69-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
2. Copy the CSV file to the client system.
This file can be edited, if necessary.
3. Launch PRSM and import the CSV file.
Analyzing an ASA or PIX Configuration Using Packet Tracer
Packet tracer is a policy debugging tool for ASA and PIX security appliances running version 7.2.1+ that
are not operating in transparent mode. It inspects the active policies currently running on the appliance.
Without having to generate real traffic, you can analyze how traffic between two addresses traverses the
security appliance, whether it is dropped or allowed. If the result is unexpected, you can determine where
the issue exists and update the corresponding policy in Security Manager to resolve it.
Packet tracer presents a step-by-step analysis of how a simulated packet is processed by the security
appliance’s active configuration. It traces the packet’s flow through the active firewall modules, such as
route lookup, access lists, NAT translations, and VPN. The set of active modules changes based on the
type of packet configured and the active configuration. For example, if no VPN policies are configured,
the VPN module is not evaluated.
You can inspect the simulated packet’s traversal rather than having to generate network traffic, enable
syslog messages, and manually review resulting syslog messages. Packet tracer details the actions
enforced by the active configuration on the packet. If a configuration command causes the packet to be
dropped, the reason is provided, such as “Drop-reason: (telnet-not-permitted) Telnet not permitted on
least secure interface.”
You can trace the life span of a simulated packet through the security appliance to see whether the packet
is behaving as expected. Packet tracer uses include the following:
• Debug all packet drops in a production network.
• Verify the configuration is working as intended.
• Show all rules applicable to a packet, including the CLI that defines the rule.
• Show a time line of packet changes in a data path.
• Trace packets in the data path.
• If the packet is blocked or permitted by some explicit access rule, you can use a shortcut to go to
the policy so that you can edit the rule.
Tips:
• Packet Tracer is also available in the ASDM application and the ASA command line, and the
Security Manager version is equivalent to the ASDM version. For an example of using Packet Tracer
from ASDM and the CLI to analyze a configuration, see PIX/ASA 7.2(1) and later: Intra-Interface
Communications.
• Before you can use packet tracer on a device, you must submit your policy changes at least once
after adding the device to the inventory.
• Packet tracer analyzes only the active configuration running on a device. Therefore, you cannot use
packet tracer to test proposed configurations before they are deployed and running on the device. Do
not use packet tracer on a device with pending configuration changes—deploy the changes first and
then use packet tracer to ensure the packet tracer results are valid.
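The step-by-step output described above (one phase per active module such as route lookup or access list, the CLI that defines each rule, and a final Drop-reason) is also produced by the ASA command-line packet-tracer mentioned in the tips. The following added example, which is not part of the Cisco guide or of Security Manager, parses a constructed trace in that shape into per-phase records and the final verdict; the exact text layout is an assumption, since the guide quotes only the Drop-reason string.

```python
import re
# Constructed sample shaped like ASA CLI "packet-tracer" text output
# (assumed layout; the document names the CLI but quotes no output).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 192.0.2.1 using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq telnet
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, verdict): one dict per firewall module the packet traversed,
    plus the final action, the parsed Drop-reason and the module that dropped it."""
    phases, verdict, cur, section = [], {}, None, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": []}
            phases.append(cur)
            section = None
        elif line == "Result:":            # bare header opens the final verdict block
            cur, section = None, None
        elif cur is not None:              # still inside a phase
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section == "config" and line.strip():
                cur["config"].append(line.strip())   # CLI that defines the rule
            elif section is None and ":" in line:    # Type:, Subtype:, Result:
                key, value = line.split(":", 1)
                cur[key.strip().lower()] = value.strip()
        elif line.startswith("Action:"):
            verdict["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            m = re.match(r"Drop-reason:\s*\((?P<code>[^)]+)\)\s*(?P<msg>.*)", line)
            if m:
                verdict["drop_code"], verdict["drop_reason"] = m["code"], m["msg"].strip()
    verdict["dropped_by"] = next((p.get("type") for p in phases if p.get("result") == "DROP"), None)
    return phases, verdict
```

Feeding a trace from a device into `parse_trace` gives the dropping module and the exact access-list line to look up in the corresponding Security Manager policy.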