Drop-reason: (acl-drop) Flow is denied by configured rule

BAEK_1027 — Wed, 06 May 2020 00:45:17 GMT

Hi, I faced following NAT issue, Can anybody help me please. T_T

Diagram

UE(20.20.20.246~250/24) ---(remote access)--- (outside) VPN (AWS Interface: 20.20.20.1) --- Server(20.20.20.50)

1) UE <- Server ping test (20.20.20.50 -> 20.20.20.247): success

2) UE -> Server ping test (20.20.20.50 <- 20.20.20.247): failure // I think it is because of NAT

Result of the command: "capture CAP_TEMP_AWS buffer 2048 interface AWS match icmp host 20.20.20.247 any"
The command has been sent to the device

Result of the command: "capture LOG_DROP type asp-drop all match ip host 20.20.20.50 host 20.20.20.247"
The command has been sent to the device

Result of the command: "capture LOG_DROP type asp-drop all match ip host 20.20.20.247 host 20.20.20.50"
The command has been sent to the device

1) After ping from server(20.20.20.50) to UE(20.20.247)
Result of the command: "show capture CAP_TEMP_AWS"
6 packets captured
1: 10:38:22.143135 20.20.20.50 > 20.20.20.247: icmp: echo request
2: 10:38:22.181615 20.20.20.247 > 20.20.20.50: icmp: echo reply
3: 10:38:23.144691 20.20.20.50 > 20.20.20.247: icmp: echo request
4: 10:38:23.181585 20.20.20.247 > 20.20.20.50: icmp: echo reply
5: 10:38:24.145622 20.20.20.50 > 20.20.20.247: icmp: echo request
6: 10:38:24.181585 20.20.20.247 > 20.20.20.50: icmp: echo reply
6 packets shown

2) After ping from UE(20.20.20.247) to server(20.20.20.50)
Result of the command: "show capture CAP_TEMP_AWS" // There is no additional packet
6 packets captured
1: 10:38:22.143135 20.20.20.50 > 20.20.20.247: icmp: echo request
2: 10:38:22.181615 20.20.20.247 > 20.20.20.50: icmp: echo reply
3: 10:38:23.144691 20.20.20.50 > 20.20.20.247: icmp: echo request
4: 10:38:23.181585 20.20.20.247 > 20.20.20.50: icmp: echo reply
5: 10:38:24.145622 20.20.20.50 > 20.20.20.247: icmp: echo request
6: 10:38:24.181585 20.20.20.247 > 20.20.20.50: icmp: echo reply
6 packets shown

Result of the command: "show capture LOG_DROP"
3026 packets captured
1809: 10:38:28.076305 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
2133: 10:38:32.104212 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
2384: 10:38:36.131005 20.20.20.247 > 20.20.20.50: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "packet-tracer input outside icmp 20.20.20.247 1 1 20.20.20.50 detail"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2eac649a20, priority=1, domain=permit, deny=false
hits=7293661, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 20.20.20.50 using egress ifc AWS

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2eb4bd23a0, priority=13, domain=permit, deny=false
hits=12, user_data=0x7f2eb2f26b80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2ec0f43360, priority=0, domain=nat-per-session, deny=true
hits=404008, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2eac651cd0, priority=0, domain=inspect-ip-options, deny=true
hits=1312770, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2eb4bd5050, priority=79, domain=punt, deny=true
hits=160, user_data=0x7f2ec00ab520, cs_id=0x0, flags=0x0, protocol=0
src ip/id=20.20.20.247, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2eac83ad70, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1004, user_data=0x0, cs_id=0x7f2eac835010, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=20.20.20.50, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: AWS
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Result of the command: "show nat"

Manual NAT Policies (Section 1)
1 (any) to (outside) source dynamic any interface description SBC -> UE (20.20.20.X/24)
translate_hits = 294999, untranslate_hits = 24
2 (jiotrial) to (outside) source dynamic DM_INLINE_NETWORK_20 interface
translate_hits = 10614, untranslate_hits = 6
3 (AT_S8) to (AT_S8) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.246_31 NETWORK_OBJ_20.20.20.246_31 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
5 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.248_29 NETWORK_OBJ_20.20.20.248_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
6 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.240_28 NETWORK_OBJ_20.20.20.240_28 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
7 (outside) to (AWS) source static any any unidirectional no-proxy-arp
translate_hits = 11, untranslate_hits = 0

