
Command Prompt Packet Tracer


Cisco ASA has included a very nice feature since the 7.2(1) release: packet-tracer.

*Click on the PC, click the Desktop tab, and then click CMD Command Prompt. At the CMD prompt, type telnet 192.168.1.1 and press Enter to connect to the device. Enter the user name and password you created during the setup of the connection.

*In the above line, password is the command, followed by your desired password. The login command is used to enforce the console password before accessing user exec mode. If you do not enter the login command after setting a password for line console, the router will not.

In short, you can inject and trace a packet as it progresses through the security features of the Cisco ASA appliance and quickly determine whether or not the packet will pass.

I often use it to verify traffic passing through firewall rules, NAT rules and VPN, but its uses are not limited to these three common troubleshooting steps.

SSH (Secure Shell) is one of the most used protocols in the networking world. As a secure alternative to Telnet, SSH is a constant in the life of a network engineer: it lets us connect to our routers, switches and any other network equipment.

Command structure

packet-tracer input <source interface> <protocol> <source IP> <source port> <destination IP> <destination port> [detailed]

Useful commands to be used in conjunction with packet-tracer are “clear conn” and “clear xlate”, which clear the connection table and the NAT table respectively.

*NOTE: You will obviously kill all IP sessions running through the appliance when using the clear commands. So use them at your own risk, and don’t blame me if your users come running after you wielding pitchforks and torches. ;)

Example

Following is an example of a packet-trace to a web server through a VPN tunnel, without the “detailed” option. My comments are in capitals.

CiscoASA# packet-tracer input inside tcp 10.20.30.40 54444 10.50.60.70 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-inside-in in interface inside
access-list ACL001f-inside-in extended permit ip any any
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 10.20.30.0 255.255.255.0 outside 10.40.50.0 255.255.255.0
NAT exempt
translate_hits = 51480, untranslate_hits = 854212
Additional Information:
THE TRAFFIC IS NOT NATED, EVEN THOUGH PHASE 8/9 RESULTS YIELD “ALLOW”.

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
nat-control
match ip inside 10.20.30.0 255.255.255.0 outside host 10.2.2.10
dynamic translation to pool 1 (200.200.200.200 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.20.30.0 255.255.255.0
nat-control
match ip inside 10.20.30.0 255.255.255.0 outside any
dynamic translation to pool 1 (200.200.200.200 [Interface PAT])
translate_hits = 3205631, untranslate_hits = 383007
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
TRAFFIC MATCHES VPN AND WILL BE ENCRYPTED

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10948889, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
FINAL ACTION IS ALLOW, WHICH MEANS THE PACKET IS NOT STOPPED BY THE CONFIGURATION AND WILL BE PASSED ON.

If I run the same command again, we will see that it matches an existing flow in phase 2 and is promptly passed on.

CiscoASA# packet-tracer input inside tcp 10.20.30.40 54444 10.50.60.70 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 10953078, using existing flow

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow
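A small parser for packet-tracer output, added here as an example and not code from the original article. It splits the phase blocks and the trailing Result block shown above and reports what a rule reviewer wants first: the final action, the phase that dropped the packet (if any) and whether the NAT-EXEMPT and VPN encrypt phases matched, the two points the comments above call out. The sample trace embedded in it is constructed in the same format, with a Drop-reason line as the ASA prints for a denied flow; the ACL name and rule in it are made up.

```python
import re

# Constructed sample in the article's trace format (not real captured output): a telnet flow denied by an inbound ACL.
SAMPLE_DROP = (
    "Phase: 1\nType: FLOW-LOOKUP\nSubtype:\nResult: ALLOW\nConfig:\n"
    "Additional Information:\nFound no matching flow, creating a new flow\n\n"
    "Phase: 2\nType: ACCESS-LIST\nSubtype: log\nResult: DROP\nConfig:\n"
    "access-group ACL-inside-in in interface inside\n"
    "access-list ACL-inside-in extended deny tcp any any eq 23\n"
    "Additional Information:\n\n"
    "Result:\ninput-interface: inside\ninput-status: up\ninput-line-status: up\n"
    "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n"
)

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the trailing Result block."""
    phases, final, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                 # summary block: bare header, no value
            cur, section = None, "final"
        elif section == "final":
            key, _, val = line.partition(":")   # e.g. "Drop-reason: (acl-drop) ..."
            final[key.strip().lower().replace("-", "_")] = val.strip()
        elif line.partition(":")[0] in ("Type", "Subtype", "Result"):
            key, _, val = line.partition(":")
            cur[key.lower()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:                           # the prompt line before Phase: 1 is skipped
            cur[section].append(line)
    return phases, final

def summarize(text):
    """Final action, first DROP phase, drop reason, and the NAT-exempt / VPN-encrypt matches."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "action": final.get("action", ""),
        "drop_phase": drop["phase"] if drop else None,
        "drop_reason": final.get("drop_reason", ""),
        "nat_exempt": any(p["type"] == "NAT-EXEMPT" and p["result"] == "ALLOW" for p in phases),
        "vpn_encrypt": any(p["type"] == "VPN" and p["subtype"] == "encrypt" for p in phases),
    }
```

Feed it the text you copy from the CLI (the prompt line can stay); on an allowed trace like the one above, drop_phase is None and nat_exempt and vpn_encrypt are both True.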

Packet tracer via ASDM / GUI

You can also find packet-tracer in ASDM via “Tools > Packet Tracer”.

9.2.3.3 Packet Tracer – Using the Ping Command Answers

Packet Tracer – Using the Ping Command (Answers Version)

Answers Note: Red font color or gray highlights indicate text that appears in the Answers copy only.

Topology

Objectives

Use the ping command to identify an incorrect configuration on a PC.

Background / Scenario

A small business owner learns that some users are unable to access a website. All PCs are configured with static IP addressing. Use the ping command to identify the issue.

Step 1: Verify connectivity.

Access the Desktop tab > Web Browser of each PC and enter the URL www.cisco.pka. Identify any PCs that are not connecting to the web server.

Note: All of the devices require time to complete the boot process. Please allow up to one minute before receiving a web response.

Which PCs are unable to connect to the web server? _____________ PC2

Step 2: Ping the web server from PC2.

*On PC2, access the Command Prompt from the Desktop tab.

*Type ping www.cisco.pka.

*Did the ping return a reply? What is the IP address displayed in the reply, if any? ____________________________________________________________________________________ There was no reply. No IP address was displayed in the message.

Step 3: Ping the web server from PC1.

*On PC1, access the Command Prompt from the Desktop tab.

*Type ping www.cisco.pka.

*Did the ping return a reply? What is the IP address returned, if any? ____________________________________________________________________________________ Reply was returned with 192.15.2.10 as the IP address for www.cisco.pka.

Step 4: Ping the IP address of the web server from PC2.

*On PC2, access the Command Prompt from the Desktop tab.

*Attempt to reach the IP address of the web server with the command ping 192.15.2.10.

*Did the ping return a reply? If so, then PC2 is able to reach the web server via IP address, but not domain name. This could indicate a problem with the DNS server configuration on PC2.

Step 5: Compare the DNS server information on PC2 with other PCs on the local network.

*Access the Command Prompt of PC1.

*Using the command ipconfig /all, examine the DNS server configuration on PC1.

*Access the Command Prompt of PC2.

*Using the command ipconfig /all, examine the DNS server configuration on PC2. Do the two configurations match?

Step 6: Make any necessary configuration changes on PC2.

*Navigate to the Desktop tab of PC2 and make any necessary configuration changes in IP Configuration.

*Using the Web Browser within the Desktop tab, connect to www.cisco.pka to verify that the configuration changes resolved the problem.

*Click the Check Results button at the bottom of this instruction window to check your work.
