Cisco ASA Troubleshooting with Capture and Tracer

Packet Capture and Packet Tracer are tools that allow quick diagnosis of ASA traffic issues. Packet Capture records every
packet matching your query on a given interface. Packet Tracer simulates the ASA's processing of a flow you specify and reports the result of each phase (ACL, NAT, and so on).

Syslog traffic from Host is failing to reach the logging Host at . The traffic transits an ASA, entering
on "dmz3" and exiting on "inside".

[Figure: Syslog Traffic]

Verify Configuration
ASA# packet-tracer input dmz3 udp syslog syslog detailed
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
static (dmz2,dmz3)
match ip dmz2 host dmz3 host
static translation to
translate_hits = 0, untranslate_hits = 161075915
Additional Information:
NAT divert to egress interface dmz2
Untranslate to using netmask

Packet Tracer reports the traffic as allowed, but the static NAT entry diverts it to egress interface dmz2 instead of inside, which is a misconfiguration.
ASA# sh run static | incl
static (dmz2,dmz3)

Update Configuration
no static (dmz2,dmz3)
static (inside,dmz3)

Verify Operation
Configure an access-list that matches the traffic flow.
access-list pixsys extended permit udp host host eq syslog
Configure a capture on the ingress interface using that access-list.
capture pixcapin access-list pixsys interface dmz3
Configure a capture on the egress interface using the same access-list.
capture pixcapout access-list pixsys interface inside
View inbound syslog traffic from to
ASA# show capture pixcapin
111 packets captured
1: 11:02:18.189107 802.1Q vlan#40 P0 > udp 196
2: 11:02:18.189794 802.1Q vlan#40 P0 > udp 88
3: 11:02:18.190038 802.1Q vlan#40 P0 > udp 144
4: 11:02:18.191014 802.1Q vlan#40 P0 > udp 139
5: 11:02:18.191365 802.1Q vlan#40 P0 > udp 108

View outbound syslog traffic from to
Before NAT update:
ASA# show capture pixcapout
0 packet captured
After NAT update:
ASA# show capture pixcapout
142 packets captured
1: 11:19:33.541887 802.1Q vlan#10 P0 > udp 164
2: 11:19:33.542040 802.1Q vlan#10 P0 > udp 131
3: 11:19:33.542070 802.1Q vlan#10 P0 > udp 128
4: 11:19:33.542421 802.1Q vlan#10 P0 > udp 192
5: 11:19:33.542833 802.1Q vlan#10 P0 > udp 160
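The two checks above (the Packet Tracer NAT-divert verdict and the ingress/egress capture comparison) scripted as an added example; this is not code from the original page or from Cisco. The embedded packet-tracer and show capture samples are constructed in the ASA output format, with documentation-range addresses and made-up packet counts as placeholders.

```python
import re

# Constructed packet-tracer excerpt modelled on the page's Phase 3 output (addresses omitted).
TRACER = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
NAT divert to egress interface dmz2
"""
# Constructed 'show capture' output (placeholder addresses and lengths).
CAP_IN = """\
3 packets captured
1: 11:02:18.189107 802.1Q vlan#40 P0 192.0.2.10.514 > 198.51.100.5.514: udp 196
2: 11:02:18.189794 802.1Q vlan#40 P0 192.0.2.10.514 > 198.51.100.5.514: udp 88
3: 11:02:18.190038 802.1Q vlan#40 P0 192.0.2.10.514 > 198.51.100.5.514: udp 144
"""
CAP_OUT_BEFORE = "0 packet captured\n"   # egress capture before the NAT fix

# One capture line: "<n>: <time> [802.1Q vlan#N PX] <src> > <dst>: <proto> <len>"
PKT_RE = re.compile(r"^\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?([^\s:]+) > ([^\s:]+): (\w+) (\d+)$")

def tracer_verdict(text: str, expected_egress: str) -> dict:
    """Return the tracer result and whether NAT diverts the flow away from the expected egress."""
    result = re.search(r"^Result: (\w+)", text, re.M)
    divert = re.search(r"NAT divert to egress interface (\S+)", text)
    egress = divert.group(1) if divert else None
    return {"allowed": bool(result and result.group(1) == "ALLOW"),
            "egress": egress,
            "nat_misdirected": egress is not None and egress != expected_egress}

def parse_capture(text: str) -> list:
    """Parse 'show capture' lines into (src, dst, proto, length) tuples; the header is skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            pkts.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return pkts

def compare_captures(ingress: str, egress: str) -> str:
    """Classify the flow from an ingress/egress capture pair, as the before/after check does."""
    n_in, n_out = len(parse_capture(ingress)), len(parse_capture(egress))
    if n_in == 0:
        return "no traffic reaching ingress interface"
    if n_out == 0:
        return "traffic enters but never leaves: check NAT/ACL with packet-tracer"
    return f"forwarded ({n_out}/{n_in} packets seen on egress)"
```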

