<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ASA5505 Config Assistance in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040337#M1067331</link>
    <description>Yeah, you are right. Can you provide the output of "show crypto ipsec sa"&lt;BR /&gt;&lt;BR /&gt;Run this packet-tracer twice and provide the full output of the second.&lt;BR /&gt;"packet-tracer input inside icmp 192.168.23.24 8 0 63.236.240.138 detailed"</description>
    <pubDate>Wed, 04 Mar 2020 17:29:35 GMT</pubDate>
    <dc:creator>Rob Ingram</dc:creator>
    <dc:date>2020-03-04T17:29:35Z</dc:date>
    <item>
      <title>ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040314#M1067327</link>
      <description>&lt;P&gt;The organization I work for took over management of a network with ASA's which I have almost no experience with unfortunately.&amp;nbsp; What's also unfortunate is this host isn't covered by a SMARTnet contract (yet).&amp;nbsp; I'll boil the topology down to the two hosts where I believe the problem is, a 2911 and a 5505.&amp;nbsp; There is a VPN between these two hosts which they've been using for years.&amp;nbsp; All I'm trying to accomplish is sourcing a ping from a 2911 interface,&amp;nbsp;63.236.240.138 to a 5505 interface,&amp;nbsp;192.168.23.254 and eventually SSH to/from same.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I've attached the config of the 5505 and I can provide the 2911 config too but I think suspect the problem is on the 5505 side.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The first changes I made was adjusting the interesting traffic on both sides of the VPN.&amp;nbsp; Here is what I've added to the 5505:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138 &lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Both sides of the VPN look good after generating an ICMP echo from 63.236.240.138 to 192.168.23.254.&amp;nbsp; I see encaps on the 2911 and decaps on the 5505 however no encaps on the 5505 or decaps on the 2911.&amp;nbsp; At this point I believe the problem is firewall ruleset related so I made the below changes to allow this traffic but have little confidence aside from it didn't resolve the problem.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object-group protocol MY_SERVICES&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;protocol-object ip&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;protocol-object icmp&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object network KWD_NAT&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;host 63.236.240.138&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object-group network MY_PREFIXES&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;network-object object KWD_NAT&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;object network CLIENT_LAN&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;subnet 192.168.23.0 255.255.255.0&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;access-list FIBER_access_in extended permit object-group MY_SERVICES object-group MY_PREFIXES object CLIENT_LAN&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After some research I found these devices have a pretty handy tool to help isolate traffic drop issues so I executed the following with the drop specific section.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;packet-tracer input FIBER icmp 63.236.240.138 8 0 192.168.23.254 detailed&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Phase: 8&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;Type: VPN&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;Subtype: ipsec-tunnel-flow&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;Result: DROP&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;Config:&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;Additional Information:&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;Forward Flow based lookup yields rule:&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;in id=0xcce0a860, priority=70, domain=ipsec-tunnel-flow, deny=false&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; hits=3, user_data=0x8123c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; src ip/id=63.236.240.138, mask=255.255.255.255, icmp-type=0, tag=0&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; dst ip/id=192.168.23.0, mask=255.255.255.0, icmp-code=0, tag=0, dscp=0x0&lt;/STRONG&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; input_ifc=FIBER, output_ifc=any&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;After some additional reading I found some comments this tool isn't reliable when attempting to isolate VPN drops so I'm not sure if there is any value in the above.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I can't say with certainty but I'm suspicious of the ruleset.&amp;nbsp; I feel like the rule I created is wrong.&amp;nbsp; On other zone-based firewalls there would be a VPN zone with something like &lt;STRONG&gt;VPN_access_in&lt;/STRONG&gt; instead of &lt;STRONG&gt;FIBER_access_in&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'll take whatever help anyone can offer and can put me out of my misery.&amp;nbsp; I've spent so many hours researching this and I feel like it's a simple solution but I really don't like pulling over and asking for directions.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you in advance.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 16:55:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040314#M1067327</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-04T16:55:46Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040319#M1067328</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I imagine your outbound traffic is being natted, try adding a NAT exempt rule, e.g.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static KWD_NAT KWD_NAT&lt;/PRE&gt;&lt;P&gt;Ensure this rule is above your default NAT rule. If still a problem, please provide the output of "show nat detail"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 17:06:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040319#M1067328</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2020-03-04T17:06:45Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040330#M1067329</link>
      <description>&lt;P&gt;Doesn't the NAT below cover the same traffic your NAT does, this one is using a group object instead?&amp;nbsp; By the way, I've tried this with and without the no-proxy-arp.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;show nat detail output:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Manual NAT Policies (Section 1)&lt;BR /&gt;1 (inside) to (FIBER) source static ND_SERVER ND_SERVER destination static FIS_NETWORK FIS_NETWORK&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 0, untranslate_hits = 0&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Source - Origin: 192.168.23.1/32, Translated: 192.168.23.1/32&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Destination - Origin: 216.189.226.41/32, Translated: 216.189.226.41/32&lt;BR /&gt;2 (inside) to (FIBER) source static obj-192.168.23.0 obj-192.168.23.0 destination static DATA_CENTER DATA_CENTER&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 4514181, untranslate_hits = 4538069&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Source - Origin: 192.168.23.0/24, Translated: 192.168.23.0/24&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Destination - Origin: 10.160.0.0/12, Translated: 10.160.0.0/12&lt;BR /&gt;3 (inside) to (FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 9, untranslate_hits = 5913&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Source - Origin: 192.168.23.0/24, Translated: 192.168.23.0/24&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Destination - Origin: 63.236.240.138/32, Translated: 63.236.240.138/32&lt;BR /&gt;4 (inside) to (FIBER) source dynamic obj-192.168.23.0 interface&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 2276390, untranslate_hits = 545045&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Source - Origin: 192.168.23.0/24, Translated: 72.23.219.228/28&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;FWIW, the translate_hits increase with each new ICMP echo.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 17:23:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040330#M1067329</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-04T17:23:26Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040337#M1067331</link>
      <description>Yeah, you are right. Can you provide the output of "show crypto ipsec sa"&lt;BR /&gt;&lt;BR /&gt;Run this packet-tracer twice and provide the full output of the second.&lt;BR /&gt;"packet-tracer input inside icmp 192.168.23.24 8 0 63.236.240.138 detailed"</description>
      <pubDate>Wed, 04 Mar 2020 17:29:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040337#M1067331</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2020-03-04T17:29:35Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040344#M1067333</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;show crypto ipsec sa output:&lt;/P&gt;&lt;PRE&gt;interface: FIBER
    Crypto map tag: NDistricts2AMIS, seq num: 20, local addr: 72.23.219.228