Manual NAT Policies (Section 3)
1 (AWS) to (outside) source static 192.168.2.0 192.168.2.0 destination static NETWORK_OBJ_192.168.2.40_29 NETWORK_OBJ_192.168.2.40_29 no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
2 (any) to (outside) source dynamic DM_INLINE_NETWORK_3 interface
translate_hits = 0, untranslate_hits = 0
3 (inside) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_25 NETWORK_OBJ_20.20.20.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
4 (jiotrial) to (outside) source static 165.213.198.0 165.213.198.0 destination static NETWORK_OBJ_165.213.0.0_24 NETWORK_OBJ_165.213.0.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.0_26 NETWORK_OBJ_20.20.20.0_26 no-proxy-arp route-lookup
translate_hits = 4, untranslate_hits = 0
6 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.224_29 NETWORK_OBJ_172.20.62.224_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
7 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.232_29 NETWORK_OBJ_172.20.62.232_29 no-proxy-arp route-lookup
translate_hits = 14, untranslate_hits = 84
8 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.160_27 NETWORK_OBJ_20.20.20.160_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
9 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.128_25 NETWORK_OBJ_20.20.20.128_25 no-proxy-arp route-lookup
translate_hits = 671, untranslate_hits = 0
10 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.4_30 NETWORK_OBJ_172.20.38.4_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
11 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.21.0_25 NETWORK_OBJ_20.20.21.0_25 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.32_28 NETWORK_OBJ_172.20.38.32_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.48_28 NETWORK_OBJ_172.20.38.48_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.220_30 NETWORK_OBJ_20.20.20.220_30 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.64_29 NETWORK_OBJ_172.20.38.64_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.230_31 NETWORK_OBJ_20.20.20.230_31 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_29 NETWORK_OBJ_20.20.22.0_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.22.0_28 NETWORK_OBJ_20.20.22.0_28 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
19 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.80_28 NETWORK_OBJ_172.20.38.80_28 no-proxy-arp route-lookup
translate_hits = 162, untranslate_hits = 102
20 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_20.20.20.224_27 NETWORK_OBJ_20.20.20.224_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
21 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.38.96_27 NETWORK_OBJ_172.20.38.96_27 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_172.20.62.240_29 NETWORK_OBJ_172.20.62.240_29 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (AT_S8) to (outside) source static any any destination static NETWORK_OBJ_165.213.107.0_24 NETWORK_OBJ_165.213.107.0_24 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Result of the command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_cryptomap; 21 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5 (hitcnt=0) 0xa638eabd
access-list outside_cryptomap line 1 extended permit ip host 165.213.107.43 10.0.0.0 255.255.0.0 (hitcnt=0) 0xd21ec08b
access-list outside_cryptomap line 1 extended permit ip host 165.213.107.43 192.168.0.0 255.255.0.0 (hitcnt=0) 0xcb2ef34d
