https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931255#M1104684 <P>Do you have any internal dns server ?</P> Thu, 28 Sep 2023 20:59:16 GMT MHM Cisco World 2023-09-28T20:59:16Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4930942#M1104653 <P>I am having issues with my ASA not transferring traffic from VPN subnet to internal subnet. VPN is 10.1.1.0/24 subnet and internal is 172.16.10.0/24 subnet.&nbsp;</P> <P>: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)<BR />:<BR />ASA Version 9.9(2)61<BR />!<BR />hostname ciscoasa<BR />enable password xxx xxx<BR />names</P> <P>!<BR />interface GigabitEthernet1/1<BR />nameif outside<BR />security-level 0<BR />ip address dhcp setroute<BR />!<BR />interface GigabitEthernet1/2<BR />bridge-group 1<BR />nameif inside_1<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/3<BR />bridge-group 1<BR />nameif inside_2<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/4<BR />bridge-group 1<BR />nameif inside_3<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/5<BR />bridge-group 1<BR />nameif inside_4<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/6<BR />bridge-group 1<BR />nameif inside_5<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/7<BR />bridge-group 1<BR />nameif inside_6<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/8<BR />bridge-group 1<BR />nameif inside_7<BR />security-level 100<BR />!<BR />interface Management1/1<BR />management-only<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface BVI1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />object network obj_any1<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any2<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any3<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any4<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any5<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any6<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any7<BR />subnet 0.0.0.0 0.0.0.0<BR />pager lines 24<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside_1 1500<BR />mtu inside_2 1500<BR />mtu inside_3 1500<BR />mtu inside_4 1500<BR />mtu inside_5 1500<BR />mtu inside_6 1500<BR />mtu inside_7 1500<BR />no failover<BR />no monitor-interface inside<BR />no monitor-interface service-module<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />arp rate-limit 16384<BR />!<BR />object network obj_any1<BR />nat (inside_1,outside) dynamic interface<BR />object network obj_any2<BR />nat (inside_2,outside) dynamic interface<BR />object network obj_any3<BR />nat (inside_3,outside) dynamic interface<BR />object network obj_any4<BR />nat (inside_4,outside) dynamic interface<BR />object network obj_any5<BR />nat (inside_5,outside) dynamic interface<BR />object network obj_any6<BR />nat (inside_6,outside) dynamic interface<BR />object network obj_any7<BR />nat (inside_7,outside) dynamic interface<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />timeout conn-holddown 0:00:15<BR />timeout igp stale-route 0:01:10<BR />user-identity default-domain LOCAL<BR />aaa authentication login-history<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside_1<BR />http 192.168.1.0 255.255.255.0 inside_2<BR />http 192.168.1.0 255.255.255.0 inside_3<BR />http 192.168.1.0 255.255.255.0 inside_4<BR />http 192.168.1.0 255.255.255.0 inside_5<BR />http 192.168.1.0 255.255.255.0 inside_6<BR />http 192.168.1.0 255.255.255.0 inside_7<BR />no snmp-server location<BR />no snmp-server contact<BR />service sw-reset-button<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto ca trustpool policy<BR />telnet timeout 5<BR />ssh stricthostkeycheck<BR />ssh timeout 5<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0</P> <P>dhcpd auto_config outside<BR />!<BR />dhcpd address 192.168.1.5-192.168.1.254 inside<BR />dhcpd enable inside<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />dynamic-access-policy-record DfltAccessPolicy<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />no tcp-inspection<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />Cryptochecksum:8d4178d35b9e92dae51bd1cbacee04e4<BR />: end</P> <P>&nbsp;</P> Thu, 28 Sep 2023 17:11:36 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4930942#M1104653 bpierce1046 2023-09-28T17:11:36Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931142#M1104663 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1602915">@bpierce1046</a> is that your full configuration?....it does not have any VPN configuration.