      access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0 
      local ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.160.0.0/255.240.0.0/0/0)
      current_peer: 209.166.156.66


      #pkts encaps: 22019729, #pkts encrypt: 22019729, #pkts digest: 22019729
      #pkts decaps: 28933345, #pkts decrypt: 28933345, #pkts verify: 28933345
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 22019729, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.23.219.228/0, remote crypto endpt.: 209.166.156.66/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 4DDECC83
      current inbound spi : 9EB56910

    inbound esp sas:
      spi: 0x9EB56910 (2662689040)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4366344/1479)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x4DDECC83 (1306446979)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4368152/1479)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: NDistricts2AMIS, seq num: 20, local addr: 72.23.219.228

      access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138 
      local ident (addr/mask/prot): (192.168.23.0/255.255.255.0/1)
      remote ident (addr/mask/prot): (63.236.240.138/255.255.255.255/1)
      current_peer: 209.166.156.66


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4719, #pkts decrypt: 4719, #pkts verify: 4719
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.23.219.228/0, remote crypto endpt.: 209.166.156.66/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 16CDB35F
      current inbound spi : 89470D1A

    inbound esp sas:
      spi: 0x89470D1A (2303135002)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4373857/1823)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x16CDB35F (382579551)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: NDistricts2AMIS
         sa timing: remaining key lifetime (kB/sec): (4374000/1823)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;output of second packet-tracer:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
Additional Information:
NAT divert to egress interface FIBER
Untranslate 63.236.240.138/0 to 63.236.240.138/0

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
Additional Information:
Static translate 192.168.23.24/0 to 192.168.23.24/0
 Forward Flow based lookup yields rule:
 in  id=0xcc607d20, priority=6, domain=nat, deny=false
	hits=1, user_data=0xcc80feb0, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=192.168.23.0, mask=255.255.255.0, port=0, tag=0
	dst ip/id=63.236.240.138, mask=255.255.255.255, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=FIBER