access-list outside_cryptomap line 1 extended permit ip host 165.213.107.43 host 128.0.21.103 (hitcnt=0) 0x4323149d
access-list outside_cryptomap line 1 extended permit ip host 165.213.107.43 host 20.20.20.50 (hitcnt=0) 0xbe53ad75
access-list outside_cryptomap line 1 extended permit ip host 210.94.41.89 10.0.0.0 255.255.0.0 (hitcnt=0) 0x036ab0b4
access-list outside_cryptomap line 1 extended permit ip host 210.94.41.89 192.168.0.0 255.255.0.0 (hitcnt=0) 0x44e8d8ab
access-list outside_cryptomap line 1 extended permit ip host 210.94.41.89 host 128.0.21.103 (hitcnt=0) 0xc0e8760f
access-list outside_cryptomap line 1 extended permit ip host 210.94.41.89 host 20.20.20.50 (hitcnt=0) 0x91cec8ed
access-list outside_cryptomap line 1 extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0x21c77ccb
access-list outside_cryptomap line 1 extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xaaf64606
access-list outside_cryptomap line 1 extended permit ip 10.100.1.0 255.255.255.0 host 128.0.21.103 (hitcnt=0) 0x3bddfff2
access-list outside_cryptomap line 1 extended permit ip 10.100.1.0 255.255.255.0 host 20.20.20.50 (hitcnt=0) 0x547f896b
access-list outside_cryptomap line 1 extended permit ip host 172.20.62.251 10.0.0.0 255.255.0.0 (hitcnt=0) 0x619aa1a2
access-list outside_cryptomap line 1 extended permit ip host 172.20.62.251 192.168.0.0 255.255.0.0 (hitcnt=0) 0x9fbf13f2
access-list outside_cryptomap line 1 extended permit ip host 172.20.62.251 host 128.0.21.103 (hitcnt=0) 0x9d1b4948
access-list outside_cryptomap line 1 extended permit ip host 172.20.62.251 host 20.20.20.50 (hitcnt=0) 0xf42d2187
access-list outside_cryptomap line 1 extended permit ip 30.30.30.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0xc1503fa7
access-list outside_cryptomap line 1 extended permit ip 30.30.30.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x43949877
access-list outside_cryptomap line 1 extended permit ip 30.30.30.0 255.255.255.0 host 128.0.21.103 (hitcnt=0) 0xc0202747
access-list outside_cryptomap line 1 extended permit ip 30.30.30.0 255.255.255.0 host 20.20.20.50 (hitcnt=0) 0x55270ac8
access-list outside_cryptomap line 2 extended permit ip object 192.168.0.0 object 10.0.0.0 (hitcnt=0) 0x455f8358
access-list outside_cryptomap line 2 extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0x455f8358
access-list outside_cryptomap_4; 2 elements; name hash: 0x2ebb504c
access-list outside_cryptomap_4 line 1 extended permit ip object-group DM_INLINE_NETWORK_8 object 169.254.53.68 (hitcnt=0) 0x62cf5005
access-list outside_cryptomap_4 line 1 extended permit ip 167.1.1.0 255.255.255.0 169.254.53.68 255.255.255.252 (hitcnt=0) 0xb6a060e5
access-list outside_cryptomap_4 line 1 extended permit ip 20.1.0.0 255.255.0.0 169.254.53.68 255.255.255.252 (hitcnt=0) 0x10c018ed
access-list outside_cryptomap_2; 2 elements; name hash: 0x4e1c27f3
access-list outside_cryptomap_2 line 1 extended permit ip object-group DM_INLINE_NETWORK_7 object 169.254.53.68 (hitcnt=0) 0x46696a37
access-list outside_cryptomap_2 line 1 extended permit ip 167.1.1.0 255.255.255.0 169.254.53.68 255.255.255.252 (hitcnt=0) 0x6f973e24
access-list outside_cryptomap_2 line 1 extended permit ip 20.1.0.0 255.255.0.0 169.254.53.68 255.255.255.252 (hitcnt=0) 0xa784bed1
access-list outside_cryptomap_1; 2 elements; name hash: 0x759febfa
access-list outside_cryptomap_1 line 1 extended permit ip object-group DM_INLINE_NETWORK_7 object 169.254.53.68 (hitcnt=0) 0xd5c483e1
