{"id":125,"date":"2007-02-04T11:08:17","date_gmt":"2007-02-04T10:08:17","guid":{"rendered":"http:\/\/security-planet.de\/?p=109"},"modified":"2007-02-04T11:08:17","modified_gmt":"2007-02-04T10:08:17","slug":"der-cisco-pixasa-72-packet-tracer","status":"publish","type":"post","link":"https:\/\/cyber-fi.net\/index.php\/2007\/02\/04\/der-cisco-pixasa-72-packet-tracer\/","title":{"rendered":"The Cisco PIX\/ASA 7.2 Packet Tracer"},
"content":{"rendered":"<p>PIX\/ASA version 7.2(1) has now been available for a good eight months, and just over two months ago the update to version 7.2(2) arrived, in which plenty of bugs were fixed (ok, at least one bug in the handling of VPN filters was added). Isn't it time to think about an update so you can enjoy the packet tracer? <!--more-->It is one of the best enhancements, and one that many have been waiting for for a long time.<\/p>\n<p>The packet tracer answers the question &#8220;Can host A reach host C using protocol B?&#8221;. Previously you either had to be very sure you had configured everything correctly, or you simply had to test it. Today the packet tracer shows you whether the PIX\/ASA <em>would have<\/em> let a given packet through.<\/p>\n<p>The packet tracer can be used from the CLI or in ASDM. In the latter it even comes with a pretty (but useless \ud83d\ude09 ) animation. In this example I show its use from the CLI:<\/p>\n<p>The syntax from the <a href=\"http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/multisec\/asa_sw\/v_7_2\/cmd_ref\/p_711.htm#wp1724426\">online help<\/a>:<\/p>\n<pre class=\"code\"><code>packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port\n<\/code><\/pre>\n<p>The required parameters are therefore<\/p>\n<ol>\n<li>the interface on which the packet is to arrive<\/li>\n<li>the protocol: icmp, tcp, udp or rawip<\/li>\n<li>the source address with source port<\/li>\n<li>the destination address with destination port<\/li>\n<\/ol>\n<p>A few examples of what the packet tracer tells you:<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input outside tcp 1.2.3.4 1234 192.168.2.11 110\n\n...\n\nPhase: 4\nType: ACCESS-LIST\nSubtype:\nResult: DROP\nConfig:\nImplicit Rule\nAdditional Information:\n\nResult:\ninput-interface: outside\ninput-status: up\ninput-line-status: up\noutput-interface: outside\noutput-status: up\noutput-line-status: up\nAction: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n\nact\/pix#\n<\/code><\/pre>\n<p>The complete ACL on interface outside was searched and no matching entry was found. The implicit deny would have dropped the packet.<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input dmz-wan tcp 1.2.3.4 1234 5.6.7.8 110\n\n...\n\nPhase: 4\nType: ROUTE-LOOKUP\nSubtype: input\nResult: ALLOW\nConfig:\nAdditional Information:\nin   0.0.0.0         0.0.0.0         outside\n\nResult:\ninput-interface: dmz-wan\ninput-status: up\ninput-line-status: up\noutput-interface: outside\noutput-status: up\noutput-line-status: up\nAction: drop\nDrop-reason: (rpf-violated) Reverse-path verify failed\n\nact\/pix#\n<\/code><\/pre>\n<p>According to the routing table, the IP address 1.2.3.4 is not reachable via interface dmz-wan. The RPF check would have dropped the packet.<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input dmz-wan tcp 10.2.2.2 1234 5.6.7.8 80\n\n...\n\nPhase: 8\nType: NAT\nSubtype:\nResult: DROP\nConfig:\nnat (dmz-wan) 0 access-list nat0-dmz-wan\nnat-control\n  match ip dmz-wan any outside any\n    no translation group, implicit deny\n    policy_hits = 41443\nAdditional Information:\n\nResult:\ninput-interface: dmz-wan\ninput-status: up\ninput-line-status: up\noutput-interface: dmz-wan\noutput-status: up\noutput-line-status: up\nAction: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n\nact\/pix#\n<\/code><\/pre>\n<p>The packet would have been permitted by the ACL (the access-list check is phase 4), but there is no NAT rule for this packet and NAT control is enabled.<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input inside tcp 10.1.1.100 1234 10.234.234.234 80\n\n...