https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409183#M1081080 <P>Like this:</P> <PRE>packet-tracer input &lt;interface name of your inside interface&gt; tcp &lt;source address of any inside host&gt; 1025 &lt;destination address of any remote host&gt; 80</PRE> <P>It doesn't matter if the destination host is listening on port 80 or not. Packet-tracer only creates a synthetic packet for processing into the ASA and displays the results of the packet processing.</P> Thu, 27 May 2021 04:41:47 GMT Marvin Rhoads 2021-05-27T04:41:47Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4408368#M1081042 <P>Hello,</P><P>&nbsp;</P><P>site to site tunnel is up on the firewall but the packet encap is showing 0.&nbsp;It looks like ASA is not sending any encrypted packet to the tunnel. Any suggestion?</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 May 2021 15:41:16 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4408368#M1081042 Poo17 2021-05-25T15:41:16Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4408374#M1081043 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/987519">@Poo17</a>&nbsp;</P> <P>It could potentially be the traffic is unintentially natted by an existing nat rule. Or a routing issue from the local switch.</P> <P>Run packet-tracer from the CLI and provide the output.</P> <P>Also provide your configuration and the output of "show nat detail".</P> Tue, 25 May 2021 15:52:41 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4408374#M1081043 Rob Ingram 2021-05-25T15:52:41Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4408399#M1081045 <P>Not sure what is the issue, can you show us exmaple config, if the traffic need to go to destination you need to be added in intresting traffic to allow in tunnel. this can be verified your config and ACL.</P> <P>&nbsp;</P> Tue, 25 May 2021 16:39:32 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4408399#M1081045 balaji.bandi 2021-05-25T16:39:32Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409155#M1081079 <P>How to run the packet tracer command?</P> Thu, 27 May 2021 02:53:29 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409155#M1081079 Poo17 2021-05-27T02:53:29Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409183#M1081080 <P>Like this:</P> <PRE>packet-tracer input &lt;interface name of your inside interface&gt; tcp &lt;source address of any inside host&gt; 1025 &lt;destination address of any remote host&gt; 80</PRE> <P>It doesn't matter if the destination host is listening on port 80 or not. Packet-tracer only creates a synthetic packet for processing into the ASA and displays the results of the packet processing.</P> Thu, 27 May 2021 04:41:47 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409183#M1081080 Marvin Rhoads 2021-05-27T04:41:47Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409209#M1081084 <P>Thank you, Marvin. This is what I got</P><P>&nbsp;</P><P>ASA# packet-tracer input inside tcp 1.1.1.1 1025 2.2.2.2 80</P><P>Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />in 0.0.0.0 0.0.0.0 via 12.X.X.X, outside</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: inside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P><P>&nbsp;</P> Thu, 27 May 2021 06:07:36 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409209#M1081084 Poo17 2021-05-27T06:07:36Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409238#M1081086 <P>Did you use a real inside and outside host address vs. the dummy "1.1.1.1" and "2.2.2.2" you indicated in your reply?</P> <P>If so, then you appear to have an access-list on the inside interface denying the incoming traffic.</P> Thu, 27 May 2021 06:45:57 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409238#M1081086 Marvin Rhoads 2021-05-27T06:45:57Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409240#M1081087 <P>Yes, I used the real IP address.</P> Thu, 27 May 2021 06:53:24 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409240#M1081087 Poo17 2021-05-27T06:53:24Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409355#M1081091 <P>So check your ACL (any ACL applied to the interface with "access-group" command in the running-config or appearing in ASDM under the inside interface).</P> Thu, 27 May 2021 10:06:58 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409355#M1081091 Marvin Rhoads 2021-05-27T10:06:58Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409638#M1081098 <P>ASA# sh run | i access-group<BR />access-group outside_access_in in interface outside<BR />access-group inside_access_in in interface inside</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 May 2021 17:11:52 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409638#M1081098 Poo17 2021-05-27T17:11:52Z https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409762#M1081102 <P>Need to check the access-list inside_access_in.</P> Thu, 27 May 2021 20:57:31 GMT https://community.cisco.com/t5/network-security/cisco-asa/m-p/4409762#M1081102 Marvin Rhoads 2021-05-27T20:57:31Z