Проект «SnakeProject» Михаила Козлова

⇒ CISCO ⇐

Voice(Asterisk\Cisco)

Microsoft

Powershell

Python

SQL\T-SQL

FreeBSD and Nix

1С

Общая

WEB Разработка

ORACLE SQL \ JAVA

Мото

Отладка в CISCO ASA утилитой packet tracer

Сейчас я покажу пример, как с помощью утилиты packet tracer в CISCO ASA произвести отладку прохождения сетевого пакета.

К примеру мы хотим посмотреть, как через VPN туннель из нашей локальной сети 192.168.1.0 пакет пойдет в сеть 10.10.300.0

Протокол к примеру пусть будет udp, inside - внутренний, outside -внешний интерфейс соответственно, 80 порт от балды поставил

ASA# packet-tracer input inside udp 192.168.1.53 80 10.10.300.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.300.0     255.255.255.0   outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) after-auto source static OBJ-SUBNET-VLAN-USER OBJ-SUBNET-VLAN-USER destination static GRP-NETWORK-DPC1 GRP-NETWORK-DPC1 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.300.10/80 to 10.10.300.10/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-VALN-USER-IN in interface inside
access-list ACL-VALN-USER-IN extended permit ip object OBJ-SUBNET-VLAN-USER any
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source static OBJ-SUBNET-VLAN-USER OBJ-SUBNET-VLAN-USER destination static GRP-NETWORK-DPC1 GRP-NETWORK-DPC1 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.1.53/80 to 192.168.1.53/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source static OBJ-SUBNET-VLAN-USER OBJ-SUBNET-VLAN-USER destination static GRP-NETWORK-DPC1 GRP-NETWORK-DPC1 no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21667, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Комментарии пользователей