VFCNETASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.253 using egress ifc inside900

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside900
Untranslate 172.16.17.70/0 to 172.16.17.70/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN2-ACCESS-IN in interface wan2
access-list WAN2-ACCESS-IN extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f37566e88c0, priority=13, domain=permit, deny=false
        hits=3075, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f375876c910, priority=7, domain=conn-set, deny=false
        hits=2092504, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
Static translate 10.60.60.13/0 to 10.60.60.13/0
 Forward Flow based lookup yields rule:
 in id=0x7f375a1b3860, priority=6, domain=nat, deny=false
        hits=1357, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=inside900

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true
        hits=10270522, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true
        hits=10895655, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f37581c7540, priority=79, domain=punt, deny=true
        hits=1, user_data=0x7f375508c7f0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false
        hits=117808, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false
        hits=117808, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 11
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  inspect ftp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false
        hits=1793759, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1, user_data=0x2e8adc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=wan2, output_ifc=any

Result:
input-interface: wan2
input-status: up
input-line-status: up
output-interface: inside900
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule