asav-test3# packet-tracer input outside icmp 192.168.50.1 0 8 10.100$ Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 10.100.193.1 using egress ifc inside Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static any any destination static vpn_client vpn_client no-proxy-arp route-lookup Additional Information: NAT divert to egress interface inside Untranslate 10.100.32.54/0 to 10.100.32.54/0 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group outside_access_in in interface outside access-list outside_access_in extended permit ip any any Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9a44d4950, priority=13, domain=permit, deny=false hits=3, user_data=0x7ff9bc419000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 4 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static any any destination static vpn_client vpn_client no-proxy-arp route-lookup Additional Information: Static translate 192.168.50.1/0 to 192.168.50.1/0 Forward Flow based lookup yields rule: in id=0x7ff9b17c5e60, priority=6, domain=nat, deny=false hits=22678, user_data=0x7ff9b10c32b0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=inside Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9b10b3f80, priority=0, domain=nat-per-session, deny=true hits=15254, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9a44fa120, priority=0, domain=inspect-ip-options, deny=true hits=27611, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 7 Type: CP-PUNT Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9b17b55d0, priority=89, domain=punt, deny=true hits=419, user_data=0x7ff9b0e8a1b0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.50.1, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 8 Type: VPN Subtype: ipsec-tunnel-flow Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9a4454ed0, priority=69, domain=ipsec-tunnel-flow, deny=false hits=179, user_data=0x155b4, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=192.168.50.1, mask=255.255.255.255, port=0, tag=any dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Result: input-interface: outside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule asav-test3# packet-tracer input outside icmp 192.168.50.1 0 8 10.100$ Phase: 1 Type: ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Config: Additional Information: found next-hop 10.100.193.1 using egress ifc inside Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (inside,outside) source static any any destination static vpn_client vpn_client no-proxy-arp route-lookup Additional Information: NAT divert to egress interface inside Untranslate 10.100.193.1/0 to 10.100.193.1/0 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group outside_access_in in interface outside access-list outside_access_in extended permit ip any any Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9a44d4950, priority=13, domain=permit, deny=false hits=4, user_data=0x7ff9bc419000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 4 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static any any destination static vpn_client vpn_client no-proxy-arp route-lookup Additional Information: Static translate 192.168.50.1/0 to 192.168.50.1/0 Forward Flow based lookup yields rule: in id=0x7ff9b17c5e60, priority=6, domain=nat, deny=false hits=22738, user_data=0x7ff9b10c32b0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=inside Phase: 5 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9b10b3f80, priority=0, domain=nat-per-session, deny=true hits=15293, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any Phase: 6 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9a44fa120, priority=0, domain=inspect-ip-options, deny=true hits=27671, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 7 Type: CP-PUNT Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9b17b55d0, priority=89, domain=punt, deny=true hits=479, user_data=0x7ff9b0e8a1b0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=192.168.50.1, mask=255.255.255.255, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Phase: 8 Type: VPN Subtype: ipsec-tunnel-flow Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: in id=0x7ff9a4454ed0, priority=69, domain=ipsec-tunnel-flow, deny=false hits=200, user_data=0x155b4, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=192.168.50.1, mask=255.255.255.255, port=0, tag=any dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=outside, output_ifc=any Result: input-interface: outside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule asav-test3#