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcb9f8778, priority=0, domain=nat-per-session, deny=true
	hits=1791170, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc06adf0, priority=0, domain=inspect-ip-options, deny=true
	hits=6868606, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any
              
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc4e6788, priority=70, domain=inspect-icmp, deny=false
	hits=72857, user_data=0xcc4e5cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc4edf30, priority=70, domain=inspect-icmp-error, deny=false
	hits=72857, user_data=0xcc4ed460, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
	src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbc92ee8, priority=0, domain=host-limit, deny=false
	hits=3434166, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcc078ec0, priority=70, domain=encrypt, deny=false
	hits=3, user_data=0xbdb1c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1
	src ip/id=192.168.23.0, mask=255.255.255.0, icmp-type=0, tag=0
	dst ip/id=63.236.240.138, mask=255.255.255.255, icmp-code=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=FIBER

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,FIBER) source static CLIENT_LAN CLIENT_LAN destination static MY_PREFIXES MY_PREFIXES no-proxy-arp
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xcc3f4c10, priority=6, domain=nat-reverse, deny=false
	hits=2, user_data=0xcc8ea478, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
	src ip/id=192.168.23.0, mask=255.255.255.0, port=0, tag=0
	dst ip/id=63.236.240.138, mask=255.255.255.255, port=0, tag=0, dscp=0x0
	input_ifc=inside, output_ifc=FIBER

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc6b1de0, priority=70, domain=ipsec-tunnel-flow, deny=false
	hits=3, user_data=0xc5a1c, cs_id=0xc84f4bd0, reverse, flags=0x0, protocol=1
	src ip/id=63.236.240.138, mask=255.255.255.255, icmp-type=0, tag=0
	dst ip/id=192.168.23.0, mask=255.255.255.0, icmp-code=0, tag=0, dscp=0x0
	input_ifc=FIBER, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcb9f8778, priority=0, domain=nat-per-session, deny=true
	hits=1791172, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc0c1570, priority=0, domain=inspect-ip-options, deny=true
	hits=6996850, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
	input_ifc=FIBER, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 6993445, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: FIBER
output-status: up
output-line-status: up
Action: allow&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 17:44:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040344#M1067333</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-04T17:44:35Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040351#M1067336</link>
      <description>&lt;P&gt;Apply this&lt;BR /&gt;&lt;BR /&gt;"no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What is the output of "show run all sysopt" - this would not be in your earlier output.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 18:05:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040351#M1067336</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2020-03-04T18:05:09Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040379#M1067341</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; How does your ASA route for&amp;nbsp;&lt;SPAN&gt;63.236.240.138 ?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Cristian Matei.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 18:47:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040379#M1067341</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-04T18:47:15Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040387#M1067343</link>
      <description>&lt;P&gt;The VPN_TRAFFIC_ENCRYPTED ACL is used by the NDistricts2AMIS crypto map.&amp;nbsp; Wont applying this remove the interesting traffic?&lt;/P&gt;&lt;PRE&gt;no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;/PRE&gt;&lt;P&gt;I applied it anyway, cleared out the ipsec sa and no joy but no ipsec sa afterwards either.&amp;nbsp; I've put this ACE back.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;show run all sysopt output:&lt;/P&gt;&lt;PRE&gt;no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp FIBER&lt;/PRE&gt;</description>
      <pubDate>Wed, 04 Mar 2020 19:05:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040387#M1067343</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-04T19:05:03Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040394#M1067344</link>
      <description>&lt;P&gt;This host only has a default route.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;route FIBER 0.0.0.0 0.0.0.0 72.23.219.225 1&lt;/PRE&gt;&lt;P&gt;I'm expecting the crypto map to encrypt traffic as it egresses the FIBER interface but this isn't happening based on the encap counter from the ipsec sa output.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;crypto map NDistricts2AMIS interface FIBER

rypto map NDistricts2AMIS 20 match address VPN_TRAFFIC_ENCRYPTED
crypto map NDistricts2AMIS 20 set pfs 
crypto map NDistricts2AMIS 20 set peer 209.166.156.66 
crypto map NDistricts2AMIS 20 set ikev1 transform-set MySecurityWithAES