access-list outside_cryptomap_1 line 1 extended permit ip 167.1.1.0 255.255.255.0 169.254.53.68 255.255.255.252 (hitcnt=0) 0x43826643
access-list outside_cryptomap_1 line 1 extended permit ip 20.1.0.0 255.255.0.0 169.254.53.68 255.255.255.252 (hitcnt=0) 0x48fbd8a7
access-list outside_cryptomap_3; 1 elements; name hash: 0x4c48cff2
access-list outside_cryptomap_3 line 1 extended permit ip host 20.20.20.50 host 10.0.162.18 inactive (hitcnt=0) (inactive) 0xbd2eae97
access-list outside_cryptomap_6; 3 elements; name hash: 0xb54ddd69
access-list outside_cryptomap_6 line 1 extended permit ip object-group DM_INLINE_NETWORK_10 object 172.31.0.0 (hitcnt=0) 0x04b27d57
access-list outside_cryptomap_6 line 1 extended permit ip 167.1.1.0 255.255.255.0 172.31.0.0 255.255.0.0 (hitcnt=0) 0x425830c4
access-list outside_cryptomap_6 line 1 extended permit ip 20.1.0.0 255.255.0.0 172.31.0.0 255.255.0.0 (hitcnt=0) 0x9cb06717
access-list outside_cryptomap_6 line 1 extended permit ip 69.0.0.0 255.240.0.0 172.31.0.0 255.255.0.0 (hitcnt=0) 0x837066b0
access-list outside_cryptomap_5; 1 elements; name hash: 0x62334365
access-list outside_cryptomap_5 line 1 extended permit ip object 192.168.101.0 object 192.168.100.0 (hitcnt=0) 0xb0c6af26
access-list outside_cryptomap_5 line 1 extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0xb0c6af26
access-list outside_cryptomap_8; 1 elements; name hash: 0x1a88a6c3
access-list outside_cryptomap_8 line 1 extended permit ip object 192.168.101.0 object 192.168.100.0 (hitcnt=0) 0xeef289c0
access-list outside_cryptomap_8 line 1 extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0xeef289c0
access-list sbctest; 1 elements; name hash: 0x6cbc539b
access-list sbctest line 1 remark 20.20.20.0/24
access-list sbctest line 2 standard permit 20.20.20.0 255.255.255.0 (hitcnt=0) 0x9cabe75a
access-list AnyConnect_Client_Local_Print; 5 elements; name hash: 0xe76ce9d1
access-list AnyConnect_Client_Local_Print line 1 remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print line 2 extended permit tcp any4 any4 eq 631 (hitcnt=0) 0x0a055e45
access-list AnyConnect_Client_Local_Print line 3 remark Windows' printing port
access-list AnyConnect_Client_Local_Print line 4 extended permit tcp any4 any4 eq 9100 (hitcnt=0) 0x077d9659
access-list AnyConnect_Client_Local_Print line 5 remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print line 6 extended permit udp any4 host 224.0.0.251 eq 5353 (hitcnt=0) 0xaad2a11b
access-list AnyConnect_Client_Local_Print line 7 remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print line 8 extended permit udp any4 host 224.0.0.252 eq 5355 (hitcnt=0) 0xbf7a7137
access-list AnyConnect_Client_Local_Print line 9 remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print line 10 extended permit tcp any4 any4 eq 137 (hitcnt=0) 0xe657df61
access-list newsbctest1_splitTunnelAcl; 1 elements; name hash: 0xebab07c5
access-list newsbctest1_splitTunnelAcl line 1 standard permit 20.20.20.0 255.255.255.0 (hitcnt=0) 0x01c5679e
access-list vpntest; 1 elements; name hash: 0xfc34039
access-list vpntest line 1 standard permit 40.40.40.0 255.255.255.0 (hitcnt=0) 0x6ba46664
access-list outside_cryptomap_7; 1 elements; name hash: 0x28ab7e0f
access-list outside_cryptomap_7 line 1 extended permit ip host 20.20.20.50 host 10.0.3.106 inactive (hitcnt=0) (inactive) 0x5326a461
access-list outside_cryptomap_9; 6 elements; name hash: 0x3f5cf124
