TNG-UPH-A-FW-08-01/Internet# !--> using Inside Interface
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# packet-tracer input inside icmp 192.168.27.52 8 0$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 122.200.3.246 using egress ifc Outside10G

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside10G
Untranslate 10.8.14.1/0 to 10.8.14.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xff780ac4f0, priority=13, domain=permit, deny=false
    hits=4933671413, user_data=0x559100b580, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04c2d80, priority=7, domain=conn-set, deny=false
    hits=63914034406, user_data=0xffc04c0910, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.27.52/0 to 192.168.27.52/0
 Forward Flow based lookup yields rule:
 in id=0xffd0a90010, priority=6, domain=nat, deny=false
    hits=3022, user_data=0xff98242b60, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=192.168.27.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=Outside10G

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffca498950, priority=0, domain=nat-per-session, deny=true
    hits=27627732275, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffe92a4040, priority=0, domain=inspect-ip-options, deny=true
    hits=65293585741, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xff780ac4f0, priority=13, domain=permit, deny=false
    hits=4933671414, user_data=0x559100b580, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04c2d80, priority=7, domain=conn-set, deny=false
    hits=63914034406, user_data=0xffc04c0910, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.27.52/0 to 192.168.27.52/0
 Forward Flow based lookup yields rule:
 in id=0xffd0a90010, priority=6, domain=nat, deny=false
    hits=3022, user_data=0xff98242b60, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=192.168.27.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=Outside10G

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffca498950, priority=0, domain=nat-per-session, deny=true
    hits=27627732275, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffe92a4040, priority=0, domain=inspect-ip-options, deny=true
    hits=65293585741, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 13
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04b7760, priority=70, domain=inspect-icmp, deny=false
    hits=6973921032, user_data=0xffc04b6cd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 14
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04bd2b0, priority=70, domain=inspect-icmp-error, deny=false
    hits=6973921032, user_data=0xffc04bc820, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 15
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xff6744c7b0, priority=70, domain=encrypt, deny=false
    hits=93, user_data=0x7e95302c, cs_id=0xffc72e1ee0, reverse, flags=0x0, protocol=0
    src ip/id=192.168.27.52, mask=255.255.255.255, port=0, tag=any
    dst ip/id=10.8.14.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=Outside10G

Phase: 16
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xffd2e48f90, priority=6, domain=nat-reverse, deny=false
    hits=2932, user_data=0xffba128380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=192.168.27.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=Outside10G

Phase: 17
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0xffc1bd60f0, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=93, user_data=0x7e9551ec, cs_id=0xffc72e1ee0, reverse, flags=0x0, protocol=0
    src ip/id=10.8.14.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=192.168.27.52, mask=255.255.255.255, port=0, tag=any, dscp=0x0
    input_ifc=Outside10G, output_ifc=any

Phase: 18
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0xffca498950, priority=0, domain=nat-per-session, deny=true
    hits=27627732277, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0xffc4ff36a0, priority=0, domain=inspect-ip-options, deny=true
    hits=39071780137, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Outside10G, output_ifc=any

Phase: 20
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2679830557, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside10G
output-status: up
output-line-status: up
Action: allow

TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# packet-tracer input inside icmp 10.0.210.20 8 0 1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 122.200.3.246 using egress ifc Outside10G

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside10G
Untranslate 10.8.14.1/0 to 10.8.14.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xff780ac4f0, priority=13, domain=permit, deny=false
    hits=4933672689, user_data=0x559100b580, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04c2d80, priority=7, domain=conn-set, deny=false
    hits=63914039108, user_data=0xffc04c0910, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.210.20/0 to 10.0.210.20/0
 Forward Flow based lookup yields rule:
 in id=0xffd2702bb0, priority=6, domain=nat, deny=false
    hits=2029, user_data=0xff98242b60, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=10.0.210.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=Outside10G

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffca498950, priority=0, domain=nat-per-session, deny=true
    hits=27627734775, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffe92a4040, priority=0, domain=inspect-ip-options, deny=true
    hits=65293590748, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xff780ac4f0, priority=13, domain=permit, deny=false
    hits=4933672690, user_data=0x559100b580, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04c2d80, priority=7, domain=conn-set, deny=false
    hits=63914039108, user_data=0xffc04c0910, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.210.20/0 to 10.0.210.20/0
 Forward Flow based lookup yields rule:
 in id=0xffd2702bb0, priority=6, domain=nat, deny=false
    hits=2029, user_data=0xff98242b60, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=10.0.210.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=Outside10G

