Cisco ASA Firewall Policy Check Command: Take a Look!
Source: www.010cisco.cn  Published: 23 August 2019
Suppose we have an ASA firewall and want to check whether a particular network access is permitted through it. What do we do? Use this command: packet-tracer! packet-tracer simulates, on the ASA, the entire processing path of a network access, shows which policies the firewall applies to that access, and finally prints the result. The examples below illustrate it:

Example 1:

FW01# packet-tracer input inside tcp 1.1.1.1 56789 2.2.2.2 22 detail

Command explanation: the input direction is the inside interface; the source address and port are 1.1.1.1:56789; the destination address and port are 2.2.2.2:22. The output direction is found automatically by looking up the route to the destination address, so it does not need to be specified.

Output:

Phase: 1 (phase 1: route lookup)
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 10.1.1.1, outside (matched route)

Phase: 2 (phase 2: ACL in the input direction)
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip any any (matched ACL)
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf87f050, priority=13, domain=permit, deny=false
        hits=5053779736, user_data=0x7ffec761b280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 3 (phase 3: NAT policy)
Type: NAT     
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffece8da350, priority=0, domain=nat-per-session, deny=false
        hits=23465776598, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf5db590, priority=0, domain=inspect-ip-options, deny=true
        hits=13598439750, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any
              
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecf5a5520, priority=20, domain=lu, deny=false
        hits=3086520077, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffece8da350, priority=0, domain=nat-per-session, deny=false
        hits=23465776600, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffecf374e10, priority=0, domain=inspect-ip-options, deny=true
        hits=12509325332, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 592535567, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result: (final result)
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow (this packet is permitted by the firewall)

Example 2:

FW01# packet-tracer input outside tcp 10.1.1.1 56789 1.1.1.1 22 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 10.2.2.1, outside

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP (this packet is dropped)
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffecfc29940, priority=111, domain=permit, deny=true
        hits=12689074, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

(Example 2 shows that this network access fails because it is denied by the ACL.)
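When many such traces have to be read (for example when verifying a rule change across dozens of source/destination pairs), it helps to parse the output rather than eyeball it. The following is an added example and not code from the article or from Cisco: a small Python parser that splits packet-tracer output into phases, records each phase's Type, Result and Config lines, and reports the final Action, the phase that dropped the packet and the Drop-reason. The two sample traces embedded in it are constructed by abbreviating examples 1 and 2 above; the class and function names are the example's own.

```python
"""Parse Cisco ASA packet-tracer output and extract the verdict.
Added example, not code from the original article; the sample traces are
constructed from the article's two examples (abbreviated), not captured live."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:", i.e. the matched policy
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    summary: Dict[str, str]  # final "Result:" block: input-interface, Action, Drop-reason, ...

    def denying_phase(self) -> Optional[Phase]:
        """First phase whose Result is DROP, i.e. the policy that stopped the packet."""
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)

    def verdict(self) -> str:
        src = self.summary.get("input-interface", "?")
        dst = self.summary.get("output-interface", "?")
        if self.summary.get("Action", "").lower() == "allow":
            return f"ALLOW {src} -> {dst} after {len(self.phases)} phase(s)"
        p = self.denying_phase()
        where = f"phase {p.number} ({p.type})" if p else "unknown phase"
        return f"DROP {src} -> {dst} at {where}: {self.summary.get('Drop-reason', 'no reason printed')}"


def parse_packet_tracer(text: str) -> Trace:
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section = None  # "config" or "info" while inside a phase
    summary: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:  # a new phase begins
            current, section = Phase(number=int(m.group(1))), None
            phases.append(current)
            continue
        if line == "Result:":  # a bare "Result:" opens the final summary block
            current, section = None, None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if current is None:  # summary block: "key: value" lines
            summary[key] = value
        elif key in ("Type", "Result"):
            setattr(current, key.lower(), value)
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section is not None:  # Subtype and other headers before "Config:" are skipped
            getattr(current, section).append(line)
    return Trace(phases, summary)


# Constructed sample, abbreviated from the article's example 1 (permitted flow)
ALLOWED_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group inside_acl in interface inside
access-list inside_acl extended permit ip any any
Additional Information:
 in  id=0x7ffecf87f050, priority=13, domain=permit, deny=false

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

# Constructed sample, abbreviated from the article's example 2 (denied flow)
DENIED_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0x7ffecfc29940, priority=111, domain=permit, deny=true

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Calling `parse_packet_tracer(DENIED_TRACE).verdict()` yields a one-line summary naming the denying phase and the Drop-reason, while `Phase.config` keeps the exact access-group/access-list (or "Implicit Rule") lines the firewall matched, which is what you need when deciding which rule to adjust.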

This command can check many protocol types, such as ICMP, TCP, UDP, RAWIP, VLAN and VXLAN; the source and destination can be given as IP addresses with port numbers, as MAC addresses, or as an access carrying a user name.