access-list outside_cryptomap_9 line 1 extended permit ip object-group DM_INLINE_NETWORK_19 object-group DM_INLINE_NETWORK_21 (hitcnt=0) 0xf0c373fb
access-list outside_cryptomap_9 line 1 extended permit ip 10.9.100.0 255.255.255.0 host 128.0.21.103 (hitcnt=0) 0x28c6f8e6
access-list outside_cryptomap_9 line 1 extended permit ip 10.9.100.0 255.255.255.0 30.30.30.0 255.255.255.0 (hitcnt=0) 0x0e1442a3
access-list outside_cryptomap_9 line 1 extended permit ip host 172.20.62.251 host 128.0.21.103 (hitcnt=0) 0x94cffa4e
access-list outside_cryptomap_9 line 1 extended permit ip host 172.20.62.251 30.30.30.0 255.255.255.0 (hitcnt=0) 0x89e29c32
access-list outside_cryptomap_9 line 1 extended permit ip host 20.20.20.50 host 128.0.21.103 (hitcnt=0) 0xa83a934b
access-list outside_cryptomap_9 line 1 extended permit ip host 20.20.20.50 30.30.30.0 255.255.255.0 (hitcnt=0) 0xf29bf108
access-list 20.20.21.0; 1 elements; name hash: 0x313d822b
access-list 20.20.21.0 line 1 standard permit 20.20.21.0 255.255.255.0 (hitcnt=0) 0xd5503239
access-list outside_cryptomap_10; 8 elements; name hash: 0x6894a404
access-list outside_cryptomap_10 line 1 extended permit ip object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_NETWORK_23 (hitcnt=8) 0x4b9eaed6
access-list outside_cryptomap_10 line 1 extended permit ip 172.20.22.0 255.255.255.0 143.143.1.0 255.255.255.0 (hitcnt=0) 0x6302e4fd
access-list outside_cryptomap_10 line 1 extended permit ip 172.20.22.0 255.255.255.0 10.254.201.0 255.255.255.240 (hitcnt=0) 0xe896d654
access-list outside_cryptomap_10 line 1 extended permit ip 172.20.42.0 255.255.255.0 143.143.1.0 255.255.255.0 (hitcnt=0) 0x5a6a6438
access-list outside_cryptomap_10 line 1 extended permit ip 172.20.42.0 255.255.255.0 10.254.201.0 255.255.255.240 (hitcnt=0) 0x23c6f878
access-list outside_cryptomap_10 line 1 extended permit ip 172.21.21.0 255.255.255.0 143.143.1.0 255.255.255.0 (hitcnt=0) 0x740eb88f
access-list outside_cryptomap_10 line 1 extended permit ip 172.21.21.0 255.255.255.0 10.254.201.0 255.255.255.240 (hitcnt=0) 0xdd1bdad1
access-list outside_cryptomap_10 line 1 extended permit ip host 172.22.20.249 143.143.1.0 255.255.255.0 (hitcnt=0) 0xaa94594b
access-list outside_cryptomap_10 line 1 extended permit ip host 172.22.20.249 10.254.201.0 255.255.255.240 (hitcnt=19) 0xeba2718e
access-list outside_cryptomap_11; 1 elements; name hash: 0xcf96c0a0
access-list outside_cryptomap_11 line 1 extended permit ip 172.20.0.0 255.254.0.0 172.56.0.0 255.255.0.0 (hitcnt=0) 0x6c7ad46e
access-list outside_cryptomap_14; 2 elements; name hash: 0x78ba6ba7
access-list outside_cryptomap_14 line 1 extended permit ip 172.20.0.0 255.254.0.0 object-group DM_INLINE_NETWORK_15 (hitcnt=0) 0x424a9dc3
access-list outside_cryptomap_14 line 1 extended permit ip 172.20.0.0 255.254.0.0 172.18.248.0 255.255.248.0 (hitcnt=0) 0xb8b2cb56
access-list outside_cryptomap_14 line 1 extended permit ip 172.20.0.0 255.254.0.0 172.16.240.0 255.255.248.0 (hitcnt=0) 0x11444beb
access-list outside_cryptomap_13; 1 elements; name hash: 0x51ff34f0
access-list outside_cryptomap_13 line 1 extended permit ip 172.20.0.0 255.254.0.0 object Azure (hitcnt=0) 0x097144b0
access-list outside_cryptomap_13 line 1 extended permit ip 172.20.0.0 255.254.0.0 172.66.0.0 255.255.0.0 (hitcnt=0) 0x097144b0
access-list K8s; 1 elements; name hash: 0xa377940
access-list K8s line 1 standard permit 172.0.0.0 255.0.0.0 (hitcnt=0) 0x9eec7da5
access-list outside_cryptomap_12; 2 elements; name hash: 0x47912f51
