How to check interfaces and security levels in ASA firewall

1. Login to ASA firewall and go to enable mode

ASAINB> en
Password: *********
ASAINB #

2. Use the below commands to check the status of the interfaces

ASAINB # show interface ip brief
Interface                  IP-Address      OK? Method Status                              Protocol
GigabitEthernet0/0         unassigned      YES unset  down                           down
GigabitEthernet0/1         unassigned      YES unset  administratively down down
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
GigabitEthernet0/4         unassigned      YES unset  administratively down down
GigabitEthernet0/5         unassigned      YES unset  administratively down down
GigabitEthernet0/6         unassigned      YES unset  administratively down down
GigabitEthernet0/7         unassigned      YES unset  administratively down down
TenGigabitEthernet1/0.1    10.1.1.1       YES CONFIG up                           up
TenGigabitEthernet1/0.2    10.1.2.1      YES CONFIG up                            up
TenGigabitEthernet1/0.3    10.1.3.1      YES CONFIG up                            up
TenGigabitEthernet1/0.4    10.1.4.1      YES CONFIG up                            up

ASAINB # show ip
System IP Addresses:
Interface                          Name                   IP address      Subnet mask                    Method
Management0/0            management  10.1.5.10    255.255.255.248                        CONFIG
TenGigabitEthernet1/0.1  pub              10.1.1.1       255.255.255.0                            CONFIG
TenGigabitEthernet1/0.2  prim             10.1.2.1      255.255.255.0                             CONFIG
TenGigabitEthernet1/0.3  acs                 10.1.3.1      255.255.255.0                             CONFIG
TenGigabitEthernet1/0.4  priv                10.1.4.1      255.255.255.0                            CONFIG

ASAINB # show nameif
Interface                         Name                        Security
Management0/0              management               100
TenGigabitEthernet1/0.1    pub                           55
TenGigabitEthernet1/0.2    prim                          50
TenGigabitEthernet1/0.3    acs                           100
TenGigabitEthernet1/0.4    priv                          65

How to check Routes and arp on the ASA firewall.

1.Check active route in the routing table for a particular destination
 
ASAINB # show route 10.1.4.9
 
Routing entry for 10.1.4.0 255.255.255.0
  Known via “connected”, distance 0, metric 0 (connected, via interface)
  Routing Descriptor Blocks:
  * directly connected, via priv
      Route metric is 0, traffic share count is 1
 
2. Check if the route is present in the running configuration for a specific destination
 
ASAINB # show run route | include 10.70.4.9
route priv 10.70.4.9 255.255.255.255 10.100.4.2
 
3. Check if the designation is on directly connected on Layer2 segment and if it’s ARP is learned on the firewall
ASAINB # show arp | include 10.100.4.9
        priv 10.100.4.9 0050.5696.7e49 59

Capture  packets on ASA interface to check if the packets are seen on ASA for a specific source and destination

1. Find the source and destination IP / subnet and if possible the TCP/ UDP ports involved
2.  Apply captures on an incoming interface to check if the packets are arriving from source and then apply it on outgoing interface to see if the packets are sent out

ASAINB # capture <name of capture> interface <name of interface>match ip host <source ip> host <destination ip>

For more options use ? at each option on the firewall command-line interface

Example

ASAINB # capture mycap interface priv match ip host 192.168.161.78 host 10.70.4.9

3. Check the captures on CLI

ASAINB # show cap <name of capture>

ASAINB # show cap mycap

19 packets captured

1: 09:05:04.909544       802.1Q vlan#681 P6 192.168.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
2: 09:05:04.909758       802.1Q vlan#681 P0 10.70.4.9.21 > 192.168.161.78.51202: . ack 1611391851 win 14600
3: 09:06:04.945507       802.1Q vlan#681 P6 192.168.161.78.51202 > 10.70.4.9.21: . ack 4084884520 win 3893
4: 09:06:04.945736       802.1Q vlan#681 P0 10.70.4.9.21 > 192.168.161.78.51202: . ack 1611391851 win 14600
5: 09:07:04.764761       802.1Q vlan#681 P0 10.70.4.9.21 > 192.168.161.78.51202: P 4084884520:4084884534(14) ack 1611391851 win 14600
6: 09:07:04.767477       802.1Q vlan#681 P0 10.70.4.9.21 > 192.168.161.78.51202: F 4084884534:4084884534(0) ack 1611391851 win 14600
7: 09:07:04.802738       802.1Q vlan#681 P6 192.168.161.78.51202 > 10.70.4.9.21: . ack 4084884535 win 3879
8: 09:07:04.804279       802.1Q vlan#681 P6 192.168.161.78.51202 > 10.70.4.9.21: FP 1611391851:1611391851(0) ack 4084884535 win 3879
9: 09:07:04.804417       802.1Q vlan#681 P0 10.70.4.9.21 > 192.168.161.78.51202: . ack 1611391852 win 14600
10: 12:02:38.681269       802.1Q vlan#681 P0 192.168.161.78 > 10.70.4.9: icmp: echo request
11: 12:02:38.681605       802.1Q vlan#681 P0 10.70.4.9 > 192.168.161.78: icmp: echo reply
12: 12:02:38.721489       802.1Q vlan#681 P0 192.168.161.78 > 10.70.4.9: icmp: echo request
13: 12:02:38.721611       802.1Q vlan#681 P0 10.70.4.9 > 192.168.161.78: icmp: echo reply
14: 12:02:38.761557       802.1Q vlan#681 P0 192.168.161.78 > 10.70.4.9: icmp: echo request
15: 12:02:38.761648       802.1Q vlan#681 P0 10.70.4.9 > 192.168.161.78: icmp: echo reply
16: 12:02:38.801640       802.1Q vlan#681 P0 192.168.161.78 > 10.70.4.9: icmp: echo request
17: 12:02:38.801731       802.1Q vlan#681 P0 10.70.4.9 > 192.168.161.78: icmp: echo reply
18: 12:02:38.841707       802.1Q vlan#681 P0 192.168.161.78 > 10.70.4.9: icmp: echo request
19: 12:02:38.841814       802.1Q vlan#681 P0 10.70.4.9 > 192.168.161.78: icmp: echo reply
19 packets shown

