Feature #2771

Add packet tracing simulator

Added by Jeremy Porter over 7 years ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
01/22/2013
Due date:
% Done:
0%

Estimated time:

Description

Functionally similar to the Cisco ASA command line:
packet-tracer input <interface> <protocol> <src-ip> <src-port> <dst-ip> <dst-port>
Cisco command line output looks like this:

zool# packet-tracer input outside tcp 199.33.241.10 10002 64.17.2.85 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 64.17.2.85 192.168.39.3 netmask 255.255.255.255
match ip inside host 192.168.39.3 outside any
static translation to 64.17.2.85
translate_hits = 17598526, untranslate_hits = 246858300
Additional Information:
NAT divert to egress interface inside
Untranslate 64.17.2.85/0 to 192.168.39.3/0 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any object-group public-servers object-group public-services
object-group network public-servers
network-object 64.17.2.80 255.255.255.240
object-group service public-services tcp
description: public tcp services
port-object eq www
port-object eq ssh
port-object eq https
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 64.17.2.85 192.168.39.3 netmask 255.255.255.255
match ip inside host 192.168.39.3 outside any
static translation to 64.17.2.85
translate_hits = 17598534, untranslate_hits = 246858382
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 64.17.2.85 192.168.39.3 netmask 255.255.255.255
match ip inside host 192.168.39.3 outside any
static translation to 64.17.2.85
translate_hits = 17598534, untranslate_hits = 246858382
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 276611946, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

zool#

It doesn't need to look much like the Cisco output, but what would be most helpful would be listing each rule it was processed against, in order of processing, up until it is allowed or denied.
Possibly this can be done with packet tagging. We don't want to turn on all tracing for all packets just to test a single packet.
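
As an added illustration of the behaviour requested above (this is example code written for this page, not code from pfSense, pf or this ticket), the following Python model walks a constructed NAT and filter rule set for one synthetic packet and records every rule the packet was processed against, in order, until a decision is reached. The `Packet`/`Rule` classes, the sample rules and their names, and the evaluation semantics (rdr before filtering, `quick` stops on match, otherwise last match wins, implicit default block) are assumptions made for the example; the addresses are borrowed from the ASA output above.

```python
"""Packet-path tracer modelled on the ASA packet-tracer output above.

Constructed illustration only: the Packet/Rule model, the sample rules and
the evaluation order are assumptions for this example, not pfSense or pf
code. Semantics modelled: rdr (port-forward) rules are applied before
filtering; filter rules are walked in order; a rule marked `quick` ends
evaluation when it matches, otherwise the last matching rule decides; if
nothing matches the packet falls through to the implicit default block.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    label: str
    action: str                                 # "pass", "block" or "rdr"
    iface: str = "any"
    proto: str = "any"
    src: str = "any"                            # CIDR or "any"
    dst: str = "any"                            # CIDR or "any"
    dport: Optional[int] = None                 # None matches any port
    quick: bool = False
    rdr_to: Optional[Tuple[str, int]] = None    # only for action == "rdr"


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Interface plus five-tuple match; 'any'/None wildcard a field."""
    return (rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and _addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def trace(pkt: Packet, nat_rules: List[Rule], filter_rules: List[Rule]):
    """Walk NAT then filter rules; return (action, deciding_label, phases).

    Every rule evaluated is recorded as (stage, label, outcome), matched or
    not, so the caller can list the rules in processing order up to the
    point where the packet is allowed or denied.
    """
    phases = []
    for r in nat_rules:                 # first matching rdr rewrites the destination
        if matches(r, pkt):
            new_dst, new_port = r.rdr_to
            phases.append(("NAT", r.label,
                           f"MATCH rdr {pkt.dst}:{pkt.dport} -> {new_dst}:{new_port}"))
            pkt = Packet(pkt.iface, pkt.proto, pkt.src, pkt.sport, new_dst, new_port)
            break
        phases.append(("NAT", r.label, "no match"))

    action, decided_by = "block", "implicit default block"
    for r in filter_rules:              # pf-style: quick stops, else last match wins
        if not matches(r, pkt):
            phases.append(("FILTER", r.label, "no match"))
            continue
        action, decided_by = r.action, r.label
        note = " (quick, evaluation stops)" if r.quick else ""
        phases.append(("FILTER", r.label, f"MATCH {r.action}{note}"))
        if r.quick:
            break
    return action, decided_by, phases


def format_trace(pkt: Packet, action: str, decided_by: str, phases) -> str:
    lines = [f"packet: {pkt.iface} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"]
    for n, (stage, label, outcome) in enumerate(phases, 1):
        lines.append(f"Phase {n}: {stage:6} {label:<26} {outcome}")
    lines.append(f"Result: {action} (decided by: {decided_by})")
    return "\n".join(lines)


# Constructed rule set echoing the ASA example: a static forward of
# 64.17.2.85 to 192.168.39.3 and a small WAN-inbound policy. Addresses come
# from the example above; interface and rule names are assumptions.
NAT_RULES = [
    Rule("rdr web-server", "rdr", iface="wan", proto="tcp",
         dst="64.17.2.85/32", dport=80, rdr_to=("192.168.39.3", 80)),
]
FILTER_RULES = [
    Rule("block rfc1918 src on wan", "block", iface="wan", src="10.0.0.0/8", quick=True),
    Rule("pass web to web-server", "pass", iface="wan", proto="tcp",
         dst="192.168.39.3/32", dport=80, quick=True),
    Rule("block all", "block", quick=True),
]


def run(iface: str, proto: str, src: str, sport: int, dst: str, dport: int):
    """Trace one synthetic packet through the sample rule set and print it."""
    pkt = Packet(iface, proto, src, sport, dst, dport)
    action, decided_by, phases = trace(pkt, NAT_RULES, FILTER_RULES)
    print(format_trace(pkt, action, decided_by, phases))
    return action, decided_by


if __name__ == "__main__":
    run("wan", "tcp", "199.33.241.10", 10002, "64.17.2.85", 80)
    run("wan", "tcp", "199.33.241.10", 10002, "64.17.2.85", 22)
```

Because the tracer records non-matching rules as well as matching ones, the output answers the question the ticket raises ("which rules was this packet processed against, in what order") rather than only reporting the deciding rule; the second run shows a packet falling past the forward and the pass rule to the final block.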

History

#1 Updated by Jim Pingle 11 months ago

  • Category set to Rules / NAT