access-list outside_cryptomap_12 line 1 extended permit ip 172.20.0.0 255.254.0.0 object-group DM_INLINE_NETWORK_14 (hitcnt=0) 0x3719d3bc
access-list outside_cryptomap_12 line 1 extended permit ip 172.20.0.0 255.254.0.0 172.18.248.0 255.255.248.0 (hitcnt=0) 0x70e5fb87
access-list outside_cryptomap_12 line 1 extended permit ip 172.20.0.0 255.254.0.0 172.16.240.0 255.255.248.0 (hitcnt=0) 0x7547e5ad
access-list dish; 1 elements; name hash: 0x1592f1fc
access-list dish line 1 standard permit 33.33.33.0 255.255.255.248 (hitcnt=0) 0x8dc38a4a
access-list outside_cryptomap_15; 2 elements; name hash: 0xb4221495
access-list outside_cryptomap_15 line 1 extended permit ip host 20.20.20.50 object ntels_remote_for_DC4 inactive (hitcnt=90) (inactive) 0x8d14b8af
access-list outside_cryptomap_15 line 1 extended permit ip host 20.20.20.50 192.168.5.0 255.255.255.0 inactive (hitcnt=90) (inactive) 0x8d14b8af
access-list outside_cryptomap_15 line 2 extended permit ip host 20.20.20.50 any (hitcnt=1794) 0x4f71c689
access-list AWS_access_in; 1 elements; name hash: 0xa6773d23
access-list AWS_access_in line 1 extended permit ip any any (hitcnt=1495) 0xcb3ff2f4
access-list for6f_DNS; 2 elements; name hash: 0x60dc62ab
access-list for6f_DNS line 1 remark 6F DNS-200409_by_baek
access-list for6f_DNS line 2 standard permit host 172.20.53.102 (hitcnt=0) 0xa95254b9
access-list for6f_DNS line 3 remark for 6F IPv4 ___200409___by baek
access-list for6f_DNS line 4 standard permit 172.20.62.0 255.255.255.0 (hitcnt=0) 0x218ef309
access-list outside_cryptomap_18; 1 elements; name hash: 0x7ee77a76
access-list outside_cryptomap_18 line 1 extended permit ip host 20.20.20.50 host 10.10.0.214 inactive (hitcnt=0) (inactive) 0x8c22d9ed
access-list outside_cryptomap_17; 2 elements; name hash: 0x148be230
access-list outside_cryptomap_17 line 1 extended permit ip host 172.22.33.138 object-group DM_INLINE_NETWORK_22 (hitcnt=36) 0x07ed451f
access-list outside_cryptomap_17 line 1 extended permit ip host 172.22.33.138 172.19.101.0 255.255.255.0 (hitcnt=36) 0xd8b78b96
access-list outside_cryptomap_17 line 1 extended permit ip host 172.22.33.138 172.19.102.0 255.255.255.0 (hitcnt=0) 0xd89afac7
access-list AWS_access_out; 1 elements; name hash: 0x4f417780
access-list AWS_access_out line 1 extended permit ip any any (hitcnt=0) 0x687bfb44
access-list AWS_access_out_1; 1 elements; name hash: 0x64b867f
access-list AWS_access_out_1 line 1 extended permit ip any any (hitcnt=22026) 0xee2057b8
access-list outside_access_in_1; 2 elements; name hash: 0x202ecf4e
access-list outside_access_in_1 line 1 extended permit object-group DM_INLINE_PROTOCOL_1 any any (hitcnt=13) 0xe9116bce
access-list outside_access_in_1 line 1 extended permit ip any any (hitcnt=13) 0xee5759b0
access-list outside_access_in_1 line 1 extended permit icmp any any (hitcnt=0) 0xafc18e84
access-list outside_access_out_1; 1 elements; name hash: 0x1e937888
access-list outside_access_out_1 line 1 extended permit ip any any (hitcnt=43518) 0x1ae2e01f

[root@N ~]# arp // arp table in SERVER
Address HWtype HWaddress Flags Mask Iface
20.20.20.247 ether 00:78:88:05:51:5b C mrx0
10.251.212.1 ether 00:00:5e:00:01:04 C eth9
20.20.20.1 ether 00:78:88:05:51:5b C mrx0
128.0.21.101 ether 00:c1:64:84:b8:7d C mrx2
[root@N ~]#

topic Drop-reason: (acl-drop) Flow is denied by configured rule in Network Security

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Drop-reason: (acl-drop) Flow is denied by configured rule