ASA Packet-Tracer CLI

This is one of the more useful commands for troubleshooting NAT on a Cisco ASA:

packet-tracer input [int-name] [prot] [src_ip] [src_port] [dest_ip] [dest_port]

The output can show you where the traffic is dropped.

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,dmz) source static termserv1 termserv1 destination static sysop1 sysop1 service pwreset pwreset
description SysOpTools Password Reset
Additional Information:
NAT divert to egress interface inside
Untranslate 172.24.1.40/5000 to 172.24.1.40/5000

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz_in in interface dmz
access-list dmz_in extended permit tcp object sysop1 object termserv1 eq 5000
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,dmz) source static termserv1 termserv1 destination static sysop1 sysop1 service pwreset pwreset description SysOpTools Password Reset
Additional Information:
Static translate 172.22.1.50/5000 to 172.22.1.50/5000

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,dmz) source static termserv1 termserv1 destination static sysop1 sysop1 service pwreset pwreset description SysOpTools Password Reset
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2866275, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
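
On a long trace it is quicker to parse the output and report the first phase that did not return ALLOW. The parser below is an added example, not part of the original post. Its sample trace is constructed, and the `Implicit Rule` and `Drop-reason` lines are assumed to follow the usual ASA drop output; `parse_trace` and `first_drop` are hypothetical helper names.

```python
# Constructed sample (not from the page): the ACL check on dmz denies the flow.
SAMPLE_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
Additional Information:
NAT divert to egress interface inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts and the final summary."""
    phases, summary, target, section = [], {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Phase:"):
            phases.append({"Phase": int(line[6:]), "Config": [], "Additional Information": []})
            target, section = phases[-1], None
        elif line == "Result:":                 # bare "Result:" opens the summary block
            target, section = summary, None
        elif target is None:
            continue                            # banner text before the first phase
        elif target is not summary and line in ("Config:", "Additional Information:"):
            section = line[:-1]
        elif section:                           # free text under Config / Additional Information
            target[section].append(line)
        else:                                   # "Key: value" header or summary field
            key, _, val = line.partition(":")
            target[key.strip()] = val.strip()
    return phases, summary

def first_drop(text):
    """Return the first non-ALLOW phase with the drop reason, or None if all phases allow."""
    phases, summary = parse_trace(text)
    hit = next((p for p in phases if p.get("Result", "").upper() != "ALLOW"), None)
    return hit and {"phase": hit["Phase"], "type": hit.get("Type"),
                    "config": hit["Config"], "reason": summary.get("Drop-reason", "")}
```

The `config` list in the result holds the rule lines the ASA printed for the dropping phase, which is usually the ACL or NAT statement to review.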
