Cisco ASA for Nexus 1000V Series Switch Technical Manual

Apr 27 2014 11:31:23: %ASA-6-302013: Built outbound TCP connection 2921 for outside:198.51.100.100/80 (198.51.100.100/80) to inside:172.16.11.5/58799 (203.0.113.2/58799)
The ASA Firewall generates syslogs during normal operation. The syslogs range in verbosity
based on the logging configuration. The output shows two syslogs that are seen at level six, or the
'informational' level.
In this example, there are two syslogs generated. The first is a log message that indicates that the
firewall has built a translation, specifically a dynamic TCP translation (PAT). It indicates the source
IP address and port and the translated IP address and port as the traffic traverses from the inside
to the outside interfaces.
The second syslog indicates that the firewall has built a connection in its connection table for this
specific traffic between the client and server. If the firewall were configured to block this
connection attempt, or some other factor inhibited the creation of this connection (resource
constraints or a possible misconfiguration), the firewall would not generate a log that indicates that
the connection was built. Instead, it would log the reason the connection was denied or an
indication of what factor inhibited the connection from being created.
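The message format described above lends itself to automated parsing, for example when you want to confirm from the syslog stream that a given client actually reached a server and which translated address it used. The following is an added example, not part of the manual: it parses the %ASA-6-302013 line shown on this page into its two endpoints (real and mapped address/port for each), reports where NAT or PAT was applied, and treats any other message ID as "not built" so that denied attempts are counted separately. The second sample line, a 106023 access-list deny, is a constructed example of the "logged a reason for denial" case the text mentions, and its access-group name is invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Generic header of every ASA syslog: %ASA-<severity>-<message id>: <text>
HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$")

# Body of message 302013 (connection built), as seen on the page.
# Each endpoint is interface:real-ip/real-port (mapped-ip/mapped-port).
ENDPOINT = r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)"
CONN_BUILT = re.compile(
    r"Built (inbound|outbound) TCP connection (\d+) for " + ENDPOINT + r" to " + ENDPOINT
)


@dataclass
class Endpoint:
    interface: str
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int

    def translated(self) -> bool:
        # A mapped address/port that differs from the real one means NAT or PAT applied.
        return (self.real_ip, self.real_port) != (self.mapped_ip, self.mapped_port)


@dataclass
class ConnBuilt:
    severity: int
    direction: str
    conn_id: int
    for_side: Endpoint   # endpoint after "for" (outside:server in the page's example)
    to_side: Endpoint    # endpoint after "to" (inside:client in the page's example)


def parse_conn_built(line: str) -> Optional[ConnBuilt]:
    """Return a ConnBuilt for a 302013 line, or None for any other message."""
    h = HEADER.search(line)
    if not h or h.group("msg_id") != "302013":
        return None
    m = CONN_BUILT.match(h.group("body"))
    if not m:
        return None
    g = m.groups()

    def ep(i: int) -> Endpoint:
        return Endpoint(g[i], g[i + 1], int(g[i + 2]), g[i + 3], int(g[i + 4]))

    return ConnBuilt(int(h.group("sev")), g[0], int(g[1]), ep(2), ep(7))


def message_id(line: str) -> Optional[str]:
    h = HEADER.search(line)
    return h.group("msg_id") if h else None


def summarize(lines: List[str]) -> Dict[str, list]:
    """Separate built connections from other messages and list translated endpoints."""
    built, other, translations = [], [], []
    for line in lines:
        c = parse_conn_built(line)
        if c is None:
            other.append(message_id(line))   # e.g. a deny, not a built connection
            continue
        built.append(c.conn_id)
        for side in (c.for_side, c.to_side):
            if side.translated():
                translations.append((side.interface,
                                     f"{side.real_ip}/{side.real_port}",
                                     f"{side.mapped_ip}/{side.mapped_port}"))
    return {"built": built, "other": other, "translations": translations}


SAMPLE = [
    # Line from the page
    "Apr 27 2014 11:31:23: %ASA-6-302013: Built outbound TCP connection 2921 for outside:"
    "198.51.100.100/80 (198.51.100.100/80) to inside:172.16.11.5/58799 (203.0.113.2/58799)",
    # Constructed sample of a denied attempt (message 106023); the access-group name is invented
    'Apr 27 2014 11:31:24: %ASA-4-106023: Deny tcp src inside:172.16.11.5/58800 '
    'dst outside:198.51.100.100/23 by access-group "inside_access_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the block on the two sample lines reports one built connection (2921), one other message (106023), and a single translation: the inside client 172.16.11.5/58799 mapped to 203.0.113.2/58799, which is exactly the PAT the text describes for the first syslog.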
Packet Tracer
ASA(config)# packet-tracer input inside tcp 172.16.11.5 1234 198.51.100.100 80
--Omitted--
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
The packet tracer functionality on the ASA allows you to specify a simulated packet and see all of
the various steps, checks, and functions that the firewall goes through when it processes traffic.
With this tool, it is helpful to identify an example of traffic you believe should be allowed to pass
through the firewall, and use that 5-tuple in order to simulate traffic. In the previous example, the
packet tracer is used in order to simulate a connection attempt that meets these criteria:
The simulated packet arrives on the inside.
The protocol used is TCP.
The simulated client IP address is 172.16.11.5.
The client sends traffic sourced from port 1234.
The traffic is destined to a server at IP address 198.51.100.100.
The traffic is destined to port 80.
Notice that there was no mention of the interface outside in the command. This is by packet tracer
design. The tool tells you how the firewall processes that type of connection attempt, which
includes how it would route it, and out of which interface. More information about packet tracer can
be found in 
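Because packet-tracer takes only the ingress interface plus the 5-tuple and reports the egress interface and verdict itself, it is straightforward to wrap in a pre-change check: build the command from the 5-tuple, run it (over whatever management channel you use), and verify that the Result block says what you expect. The following is an added example, not code from the manual: it builds the command string exactly as typed above and parses the Result block into fields, so a script can assert on Action and output-interface rather than a human reading the screen. The second sample output, a drop with a Drop-reason line, is constructed to show the failure case and is not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional


def packet_tracer_command(in_if: str, proto: str, src_ip: str, src_port: int,
                          dst_ip: str, dst_port: int) -> str:
    """Build the CLI command for a 5-tuple; only the ingress interface is named, as on the page."""
    return f"packet-tracer input {in_if} {proto} {src_ip} {src_port} {dst_ip} {dst_port}"


# Lines in the Result block look like "key: value" (keys use letters and hyphens).
RESULT_LINE = re.compile(r"^(?P<key>[A-Za-z-]+):\s*(?P<value>.*)$")


def parse_result(output: str) -> Dict[str, str]:
    """Extract the key: value pairs that follow the 'Result:' marker, ignoring the phases above it."""
    fields: Dict[str, str] = {}
    in_result = False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Result:":
            in_result = True
            continue
        if not in_result or not line:
            continue
        m = RESULT_LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields


@dataclass
class Verdict:
    allowed: bool
    egress: Optional[str]   # interface the firewall would route the packet out of
    reason: Optional[str]   # Drop-reason text when the packet is dropped


def verdict(output: str) -> Verdict:
    f = parse_result(output)
    return Verdict(f.get("Action") == "allow", f.get("output-interface"), f.get("Drop-reason"))


def check_expected(output: str, expect_out_if: str) -> bool:
    """True only if the packet is allowed, leaves via the expected interface, and both interfaces are up."""
    f = parse_result(output)
    return (f.get("Action") == "allow"
            and f.get("output-interface") == expect_out_if
            and f.get("input-status") == "up" and f.get("input-line-status") == "up"
            and f.get("output-status") == "up" and f.get("output-line-status") == "up")


# Result block from the page (phases omitted, as in the manual).
ALLOWED_OUTPUT = """--Omitted--
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample of a dropped packet; not from the page.
DROPPED_OUTPUT = """--Omitted--
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(packet_tracer_command("inside", "tcp", "172.16.11.5", 1234, "198.51.100.100", 80))
    print(verdict(ALLOWED_OUTPUT))
    print(verdict(DROPPED_OUTPUT))
```

check_expected deliberately fails on anything other than an explicit allow out of the interface you named, so an unexpected egress interface (a routing change) is caught as well as a policy deny.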
Capture
Apply Capture