https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4171966#M1075056 <P>Traffic was flowing through this tunnel but recently stopped. When doing a packet-trace on the outside interface using a valid IP from our customer, the following results, and I can't figure out why Phase: 6 denies the flow. Any thoughts? This tunnel is up, and I see bidirectional traffic on phase 2. Thank you.</P><P>&nbsp;</P><P>packet-tracer input outside tcp ##.138.220.70 2000 #.223.248.13 21 det</P><P>&nbsp;</P><P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static obj-172.16.11.10 obj-#.223.248.13 destination static CUSTOMER-VPN CUSTOMER-VPN<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate #.223.248.13/21 to 172.16.11.10/21</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE in interface outside<BR />access-list OUTSIDE extended permit ip object-group CUSTOMER-VPN host 172.16.11.10<BR />access-list OUTSIDE remark Permit restricted ICMP traffic<BR />object-group network CUSTOMER-VPN<BR />network-object 192.168.2.0 255.255.255.0<BR />...<BR />network-object host 192.168.107.24<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x78394aa8, priority=13, domain=permit, deny=false<BR />hits=3, user_data=0x70f79d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=##.138.220.70, mask=255.255.255.255, port=0, tag=0<BR />dst ip/id=172.16.11.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static obj-172.16.11.10 obj-#.223.248.13 destination static CUSTOMER-VPN CUSTOMER-VPN<BR />Additional Information:<BR />Static translate ##.138.220.70/2000 to ##.138.220.70/2000<BR />Forward Flow based lookup yields rule:<BR />in id=0x774a6fb8, priority=6, domain=nat, deny=false<BR />hits=65, user_data=0x75c87438, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=##.138.220.70, mask=255.255.255.255, port=0, tag=0<BR />dst ip/id=#.223.248.13, mask=255.255.255.255, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=inside</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x757732a8, priority=1, domain=nat-per-session, deny=true<BR />hits=5344794649, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7582a7d0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=4256517931, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 6<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: DROP<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x79902f80, priority=70, domain=ipsec-tunnel-flow, deny=false<BR />hits=699, user_data=0x27e77104, cs_id=0x7da6de88, reverse, flags=0x0, protocol=0<BR />src ip/id=##.138.220.70, mask=255.255.255.255, port=0, tag=0<BR />dst ip/id=#.223.248.0, mask=255.255.255.128, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Result:<BR />input-interface: OUTSIDE<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>ASA5520-A(config)#</P> Thu, 22 Oct 2020 17:06:02 GMT ABaker94985 2020-10-22T17:06:02Z https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4171966#M1075056 <P>Traffic was flowing through this tunnel but recently stopped. When doing a packet-trace on the outside interface using a valid IP from our customer, the following results, and I can't figure out why Phase: 6 denies the flow. Any thoughts? This tunnel is up, and I see bidirectional traffic on phase 2. Thank you.</P><P>&nbsp;</P><P>packet-tracer input outside tcp ##.138.220.70 2000 #.223.248.13 21 det</P><P>&nbsp;</P><P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static obj-172.16.11.10 obj-#.223.248.13 destination static CUSTOMER-VPN CUSTOMER-VPN<BR />Additional Information:<BR />NAT divert to egress interface inside<BR />Untranslate #.223.248.13/21 to 172.16.11.10/21</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE in interface outside<BR />access-list OUTSIDE extended permit ip object-group CUSTOMER-VPN host 172.16.11.10<BR />access-list OUTSIDE remark Permit restricted ICMP traffic<BR />object-group network CUSTOMER-VPN<BR />network-object 192.168.2.0 255.255.255.0<BR />...<BR />network-object host 192.168.107.24<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x78394aa8, priority=13, domain=permit, deny=false<BR />hits=3, user_data=0x70f79d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=##.138.220.70, mask=255.255.255.255, port=0, tag=0<BR />dst ip/id=172.16.11.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (inside,outside) source static obj-172.16.11.10 obj-#.223.248.13 destination static CUSTOMER-VPN CUSTOMER-VPN<BR />Additional Information:<BR />Static translate ##.138.220.70/2000 to ##.138.220.70/2000<BR />Forward Flow based lookup yields rule:<BR />in id=0x774a6fb8, priority=6, domain=nat, deny=false<BR />hits=65, user_data=0x75c87438, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=##.138.220.70, mask=255.255.255.255, port=0, tag=0<BR />dst ip/id=#.223.248.13, mask=255.255.255.255, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=inside</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x757732a8, priority=1, domain=nat-per-session, deny=true<BR />hits=5344794649, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x7582a7d0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=4256517931, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 6<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: DROP<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x79902f80, priority=70, domain=ipsec-tunnel-flow, deny=false<BR />hits=699, user_data=0x27e77104, cs_id=0x7da6de88, reverse, flags=0x0, protocol=0<BR />src ip/id=##.138.220.70, mask=255.255.255.255, port=0, tag=0<BR />dst ip/id=#.223.248.0, mask=255.255.255.128, port=0, tag=0, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Result:<BR />input-interface: OUTSIDE<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>ASA5520-A(config)#</P> Thu, 22 Oct 2020 17:06:02 GMT https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4171966#M1075056 ABaker94985 2020-10-22T17:06:02Z https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4172033#M1075061 <P>Inside have by default permit any any<BR />but if you config any ACL on inside interface then this ACL will end with deny any any<BR />so please change the ACL with add permit traffic through the tunnel.&nbsp;</P> Thu, 22 Oct 2020 18:16:30 GMT https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4172033#M1075061 MHM Cisco World 2020-10-22T18:16:30Z https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4172055#M1075062 <P>Thanks for the response, but there is an ACL on the inside, which ends with "permit ip any any." I figured out the source of the problem, but I'm not sure why the configuration is incorrect. I did a packet-trace (<SPAN>packet-tracer input outside tcp ##.138.220.70 2000 172.16.11.10 21 det) where I&nbsp;&nbsp;</SPAN>accidentally changed the destination from the public address to the private address, and the packet-trace finished successfully . I need to figure out why NATing isn't working.&nbsp;</P> Thu, 22 Oct 2020 18:53:29 GMT https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4172055#M1075062 ABaker94985 2020-10-22T18:53:29Z https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4172056#M1075063 <P>I might add that when I do the packet-trace from the inside to the remote end of the VPN tunnel, there is a phase where 172.16.11.10 is translater to&nbsp;<SPAN>#.223.248.13.&nbsp;</SPAN></P> Thu, 22 Oct 2020 18:57:19 GMT https://community.cisco.com/t5/network-security/problem-with-traffic-through-ipsec-site-to-site-tunnel/m-p/4172056#M1075063 ABaker94985 2020-10-22T18:57:19Z