01 May, 2015
Packet-tracer Command in ASA to Check Whether Traffic Is Allowed or Dropped
! Telnet From R1 to R2 is allowed
ASA(config)# packet-tracer input inside tcp 10.0.0.1 1111 20.0.0.2 tel
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 20.0.0.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2999, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
! Telnet From R2 to R1 is DROPPED
ASA(config)# packet-tracer input outside tcp 20.0.0.2 1111 10.0.0.1 tel
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
! Configure Access-list to permit OUT-IN Telnet Access (R2 to R1)
ASA(config)# access-list OUT-IN-TELNET permit tcp host 20.0.0.2 host 10.0.0.1 eq 23
ASA(config)# access-group OUT-IN-TELNET in interface outside
ASA(config)# show run access-list
access-list OUT-IN-TELNET extended permit tcp host 20.0.0.2 host 10.0.0.1 eq telnet
ASA(config)# show run access-group
access-group OUT-IN-TELNET in interface outside
! Telnet From R1 to R2 is allowed
ASA(config)# packet-tracer input inside tcp 10.0.0.1 1111 20.0.0.2 tel
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 20.0.0.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3000, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
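! Telnet From R2 to R1 is allowed
! (Phase 2 of this trace matched access-list OUT-IN, a permit ip rule that is broader than the OUT-IN-TELNET entry configured above)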
ASA(config)# packet-tracer input outside tcp 20.0.0.2 1111 10.0.0.1 tel
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-IN in interface outside
access-list OUT-IN extended permit ip host 20.0.0.2 host 10.0.0.1
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3001, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
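Added example (not part of the original post): Python that parses packet-tracer output in the format shown above and reports the first phase that dropped the packet, together with the matched config lines and the drop reason. The function names and the abridged sample trace are constructed for illustration.

```python
import re

# Constructed sample: the dropped outside-to-inside trace from this page, abridged.
SAMPLE_DROP = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"([A-Za-z-]+):\s*(.*)$", line)
        key, val = m.groups() if m else (None, line)
        if key == "Phase":
            cur, section = {"phase": int(val), "config": [], "info": []}, None
            phases.append(cur)
        elif key == "Result" and not val:      # bare "Result:" opens the summary
            cur, section = None, "summary"
        elif section == "summary" or cur is None:
            if key and section == "summary":   # text before Phase 1 is ignored
                summary[key.lower()] = val
        elif section is None and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line)
    return phases, summary

def first_drop(text):
    """Return (phase, type, matched config, drop reason) for the first DROP, else None."""
    phases, summary = parse_packet_tracer(text)
    hit = next((p for p in phases if p.get("result") == "DROP"), None)
    return hit and (hit["phase"], hit["type"], hit["config"], summary.get("drop-reason"))
```

Running first_drop over traces saved before and after an ACL change gives a quick check that only the intended flows changed verdict.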
! Very Useful command to see Connections
ASA# show conn ?
address Enter this keyword to specify IP address
all Enter this keyword to show conns including to-the-box and
from-the-box
count Enter this keyword to show conn count only
detail Enter this keyword to show conn in detail
long Enter this keyword to show conn in long format
port Enter this keyword to specify port
protocol Enter this keyword to specify conn protocol
state Enter this keyword to specify conn state
user Enter this keyword to specify conn user
user-group Enter this keyword to specify conn user group
user-identity Enter this keyword to show user names
| Output modifiers
<cr>