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffca498950, priority=0, domain=nat-per-session, deny=true
    hits=27627734775, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffe92a4040, priority=0, domain=inspect-ip-options, deny=true
    hits=65293590748, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 13
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04b7760, priority=70, domain=inspect-icmp, deny=false
    hits=6973921707, user_data=0xffc04b6cd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 14
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc04bd2b0, priority=70, domain=inspect-icmp-error, deny=false
    hits=6973921707, user_data=0xffc04bc820, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=any

Phase: 15
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xffba730a00, priority=70, domain=encrypt, deny=false
    hits=93, user_data=0x75d9b8dc, cs_id=0xffc72e1ee0, reverse, flags=0x0, protocol=0
    src ip/id=10.0.210.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.14.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=Outside10G

Phase: 16
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside10G) source static SiteToSiteMeraki_LocalNetwork SiteToSiteMeraki_LocalNetwork destination static SiteToSiteMeraki_SBY-2Network SiteToSiteMeraki_SBY-2Network no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xffd1d3ad00, priority=6, domain=nat-reverse, deny=false
    hits=2018, user_data=0xffba128380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=10.0.210.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.8.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Inside, output_ifc=Outside10G

Phase: 17
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0xffbbf07b30, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=93, user_data=0x75d9c4dc, cs_id=0xffc72e1ee0, reverse, flags=0x0, protocol=0
    src ip/id=10.8.14.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.0.210.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=Outside10G, output_ifc=any

Phase: 18
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0xffca498950, priority=0, domain=nat-per-session, deny=true
    hits=27627734777, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 19
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0xffc4ff36a0, priority=0, domain=inspect-ip-options, deny=true
    hits=39071784401, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Outside10G, output_ifc=any

Phase: 20
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2679834197, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside10G
output-status: up
output-line-status: up
Action: allow

TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# !---> using Outside Interface
TNG-UPH-A-FW-08-01/Internet# !--> As SOURCE
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# packet-tracer input Outside10G icmp 192.168.27.52$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 122.200.3.246 using egress ifc Outside10G

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc4fecea0, priority=111, domain=permit, deny=true
    hits=216, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Outside10G, output_ifc=Outside10G

Result:
input-interface: Outside10G
input-status: up
input-line-status: up
output-interface: Outside10G
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# packet-tracer input Outside10G icmp 10.0.210.20 8$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 122.200.3.246 using egress ifc Outside10G

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0xffc4fecea0, priority=111, domain=permit, deny=true
    hits=217, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Outside10G, output_ifc=Outside10G

Result:
input-interface: Outside10G
input-status: up
input-line-status: up
output-interface: Outside10G
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# !--> Show vpn-session
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# sh vpn-sessiondb detail l2l filter ipaddress 117.$

Session Type: LAN-to-LAN Detailed

Connection   : 117.102.75.130
Index        : 140669                 IP Addr      : 117.102.75.130
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)3DES  IPsec: (5)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (5)SHA1
Bytes Tx     : 8965277                Bytes Rx     : 4106494
Login Time   : 15:10:11 WIB Wed Mar 27 2024
Duration     : 14h:04m:42s

IKEv1 Tunnels: 1
IPsec Tunnels: 5

IKEv1:
  Tunnel ID    : 140669.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 12800 Seconds          Rekey Left(T): 10119 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 140669.3
  Local Addr   : 122.200.12.34/255.255.255.255/0/0
  Remote Addr  : 10.8.0.0/255.255.0.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 5479 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 608100                 Bytes Rx     : 0
  Pkts Tx      : 10135                  Pkts Rx      : 0

IPsec:
  Tunnel ID    : 140669.14
  Local Addr   : 192.168.27.26/255.255.255.255/0/0
  Remote Addr  : 10.8.14.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28462 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes
  Bytes Tx     : 7728                   Bytes Rx     : 7728
  Pkts Tx      : 92                     Pkts Rx      : 92

IPsec:
  Tunnel ID    : 140669.15
  Local Addr   : 10.0.210.0/255.255.255.0/0/0
  Remote Addr  : 10.8.14.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28462 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 7756                   Bytes Rx     : 7728
  Pkts Tx      : 93                     Pkts Rx      : 92

