Cisco ASA Troubleshooting with Capture and Tracer

Packet capture and packet-tracer are the two tools that let you diagnose an ASA traffic problem quickly. Packet capture records the packets matching an access-list on a named interface, so you can see what actually arrived and what actually left. Packet-tracer injects a synthetic packet for the flow you describe and reports the verdict of every processing phase (route lookup, access-list, NAT, inspection), so you can see which rule a packet hits without waiting for live traffic.

Scenario
Syslog traffic from Host 10.10.40.10 is failing to reach the logging Host at 10.10.20.10. Traffic transits an ASA, entering
on "dmz3" and exiting on "inside".

[Diagram: syslog traffic from 10.10.40.10 enters the ASA on dmz3 and should exit on inside toward 10.10.20.10]

Verify Configuration
ASA# packet-tracer input dmz3 udp 10.10.40.10 syslog 10.10.20.10 syslog detailed
(earlier phases omitted; only the NAT phase is shown)
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz2,dmz3) 10.10.20.10
nat-control
match ip dmz2 host 10.10.20.10 dmz3 host 10.10.40.10
static translation to 10.10.20.10
translate_hits = 0, untranslate_hits = 161075915
Additional Information:
NAT divert to egress interface dmz2
Untranslate 10.10.20.10/0 to 10.10.20.10/0 using netmask 255.255.255.255

Packet-tracer reports ALLOW, but the UN-NAT phase shows the flow being diverted to dmz2 rather than inside. In the static (real_ifc,mapped_ifc) syntax the first interface is the real side of the translated host, so this entry tells the ASA that 10.10.20.10 lives behind dmz2, and the large untranslate_hits counter shows the flow has been hitting it. A Result of ALLOW only means no phase dropped the packet; always check the egress interface reported by the NAT and route phases.
ASA# sh run static | incl 10.10.20.10
static (dmz2,dmz3) 10.10.20.10

Update Configuration
no static (dmz2,dmz3) 10.10.20.10
static (inside,dmz3) 10.10.20.10
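The check just performed, reading the packet-tracer phases and comparing the NAT divert interface against the interface the flow should leave on, can be scripted. The following is an added example, not part of the original note: a small Python parser for packet-tracer "detailed" output. BEFORE_FIX is the phase shown above; AFTER_FIX is an assumed rendering of the same phase once the static is corrected, and the function names parse_phases, nat_divert_interface, hit_counters and check_egress are mine.

```python
"""Check the egress interface that ASA packet-tracer reports for a flow.

Added example, not from the original note. Parses the text of
`packet-tracer ... detailed` output, collects every phase, and flags the
case on the page: the flow is ALLOWed, yet a NAT phase diverts it to an
interface other than the one it is supposed to leave on.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the UN-NAT phase from the note (egress diverted to dmz2).
BEFORE_FIX = """\
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (dmz2,dmz3) 10.10.20.10
nat-control
match ip dmz2 host 10.10.20.10 dmz3 host 10.10.40.10
static translation to 10.10.20.10
translate_hits = 0, untranslate_hits = 161075915
Additional Information:
NAT divert to egress interface dmz2
Untranslate 10.10.20.10/0 to 10.10.20.10/0 using netmask 255.255.255.255
"""

# Assumed rendering of the same phase after "static (inside,dmz3) 10.10.20.10"
# is applied; not captured from a box.
AFTER_FIX = (
    BEFORE_FIX.replace("(dmz2,dmz3)", "(inside,dmz3)")
    .replace("match ip dmz2", "match ip inside")
    .replace("egress interface dmz2", "egress interface inside")
)


@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_phases(text):
    """Split packet-tracer output into one Phase per 'Phase: N' block."""
    phases, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if value:
                cur.result = value
            else:
                cur = None  # a bare "Result:" starts the final summary block
        elif line.startswith("Type:"):
            cur.ptype = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            cur.subtype = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config" and line:
            cur.config.append(line)
        elif section == "info" and line:
            cur.info.append(line)
    return phases


def nat_divert_interface(phases):
    """Interface a NAT phase diverts the flow to, or None if no divert."""
    for p in phases:
        for line in p.info:
            m = re.match(r"NAT divert to egress interface (\S+)", line)
            if m:
                return m.group(1)
    return None


def hit_counters(phases):
    """(translate_hits, untranslate_hits) for every phase that reports them."""
    hits = []
    for p in phases:
        for line in p.config:
            m = re.match(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)", line)
            if m:
                hits.append((int(m.group(1)), int(m.group(2))))
    return hits


def check_egress(text, expected_egress):
    """Return (ok, diverted_to): ok is False if any phase drops the flow or
    NAT diverts it to an interface other than expected_egress."""
    phases = parse_phases(text)
    diverted = nat_divert_interface(phases)
    denied = any(p.result.upper() == "DROP" for p in phases)
    ok = not denied and (diverted is None or diverted == expected_egress)
    return ok, diverted


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        ok, via = check_egress(sample, "inside")
        print(label, "ok" if ok else "WRONG EGRESS", "divert ->", via, hit_counters(parse_phases(sample)))
```

Feed it the saved output of `packet-tracer ... detailed` and the interface you expect in the Result block; a False verdict with a non-None interface is exactly the misrouted-by-NAT case on this page.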

Morgan Stepp CCIE #12603 | morganstepp@yahoo.com


Verify Operation
Configure access-list to match traffic flow.
access-list pixsys extended permit udp host 10.10.40.10 host 10.10.20.10 eq syslog
Configure capture to match ingress interface.
capture pixcapin access-list pixsys interface dmz3
Configure capture to match egress interface.
capture pixcapout access-list pixsys interface inside
Captures stay active and hold packets in memory until removed; when finished, remove them with "no capture pixcapin" and "no capture pixcapout" and delete the access-list. Use "clear capture pixcapin" (and the same for pixcapout) to zero the counters between tests so before and after counts are not mixed.
View inbound syslog traffic from 10.10.40.10 to 10.10.20.10 (the 802.1Q tag shows dmz3 is the VLAN 40 subinterface):
ASA# show capture pixcapin
111 packets captured
1: 11:02:18.189107 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 196
2: 11:02:18.189794 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 88
3: 11:02:18.190038 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 144
4: 11:02:18.191014 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 139
5: 11:02:18.191365 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 108

View outbound syslog traffic from 10.10.40.10 to 10.10.20.10:
Before NAT update:
ASA# show capture pixcapout
0 packet captured
After NAT update:
ASA# show capture pixcapout
142 packets captured
1: 11:19:33.541887 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 164
2: 11:19:33.542040 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 131
3: 11:19:33.542070 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 128
4: 11:19:33.542421 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 192
5: 11:19:33.542833 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 160
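The ingress-versus-egress comparison above is the heart of the verification: packets on pixcapin with nothing on pixcapout means the ASA dropped or diverted them. As an added example (not part of the original note), the following Python code parses the packet lines that "show capture" prints, checks that every packet really is the flow the access-list was meant to isolate, and returns a verdict from the two counts. The sample captures are constructed in the page's format with made-up counts and timestamps, and the names parse_capture, off_flow and compare are mine.

```python
"""Compare ASA ingress and egress captures for one flow.

Added example, not from the original note. Parses `show capture <name>`
output, rejects packets that are not the flow under test (a sign the capture
access-list is wider than intended), and reports whether packets seen on the
ingress capture also appear on the egress capture.
"""
import re

# Constructed samples in the format of the note's capture output (counts and
# timestamps are made up; the flow is the one under test).
INGRESS = """\
3 packets captured
1: 11:02:18.189107 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 196
2: 11:02:18.189794 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 88
3: 11:02:18.190038 802.1Q vlan#40 P0 10.10.40.10.514 > 10.10.20.10.514: udp 144
"""
EGRESS_BEFORE = "0 packet captured\n"
EGRESS_AFTER = """\
3 packets captured
1: 11:19:33.541887 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 164
2: 11:19:33.542040 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 131
3: 11:19:33.542070 802.1Q vlan#10 P0 10.10.40.10.514 > 10.10.20.10.514: udp 128
"""

HEADER = re.compile(r"^\s*(\d+) packets? captured")
PACKET = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"  # tag absent on untagged interfaces
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)"
)


def parse_capture(text):
    """Return (count from the 'N packets captured' header, list of packet dicts).

    The header count is used for totals because the ASA may list fewer
    packets than it holds (e.g. when the output is filtered)."""
    count, packets = 0, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = PACKET.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "length"):
                d[key] = int(d[key])
            d["vlan"] = int(d["vlan"]) if d["vlan"] else None
            packets.append(d)
    return count, packets


def off_flow(packets, src, dst, proto, dport):
    """Packets that are not the flow being tested. Assumes the NAT is an
    identity translation, as on this page, so addresses are unchanged on egress."""
    return [p for p in packets
            if (p["src"], p["dst"], p["proto"], p["dport"]) != (src, dst, proto, dport)]


def compare(ingress_text, egress_text, src, dst, proto="udp", dport=514):
    """Verdict for one flow from its ingress and egress captures."""
    in_count, in_pkts = parse_capture(ingress_text)
    out_count, out_pkts = parse_capture(egress_text)
    if off_flow(in_pkts + out_pkts, src, dst, proto, dport):
        verdict = "capture access-list matches other traffic"
    elif in_count == 0:
        verdict = "nothing arrived on ingress"
    elif out_count == 0:
        verdict = "dropped or diverted inside the ASA"
    else:
        verdict = "forwarded"
    return {
        "ingress": in_count,
        "egress": out_count,
        "ingress_vlans": sorted({p["vlan"] for p in in_pkts if p["vlan"] is not None}),
        "egress_vlans": sorted({p["vlan"] for p in out_pkts if p["vlan"] is not None}),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print("before:", compare(INGRESS, EGRESS_BEFORE, "10.10.40.10", "10.10.20.10"))
    print("after: ", compare(INGRESS, EGRESS_AFTER, "10.10.40.10", "10.10.20.10"))
```

The VLAN fields are kept in the verdict because they confirm which subinterface each capture was taken on (40 for dmz3, 10 for inside in the note); if the egress capture shows packets but on an unexpected VLAN, the capture was bound to the wrong interface, not the flow fixed.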