4. Export the capture from the firewall to view in Wireshark

Using the https

If you have enabled HTTP server on ASA to go to your browser and give the following in the URL field

https:// <ip address of asa>/capture/<capname>/pcap

Export via copy command

copy /pcap capture:

disk
flash
FTP
smb
system
TFTP

Example

ASAINB # copy /pcap capture: flash:

Source capture name []? mycap

Destination filename [mycap]? mycap
!
19 packets copied in 0.10 secs

Capture IPv6 traffic on ASA firewall

1.Configure access-list with source and destination IP/ subnet
ASAINB (config)# show access-list test-cap
 
access-list test-cap extended permit ip host 2005:200:802:689::1 any6
 
2.Apply the ACL in the capture
 
ASAINB (config)# show cap
capture test access-list test-cap interface outside
 
3.Send test traffic
 
ASAINB (config)# ping outside 2005:200:802:689::6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2005:200:802:689::6, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 
4.View the capture
 
ASAINB (config)# show cap test
 
9 packets captured
 
   1: 10:31:56.217441       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   2: 10:31:57.210285       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   3: 10:31:58.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   4: 10:32:00.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   5: 10:32:01.209904       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   6: 10:32:02.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   7: 10:32:04.209950       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   8: 10:32:05.209904       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
   9: 10:32:06.209965       2005:200:802:689::1 > ff02::1:ff00:6: icmp6: neighbor sol: who has 2005:200:802:689::6 [class 0xe0]
9 packets shown

Troubleshooting Access Problems Using Packet-Tracer

Packet-tracer is available both from the CLI and in the ASDM. The ASDM version includes and the ability to navigate quickly to a failed policy.

Here is the CLI syntax:

#packet-tracer input [src_int] protocol src_addr src_port dest_addr  dest_port [detailed]

An example output is shown below. This tool shows some of the most useful features. Not only does the tool show the result of an ACL evaluation, but also the specific ACE that either permits or denies the packet, including a hit on the implicit deny.

ASAINB #packet-tracer input pub tcp 10.140.0.17 1002 10.70.4.46 1002 det

Phase: 1
Type: CAPTURE  There is a capture setup for this traffic
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffc26734a0, priority=13, domain=capture, deny=false
hits=14633546662, user_data=0x7fffc2705270, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=pub, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff96dd8fa0, priority=1, domain=permit, deny=false
hits=51585156773, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=pub, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.4.2 using egress ifc  priv

Phase: 4
Type: ACCESS-LIST <- Ingress interface  ACL check
Subtype: log
Result: ALLOW
Config:
access-group pub_access_in in interface pub
access-list pub_access_in extended permit tcp object-group HP_HG object H_AD object-group HP_SERVICES
access-list pub_access_in remark Discription: HP connectivity
object-group network HP_HG
network-object object H_10.140.0.14
network-object object H_10.140.0.12
network-object object H_10.140.0.17
network-object object H_10.140.0.18
object-group service HP_SERVICES tcp
port-object eq 1002
port-object eq 3001
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffcaa13670, priority=13, domain=permit, deny=false
hits=9, user_data=0x7fff9c531440, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.140.0.17, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.70.4.46, mask=255.255.255.255, port=1002, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff85712500, priority=7, domain=conn-set, deny=false
hits=1584067435, user_data=0x7fff856f7810, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb53214a0, priority=0, domain=nat-per-session, deny=false
hits=2548149073, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff96ddf3b0, priority=0, domain=inspect-ip-options, deny=true
hits=1484564486, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff96dd5870, priority=20, domain=lu, deny=false
hits=1214058922, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=pub, output_ifc=any

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff856dffc0, priority=0, domain=user-statistics, deny=false
hits=88671632, user_data=0x7fff8ab43b20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=priv

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7fffb53214a0, priority=0, domain=nat-per-session, deny=false
hits=2548149075, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x7fffbedf4c40, priority=0, domain=inspect-ip-options, deny=true
hits=88125839, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=priv, output_ifc=any

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7fff856e82d0, priority=0, domain=user-statistics, deny=false
hits=1780977342, user_data=0x7fff8ab43b20, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=pub

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2406214503, packet dispatched to next module
Module information for forward flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: pub
input-status: up
input-line-status: up
output-interface: priv
output-status: up
output-line-status: up
Action: allow