\n\nPhase: 11\nType: VPN\nSubtype: encrypt\nResult: DROP\nConfig:\nAdditional Information:\n\nResult:\ninput-interface: inside\ninput-status: up\ninput-line-status: up\noutput-interface: inside\noutput-status: up\noutput-line-status: up\nAction: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n\nact\/pix#\n<\/code><\/pre>\n<p>Here the packet tracer is mistaken. The IP 10.234.234.234 is behind a VPN connection that is currently inactive but correctly configured. Because no SAs exist, the packet tracer could not encrypt the packet. A few seconds later the same test looks like this:<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input inside tcp 10.1.1.100 1234 10.234.234.234 80\n\n...\n\nPhase: 11\nType: VPN\nSubtype: encrypt\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 12\nType: ACCESS-LIST\nSubtype: ipsec-user\nResult: DROP\nConfig:\nAdditional Information:\n\nResult:\ninput-interface: inside\ninput-status: up\ninput-line-status: up\noutput-interface: inside\noutput-status: up\noutput-line-status: up\nAction: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n\nact\/pix#\n<\/code><\/pre>\n<p>Now the packet could be encrypted, but the VPN filter configured for this tunnel group forbids the communication.<\/p>\n<p>Here is a complete example with VPN in which the communication would be permitted:<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input inside tcp 10.1.1.100 80 10.234.234.234 1234\n\nPhase: 1\nType: FLOW-LOOKUP\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\nFound no matching flow, creating a new flow\n\nPhase: 2\nType: ROUTE-LOOKUP\nSubtype: input\nResult: ALLOW\nConfig:\nAdditional Information:\nin   10.234.234.0     255.255.255.0   outside\n\nPhase: 3\nType: ROUTE-LOOKUP\nSubtype: input\nResult: ALLOW\nConfig:\nAdditional Information:\nin   10.1.1.0    255.255.255.0   inside\n\nPhase: 4\nType: ACCESS-LIST\nSubtype: log\nResult: ALLOW\nConfig:\naccess-group inside-in in interface inside\naccess-list inside-in extended permit ip object-group internal-network any\nobject-group network internal-network\n network-object 10.1.1.0 255.255.255.0\nAdditional Information:\n\nPhase: 5\nType: IP-OPTIONS\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 6\nType: FOVER\nSubtype: standby-update\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 7\nType: NAT-EXEMPT\nSubtype:\nResult: ALLOW\nConfig:\nnat (inside) 0 access-list nat0-inside\nnat-control\n  match ip inside 10.0.0.0 255.0.0.0 outside 10.0.0.0 255.0.0.0\n    NAT exempt\n    translate_hits = 22830, untranslate_hits = 168671\nAdditional Information:\n\nPhase: 8\nType: NAT\nSubtype:\nResult: ALLOW\nConfig:\nnat (inside) 0 access-list nat0-inside\nnat (inside) 10 10.1.1.0 255.255.255.0\nnat-control\n  match ip inside 10.1.1.0 255.255.255.0 outside any\n    dynamic translation to pool 10 (192.168.2.254 [Interface PAT])\n    translate_hits = 28944, untranslate_hits = 12\nAdditional Information:\n\nPhase: 9\nType: NAT\nSubtype: host-limits\nResult: ALLOW\nConfig:\nnat (inside) 0 access-list nat0-inside\nnat (inside) 10 10.1.1.0 255.255.255.0\nnat-control\n  match ip inside 10.1.1.0 255.255.255.0 outside any\n    dynamic translation to pool 10 (192.168.2.254 [Interface PAT])\n    translate_hits = 28944, untranslate_hits = 12\nAdditional Information:\n\nPhase: 10\nType: VPN\nSubtype: encrypt\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 11\nType: ACCESS-LIST\nSubtype: ipsec-user\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 12\nType: VPN\nSubtype: ipsec-tunnel-flow\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 13\nType: IP-OPTIONS\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 14\nType: FLOW-CREATION\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\nNew flow created with id 1918239, packet dispatched to next module\n\nPhase: 15\nType: FLOW-LOOKUP\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\nFound no matching flow, creating a new flow\n\nPhase: 16\nType: ACCESS-LIST\nSubtype:\nResult: ALLOW\nConfig:\nImplicit Rule\nAdditional Information:\n\nPhase: 17\nType: FLOW-CREATION\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\nNew flow created with id 1918240, packet dispatched to next module\n\nPhase: 18\nType: ROUTE-LOOKUP\nSubtype: output and adjacency\nResult: ALLOW\nConfig:\nAdditional Information:\nfound next-hop 192.168.2.250 using egress ifc outside\nadjacency Active\nnext-hop mac address 0000.0c08.ac01 hits 322945\n\nResult:\ninput-interface: inside\ninput-status: up\ninput-line-status: