It has been reported that an application is not working where an ASA is inline with the data path.
Which command can be used to confirm or deny if the ASA is responsible for this issue?
A. test
B. packet-tracer
C. capture
D. verify
Answer: B
Explanation:
In addition to capturing packets, it is possible to trace the lifespan of a packet through the ASA to see if it is behaving as expected. The packet-tracer command enables you to do the following:
- Debug all packet drops in a production network.
- Verify that the configuration is working as intended.
- Show all rules applicable to a packet, along with the CLI lines that caused the rule addition.
- Show a timeline of packet changes in a data path.
- Inject tracer packets into the data path.
- Search for an IPv4 or IPv6 address based on the user identity and the FQDN.
The packet-tracer command provides detailed information about the packets and how they are processed by the ASA. Packet-tracer allows a firewall administrator to inject a virtual packet into the security appliance and track the flow from ingress to egress. Along the way, the packet is evaluated against flow and route lookups, ACLs, protocol inspection, NAT, and IDS. The power of the utility comes from the ability to simulate real-world traffic by specifying source and destination addresses with protocol and port information.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html