access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0 
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip host 192.168.23.1 host 216.189.226.41 
&lt;STRONG&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;/STRONG&gt; 
access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138 &lt;/PRE&gt;&lt;P&gt;But the ACL hit counter is increasing.&lt;/P&gt;&lt;PRE&gt;access-list VPN_TRAFFIC_ENCRYPTED line 3 extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138 (hitcnt=&lt;/PRE&gt;&lt;P&gt;So I'm pretty comfortable with believing the traffic is making it to the ASA and an echo-reply was generated and hits the VPN_TRAFFIC_ENCRYPTED ACL but based on the encap counters it isn't getting encrypted even though it's hitting the ACL.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 19:19:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040394#M1067344</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-04T19:19:48Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040396#M1067345</link>
      <description>In your configuration you had 2 ACE, you don't need the first if you are permitting IP in the second.&lt;BR /&gt;&lt;BR /&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;BR /&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;BR /&gt;&lt;BR /&gt;Other than packet-tracer how are you generating traffic?</description>
      <pubDate>Wed, 04 Mar 2020 19:22:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040396#M1067345</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2020-03-04T19:22:07Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040407#M1067346</link>
      <description>&lt;P&gt;I removed that ACE and re-tested and I verified phase 2 did complete without it.&amp;nbsp; I don't know what I did last time but you're right, it isn't needed so I'm leaving it out.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm testing by generating icmp-echo's from 63.236.240.138.&lt;/P&gt;</description>
      <pubDate>Wed, 04 Mar 2020 19:35:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4040407#M1067346</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-04T19:35:29Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4041247#M1067422</link>
      <description>&lt;P&gt;Any additional thoughts?&lt;/P&gt;</description>
      <pubDate>Thu, 05 Mar 2020 20:40:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4041247#M1067422</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-05T20:40:36Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4046103#M1067793</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp;Post your entire ASA configuration and specify what IP traffic (which source/destination) you want to work and it's not working.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
      <pubDate>Sun, 15 Mar 2020 14:36:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4046103#M1067793</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-15T14:36:56Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4046608#M1067815</link>
      <description>&lt;P&gt;Thank you for responding Christian.&amp;nbsp; Attached should be the config file.&amp;nbsp; I'm trying to accomplish two things:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;Source icmp-echo from 63.236.240.138 to 192.168.23.254.&lt;/LI&gt;&lt;LI&gt;Source ssh from 63.236.240.138 to 192.168.23.254.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;I'm hoping accomplishing step 2 will be fairly obvious once I can understand why step 1 is failing.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Mar 2020 14:09:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4046608#M1067815</guid>
      <dc:creator>bed082571</dc:creator>
      <dc:date>2020-03-16T14:09:06Z</dc:date>
    </item>
    <item>
      <title>Re: ASA5505 Config Assistance</title>
      <link>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4048891#M1067957</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; You're trying to manage the ASA through a VPN tunnel, and not on the interface the VPN tunnel is terminated on, but on another one, the inside one; for this to work, you need to configure "management-access inside". Additionally, ensure the ACL used to define the encryption domain is in perfect sync between the ASA and Router, i've cleaned up the config:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;ASA:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 10.160.0.0 255.240.0.0&lt;BR /&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit ip host 192.168.23.1 host 216.189.226.41&lt;BR /&gt;no access-list VPN_TRAFFIC_ENCRYPTED extended permit icmp 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;BR /&gt;access-list VPN_TRAFFIC_ENCRYPTED extended permit ip 192.168.23.0 255.255.255.0 host 63.236.240.138&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;ROUTER:&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;access-list XXX &amp;nbsp;permit ip 10.160.0.0 255.240.0.0 &amp;nbsp;192.168.23.0 255.255.255.0&amp;nbsp;&lt;BR /&gt;access-list XXX &amp;nbsp;permit ip host 216.189.226.41 host 192.168.23.1 &amp;nbsp;&lt;BR /&gt;access-list XXX &amp;nbsp;permit ip host 63.236.240.138 192.168.23.0 255.255.255.0&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Cristian Matei.&lt;/P&gt;</description>
      <pubDate>Thu, 19 Mar 2020 19:46:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa5505-config-assistance/m-p/4048891#M1067957</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2020-03-19T19:46:06Z</dc:date>
    </item>
  </channel>
</rss>