up\noutput-interface: inside\noutput-status: up\noutput-line-status: up\nAction: allow\n\nact\/pix#\n<\/code><\/pre>\n<p>And here is one more example of a successful trace from the outside interface to the web server in the DMZ:<\/p>\n<pre class=\"code\"><code>\nact\/pix# packet-tracer input outside tcp 1.2.3.4 1234 192.168.2.11 80\n\nPhase: 1\nType: FLOW-LOOKUP\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\nFound no matching flow, creating a new flow\n\nPhase: 2\nType: UN-NAT\nSubtype: static\nResult: ALLOW\nConfig:\nstatic (dmz,outside) 192.168.2.11 10.10.10.10 netmask 255.255.255.255 dns\nnat-control\n  match ip dmz host 10.10.10.10 outside any\n    static translation to 192.168.2.11\n    translate_hits = 313235, untranslate_hits = 12786\nAdditional Information:\nNAT divert to egress interface dmz\nUntranslate 192.168.2.11\/0 to 10.10.10.10\/0 using netmask 255.255.255.255\n\nPhase: 3\nType: ROUTE-LOOKUP\nSubtype: input\nResult: ALLOW\nConfig:\nAdditional Information:\nin   0.0.0.0         0.0.0.0         outside\n\nPhase: 4\nType: ACCESS-LIST\nSubtype: log\nResult: ALLOW\nConfig:\naccess-group out-in in interface outside\naccess-list out-in extended permit tcp any host object-group Einstein-outside eq www\nobject-group network Einstein-outside\n network-object host 192.168.2.11\n network-object host 192.168.2.12\nAdditional Information:\n\nPhase: 5\nType: IP-OPTIONS\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 6\nType: INSPECT\nSubtype: np-inspect\nResult: ALLOW\nConfig:\nclass-map inspection_default\n match default-inspection-traffic\npolicy-map global_policy\n class inspection_default\n  inspect http\nservice-policy global_policy global\nAdditional Information:\n\nPhase: 7\nType: FOVER\nSubtype: standby-update\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 8\nType: NAT\nSubtype: rpf-check\nResult: ALLOW\nConfig:\nstatic (dmz,outside) 192.168.2.11 10.10.10.10 netmask 255.255.255.255 dns\nnat-control\n  match ip dmz host 10.10.10.10 outside any\n    static translation to 192.168.2.11\n    translate_hits = 313235, untranslate_hits = 12786\nAdditional Information:\n\nPhase: 9\nType: NAT\nSubtype: host-limits\nResult: ALLOW\nConfig:\nstatic (dmz,outside) 192.168.2.11 10.10.10.10 netmask 255.255.255.255 dns\nnat-control\n  match ip dmz host 10.10.10.10 outside any\n    static translation to 192.168.2.11\n    translate_hits = 313235, untranslate_hits = 12786\nAdditional Information:\n\nPhase: 10\nType: IP-OPTIONS\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\n\nPhase: 11\nType: FLOW-CREATION\nSubtype:\nResult: ALLOW\nConfig:\nAdditional Information:\nNew flow created with id 1913085, packet dispatched to next module\n\nPhase: 12\nType: ROUTE-LOOKUP\nSubtype: output and adjacency\nResult: ALLOW\nConfig:\nAdditional Information:\nfound next-hop 10.10.10.10 using egress ifc dmz\nadjacency Active\nnext-hop mac address 000d.56a6.cb5f hits 173\n\nResult:\ninput-interface: outside\ninput-status: up\ninput-line-status: up\noutput-interface: outside\noutput-status: up\noutput-line-status: up\nAction: allow\n\nact\/pix#\n<\/code><\/pre>\n<p>Convinced by the packet tracer? Have fun updating &#8230; \ud83d\ude09<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>PIX\/ASA version 7.2(1) has now been available for a good eight months, and just over two months ago the update to version 7.2(2) arrived, in which plenty of bugs were fixed (ok, at least one bug in the handling of VPN filters was added). Isn't it time to think about an update so you can enjoy the packet tracer <\/p>\n","protected":false},
"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[5,7],"tags":[456,472],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-cisco","category-cisco-security","tag-packet-tracer","tag-pix-asa"],"_links":{"self":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/comments?post=125"}],"version-history":[{"count":0,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/posts\/125\/revisions"}],"wp:attachment":[{"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/media?parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/categories?post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-fi.net\/index.php\/wp-json\/wp\/v2\/tags?post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}