ASA 7.2: A Very Practical Troubleshooting Tool

Published: 2010-09-01

ASA software version 7.2

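Packet-tracer input: this CLI command checks whether the policies you have configured on the ASA are actually taking effect. It is very practical. It can also help you find the stage at which a packet is blocked during communication, which makes it a very useful troubleshooting tool. It is also included in our ASDM DEMO installation software, where it can be found in the main menu of ASDM V1.4(9).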

packet-tracer

To enable packet tracing capabilities for packet sniffing and network fault isolation, use the packet-tracer command. To disable packet capture capabilities, use the no form of this command.

packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port [detailed] [xml]

no packet-tracer

examples:

asa5510# packet-tracer input inside icmp 192.168.1.1 25 25 192.168.101.6

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 access-list nonat

nat-control

match ip inside 192.168.1.0 255.255.255.0 outside 192.168.101.0 255.255.255.0

NAT exempt

translate_hits = 1903, untranslate_hits = 1887

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

nat-control

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (58.246.135.204 [Interface PAT])

translate_hits = 152927, untranslate_hits = 101108

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 192.168.1.0 255.255.255.0

nat-control

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (58.246.135.204 [Interface PAT])

translate_hits = 152927, untranslate_hits = 101108

Additional Information:

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
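Added example (not part of the original article): a short Python parser for the text output above that reports the first phase whose Result is not ALLOW, together with the Drop-reason from the final summary. The SAMPLE text is constructed by abbreviating the trace above to three of its eight phases, and the names parse_trace and first_drop are hypothetical.

```python
import re

# Constructed sample: the trace above, abbreviated to three of its eight phases.
SAMPLE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list nonat
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELD = re.compile(r"^([A-Za-z-]+):\s*(.*)$")  # "Key: value"; config lines do not match

def parse_trace(text):
    """Split packet-tracer text into per-phase dicts and the final summary dict."""
    phases, summary, cur = [], {}, None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                   # blank lines, config text, hit counters
        key, val = m.groups()
        if key == "Phase":
            cur = {"Phase": int(val)}
            phases.append(cur)
        elif key == "Result" and not val:
            cur = summary              # a bare "Result:" opens the summary block
        elif cur is not None:
            cur[key] = val
    return phases, summary

def first_drop(text):
    """Return the first phase whose Result is not ALLOW, plus the summary's reason."""
    phases, summary = parse_trace(text)
    hit = next((p for p in phases if p.get("Result") != "ALLOW"), None)
    if hit is None:
        return None                    # every phase allowed the packet
    return {**hit, "Drop-reason": summary.get("Drop-reason")}
```

Run against the full trace shown above, first_drop points at Phase 8 (Type VPN, Subtype encrypt), the stage to examine, while the summary's Drop-reason only says the flow was denied by a configured rule.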

(Editor in charge: admin)