Most of us are familiar with Tracert: it shows the path a packet takes. When the network fails, we can run it on our own PC to help locate the point of failure.
Cisco's ASA firewall has a similar command, packet-tracer. It simulates traffic passing through the firewall, so you can check whether the policies configured on the ASA take effect and see at which node a packet is blocked on its way through. It is a very useful troubleshooting tool. The command format is as follows:
packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]
asa5510# packet-tracer input inside icmp 192.168.1.1 25 25 192.168.101.6
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
match ip inside 192.168.1.0 255.255.255.0 outside 192.168.101.0 255.255.255.0
NAT exempt
translate_hits = 1903, untranslate_hits = 1887
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
nat-control
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (58.246.135.204 [Interface PAT])
translate_hits = 152927, untranslate_hits = 101108
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
nat-control
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (58.246.135.204 [Interface PAT])
translate_hits = 152927, untranslate_hits = 101108
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
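Reading a long packet-tracer trace by eye is error-prone, so here is a small parser, added as an example and not part of the original post, that splits the output into its phases and the final Result block and reports the first phase whose result is DROP together with the Drop-reason. The sample text is the trace shown above, abbreviated to four phases and written out here as a constructed string rather than captured from a device; phase 8's type is given as VPN, the ASA's name for that phase, where the page's text shows a garbled type.

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped the packet."""

# Constructed sample, abbreviated from the trace above (phases 3, 4, 6 and 7 omitted).
# Real device output separates phases with blank lines; the parser accepts either form.
SAMPLE_OUTPUT = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
nat-control
match ip inside 192.168.1.0 255.255.255.0 outside 192.168.101.0 255.255.255.0
NAT exempt
translate_hits = 1903, untranslate_hits = 1887
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return {"phases": [...], "summary": {...}}.

    Each phase dict holds: phase (int), type, subtype, result, config (list of
    lines), info (list of lines). The summary dict is the trailing 'Result:' block.
    """
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase" and sep:
            current = {"phase": int(value), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":          # bare 'Result:' opens the final summary block
            current, section = None, "summary"
        elif section == "summary":
            if sep:
                summary[key] = value
        elif current is None:
            continue                      # text before the first phase
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            current[section].append(line)  # free-form lines belong to the open section
        elif key in ("Type", "Subtype", "Result") and sep:
            current[key.lower()] = value
    return {"phases": phases, "summary": summary}


def drop_point(text):
    """(phase number, type, subtype, drop reason) for the first DROP phase, else None."""
    parsed = parse_packet_tracer(text)
    for p in parsed["phases"]:
        if p["result"] == "DROP":
            return (p["phase"], p["type"], p["subtype"],
                    parsed["summary"].get("Drop-reason", ""))
    return None


def summarize(text):
    """One line per phase plus the final verdict, for a quick read of a long trace."""
    parsed = parse_packet_tracer(text)
    lines = [f"{p['phase']:>2} {p['type']:<14} {p['subtype']:<12} {p['result']}"
             for p in parsed["phases"]]
    s = parsed["summary"]
    lines.append(f"{s.get('input-interface')} -> {s.get('output-interface')}: "
                 f"{s.get('Action')} {s.get('Drop-reason', '')}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print(drop_point(SAMPLE_OUTPUT))
```

Feed it the saved output of a `packet-tracer` run (for example, pasted from the console into a file) and it prints one line per phase and the phase that stopped the packet; the config lines kept for each phase are the ones to compare against the running configuration when a policy does not behave as expected.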