IPsec:
  Tunnel ID    : 140669.16
  Local Addr   : 192.168.27.52/255.255.255.255/0/0
  Remote Addr  : 10.8.14.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28462 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes
  Bytes Tx     : 7756                   Bytes Rx     : 7728
  Pkts Tx      : 93                     Pkts Rx      : 92

IPsec:
  Tunnel ID    : 140669.17
  Local Addr   : 192.168.27.184/255.255.255.255/0/0
  Remote Addr  : 10.8.14.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28463 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes
  Bytes Tx     : 7728                   Bytes Rx     : 7728
  Pkts Tx      : 92                     Pkts Rx      : 92

TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# !--> Sh Crypto IPSEC
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# show crypto ipsec sa peer 117.102.75.130 detail
peer address: 117.102.75.130
    Crypto map tag: VPN-S2SAzure-Map, seq num: 140, local addr: 122.200.3.245

      access-list SBY-MX extended permit ip 10.0.210.0 255.255.255.0 10.8.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.0.210.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.8.14.0/255.255.255.0/0/0)
      current_peer: 117.102.75.130

      #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 93, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 32767
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 122.200.3.245/0, remote crypto endpt.: 117.102.75.130/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CC50137C
      current inbound spi : E80A2283

    inbound esp sas:
      spi: 0xE80A2283 (3892978307)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28446
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCC50137C (3427799932)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28445
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPN-S2SAzure-Map, seq num: 140, local addr: 122.200.3.245

      access-list SBY-MX extended permit ip host 122.200.12.34 10.8.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (122.200.12.34/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.8.0.0/255.255.0.0/0/0)
      current_peer: 117.102.75.130

      #pkts encaps: 10138, #pkts encrypt: 10138, #pkts digest: 10138
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10138, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 32767
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 122.200.3.245/0, remote crypto endpt.: 117.102.75.130/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CAC2284D
      current inbound spi : 16D4873F

    inbound esp sas:
      spi: 0x16D4873F (383027007)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 5462
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xCAC2284D (3401721933)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 5462
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPN-S2SAzure-Map, seq num: 140, local addr: 122.200.3.245

      access-list SBY-MX extended permit ip 192.168.27.0 255.255.255.0 10.8.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.27.26/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.8.14.0/255.255.255.0/0/0)
      current_peer: 117.102.75.130

      #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 92, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 32767
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 122.200.3.245/0, remote crypto endpt.: 117.102.75.130/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C77CC15F
      current inbound spi : 6F63259C

    inbound esp sas:
      spi: 0x6F63259C (1868768668)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28445
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC77CC15F (3346841951)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28444
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPN-S2SAzure-Map, seq num: 140, local addr: 122.200.3.245

      access-list SBY-MX extended permit ip 192.168.27.0 255.255.255.0 10.8.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.27.52/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.8.14.0/255.255.255.0/0/0)
      current_peer: 117.102.75.130

      #pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 93, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 32767
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 122.200.3.245/0, remote crypto endpt.: 117.102.75.130/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C26A806F
      current inbound spi : 9E748161

    inbound esp sas:
      spi: 0x9E748161 (2658435425)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28444
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC26A806F (3261759599)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28444
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VPN-S2SAzure-Map, seq num: 140, local addr: 122.200.3.245

      access-list SBY-MX extended permit ip 192.168.27.0 255.255.255.0 10.8.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.27.184/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.8.14.0/255.255.255.0/0/0)
      current_peer: 117.102.75.130

      #pkts encaps: 92, #pkts encrypt: 92, #pkts digest: 92
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 92, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 32767
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
      #pkts invalid len (send): 0, #pkts invalid len (rcv): 0
      #pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
      #pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
      #pkts failed (send): 0, #pkts failed (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 122.200.3.245/0, remote crypto endpt.: 117.102.75.130/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C26BA7E3
      current inbound spi : 10B3E2F7

    inbound esp sas:
      spi: 0x10B3E2F7 (280224503)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28445
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xC26BA7E3 (3261835235)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 140669, crypto-map: VPN-S2SAzure-Map
         sa timing: remaining key lifetime (sec): 28445
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet#
TNG-UPH-A-FW-08-01/Internet# exit

Logoff