Chapter 13
Troubleshooting Connections and Resources
Procedure
Step 1
The command is complicated, so we shall break it down into parts. Start by choosing the interface and protocol for the trace:
packet-tracer input ifc_name {icmp | tcp | udp | rawip} [inline-tag tag] ...
Where:
• input ifc_name—The name of the interface from which to start the trace.
• icmp, tcp, udp, rawip—The protocol to use. "rawip" is raw IP, that is, IP packets that are not TCP/UDP.
• inline-tag tag—(Optional.) The security group tag value embedded in the Layer 2 CMD header. Valid values range from 0 - 65533.
Step 2
Next, type in the source address and protocol criteria.
...{sip | user username | security-group {name name | tag tag} | fqdn fqdn-string}...
Where:
• sip—The source IPv4 or IPv6 address for the packet trace.
• user username—The user identity in the format of domain\user. The most recently mapped address for the user (if any) is used in the trace.
• security-group {name name | tag tag}—The source security group based on the IP-SGT lookup for Trustsec. You can specify a security group name or a tag number.
• fqdn fqdn-string—The fully qualified domain name of the source host, IPv4 only.
Step 3
Next, type in the protocol characteristics.
• ICMP—Enter the ICMP type (1-255), ICMP code (0-255), and optionally, the ICMP identifier. You must use numbers for each variable, for example, 8 for echo.
... type code [ident]...
• TCP/UDP—Enter the source port number.
... sport ...
• Raw IP—Enter the protocol number, 0-255.
... protocol ...
Step 4
Finally, type in the destination address criteria, destination port for TCP/UDP traces, and optional keywords, and press Enter.
...{dip | security-group {name name | tag tag} | fqdn fqdn-string} dport [detailed] [xml]
Where:
• dip—The destination IPv4 or IPv6 address for the packet trace.
• security-group {name name | tag tag}—The destination security group based on the IP-SGT lookup for Trustsec. You can specify a security group name or a tag number.
• fqdn fqdn-string—The fully qualified domain name of the destination host, IPv4 only.
• dport—The destination port for TCP/UDP traces. Do not include this value for ICMP or raw IP traces.
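The four steps above assembled into one command line, as an added Python example that is not part of the Cisco guide. The helper build_packet_tracer is hypothetical; it enforces the ranges stated in the steps and rejects a dport on ICMP or raw IP traces. The interface name inside, the sample addresses, and the 0-65535 port bounds are assumptions.

```python
import ipaddress

SRC_KEYWORDS = ("user", "security-group", "fqdn")  # source forms from Step 2
DST_KEYWORDS = ("security-group", "fqdn")          # destination forms from Step 4

def _num(name, value, low, high):
    """Return value as text after checking it is an integer within low-high."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer in {low}-{high}, got {value!r}")
    return str(value)

def _endpoint(value, keywords):
    """Pass keyword forms through; a bare value must be an IPv4 or IPv6 address."""
    if value.partition(" ")[0] in keywords:
        return value
    return str(ipaddress.ip_address(value))  # raises ValueError if malformed

def build_packet_tracer(ifc, proto, src, dst, *, sport=None, dport=None,
                        icmp_type=None, icmp_code=None, icmp_ident=None,
                        ip_proto=None, inline_tag=None, detailed=False, xml=False):
    """Assemble one packet-tracer command line in the order of Steps 1-4."""
    if proto not in ("icmp", "tcp", "udp", "rawip"):
        raise ValueError(f"unsupported protocol {proto!r}")
    parts = ["packet-tracer", "input", ifc, proto]                      # Step 1
    if inline_tag is not None:
        parts += ["inline-tag", _num("inline-tag", inline_tag, 0, 65533)]
    parts.append(_endpoint(src, SRC_KEYWORDS))                          # Step 2
    if proto == "icmp":                                                 # Step 3
        parts += [_num("ICMP type", icmp_type, 1, 255),
                  _num("ICMP code", icmp_code, 0, 255)]
        if icmp_ident is not None:
            parts.append(str(int(icmp_ident)))
    elif proto == "rawip":
        parts.append(_num("protocol", ip_proto, 0, 255))
    else:
        # Port bounds are an assumption (16-bit range); the page gives none.
        parts.append(_num("sport", sport, 0, 65535))
    parts.append(_endpoint(dst, DST_KEYWORDS))                          # Step 4
    if proto in ("tcp", "udp"):
        parts.append(_num("dport", dport, 0, 65535))
    elif dport is not None:
        raise ValueError("dport applies only to TCP/UDP traces")
    parts += [kw for kw, on in (("detailed", detailed), ("xml", xml)) if on]
    return " ".join(parts)

if __name__ == "__main__":
    # Constructed sample: interface name and addresses are placeholders.
    print(build_packet_tracer("inside", "tcp", "10.100.10.10", "10.100.11.11",
                              sport=1025, dport=80, detailed=True))
```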
Cisco ASA Series Firewall CLI Configuration Guide
Testing Your Configuration