we need to figure out why something was dropped; it's best to use packet-tracer to figure out why the routed firewall dropped something (although it won't catch every possible case).

I'm assuming 172.16.1.5's source port is 1024 for the purposes of getting a diagnosis... The syntax is packet-tracer input INSIDE tcp [SRC_HOST] [SRC_PORT] [DST_HOST] [DST_PORT]

asa-fw# packet-tracer input INSIDE tcp 172.16.1.5 1024 4.2.2.2 9000

!!! output truncated

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP                                            <---- ASA Dropped the traffic
Config:
access-group INSIDE_in in interface INSIDE
access-list INSIDE_in extended deny ip any4 any4 log    <---- This rule denied the traffic
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule   <----

asa-fw#

Using capture [NAME] asp-drop (routed or transparent ASA firewalls):

Transparent firewalls are trickier to diagnose, but you can still get some useful information with the capture ... asp-drop command. The ASP is the ASA's "Accelerated Security Path"; this is where many drops happen. I have seen some dropped traffic that doesn't show in asp-drop, but usually that's because of an overwhelmed backplane in the ASA.

There are four steps...

  1. Configure a packet capture buffer on the ASA. For tcp traffic, the syntax is capture [CAPTURE_NAME] type asp-drop all buffer [BUFFER_SIZE] match tcp host [SRC_HOST] host [DST_HOST] eq [DST_PORT]
  2. Wait for the denied traffic
  3. show capture [NAME] trace to understand why the traffic was denied.
  4. Remove the capture with no capture [CAPTURE_NAME]

This is an example which shows traffic to 4.2.2.2 on tcp/9000 is denied by a configured firewall rule.

asa-fw# capture DENY type asp-drop all buffer 500000 match tcp host 172.16.1.5 host 4.2.2.2 eq 9000
asa-fw# sh capture DENY trace

1 packet captured

   1: 06:13:43.434761       802.1Q vlan#200 P0 172.16.1.5.33489 > 4.2.2.2.9000: S 
   884023774:884023774(0) win 14600 <mss 1460,sackOK,timestamp 67442169 0,nop,wscale 7> 
   Drop-reason: (acl-drop) Flow is denied by configured rule
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1 packet shown
asa-fw# no capture DENY

When you finish, be sure to unconfigure the capture with no capture DENY.
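When the same diagnosis has to be run across many flows or firewalls, the packet-tracer output above is regular enough to parse. The following is an added example, not part of the answer or of any Cisco tool: it takes a constructed packet-tracer transcript in the shape shown above (with an ALLOW phase added for contrast), finds the first phase that reported DROP, and pulls out the access-list lines from that phase's Config section together with the final Drop-reason.

```python
import re

# Constructed sample in the shape of the packet-tracer output quoted above (ALLOW phase added for contrast).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc OUTSIDE

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
access-group INSIDE_in in interface INSIDE
access-list INSIDE_in extended deny ip any4 any4 log
Additional Information:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
FIELD = re.compile(r"^(Phase|Type|Subtype|Result): (\S.*)$")

def parse_phases(text):
    """One dict per phase: number, type, subtype, result and the lines under Config:."""
    phases, in_config = [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Phase":
            phases.append({"phase": int(m.group(2)), "config": []})
            in_config = False
        elif not phases:
            continue                      # text before the first phase
        elif m:
            phases[-1][m.group(1).lower()] = m.group(2)
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"
        elif in_config and line:
            phases[-1]["config"].append(line)
    return phases

def diagnose(text):
    """First DROP phase with its access-list lines and the final Drop-reason; None if allowed."""
    reason = re.search(r"^Drop-reason: (.+)$", text, re.M)
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            return {"phase": p["phase"], "type": p.get("type"),
                    "rules": [c for c in p["config"] if c.startswith("access-list ")],
                    "drop_reason": reason.group(1) if reason else None}
    return None
```

Feed it the text captured from `packet-tracer ... ` over SSH and you get the dropping phase, the ACE that matched and the Drop-reason in one structure.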