</P> <P>You'll probably need a NAT exemption rule to ensure the traffic between the networks is not unintentially translated, example:-</P> <PRE>nat (inside,outside) source static LAN-NET LAN-NET destination static VPN-NET VPN-NET</PRE> <P>Create an object LAN-NET to reflect your internal network and another object VPN-NET to reflect the VPN network and then just replace "inside" with your actually internal interface name.</P> Thu, 28 Sep 2023 17:33:01 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931142#M1104663 Rob Ingram 2023-09-28T17:33:01Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931144#M1104664 <P>This not complete config share vpn config.&nbsp;</P> Thu, 28 Sep 2023 17:38:15 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931144#M1104664 MHM Cisco World 2023-09-28T17:38:15Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931178#M1104670 <P>actual config.&nbsp;</P> <P>&nbsp;</P> <P><BR />:<BR />ASA Version 9.9(2)61<BR />!<BR />hostname ciscoasa<BR />enable password X.X.X<BR />names<BR />ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0</P> <P>!<BR />interface GigabitEthernet1/1<BR />nameif outside<BR />security-level 0<BR />ip address 10.10.20.33 255.255.0.0<BR />!<BR />interface GigabitEthernet1/2<BR />nameif INSIDE-1<BR />security-level 100<BR />ip address 172.16.10.1 255.255.255.0<BR />!<BR />interface GigabitEthernet1/3<BR />bridge-group 1<BR />nameif inside_2<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/4<BR />bridge-group 1<BR />nameif inside_3<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/5<BR />bridge-group 1<BR />nameif inside_4<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/6<BR />bridge-group 1<BR />nameif inside_5<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/7<BR />bridge-group 1<BR />nameif inside_6<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/8<BR />bridge-group 1<BR />nameif inside_7<BR />security-level 100<BR />!<BR />interface Management1/1<BR />management-only<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface BVI1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />object network obj_any1<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any2<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any3<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any4<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any5<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any6<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any7<BR />subnet 0.0.0.0 0.0.0.0<BR />object network anyconnect-subnet<BR />subnet 10.1.1.0 255.255.255.0<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />pager lines 24<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu INSIDE-1 1500<BR />mtu inside_2 1500<BR />mtu inside_3 1500<BR />mtu inside_4 1500<BR />mtu inside_5 1500<BR />mtu inside_6 1500<BR />mtu inside_7 1500<BR />no failover<BR />no monitor-interface inside<BR />no monitor-interface service-module<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />arp rate-limit 16384<BR />!<BR />object network obj_any2<BR />nat (inside_2,outside) dynamic interface<BR />object network obj_any3<BR />nat (inside_3,outside) dynamic interface<BR />object network obj_any4<BR />nat (inside_4,outside) dynamic interface<BR />object network obj_any5<BR />nat (inside_5,outside) dynamic interface<BR />object network obj_any6<BR />nat (inside_6,outside) dynamic interface<BR />object network obj_any7<BR />nat (inside_7,outside) dynamic interface<BR />object network anyconnect-subnet<BR />nat (outside,outside) dynamic interface<BR />access-group OUTSIDE_to_IN in interface outside<BR />route outside 0.0.0.0 0.0.0.0 10.10.0.1 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />timeout conn-holddown 0:00:15<BR />timeout igp stale-route 0:01:10<BR />user-identity default-domain LOCAL<BR />aaa authentication ssh console LOCAL<BR />aaa authorization exec LOCAL<BR />aaa authentication login-history<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside_2<BR />http 192.168.1.0 255.255.255.0 inside_3<BR />http 192.168.1.0 255.255.255.0 inside_4<BR />http 192.168.1.0 255.255.255.0 inside_5<BR />http 192.168.1.0 255.255.255.0 inside_6<BR />http 192.168.1.0 255.255.255.0 inside_7<BR />no snmp-server location<BR />no snmp-server contact<BR />service sw-reset-button<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto ca trustpool policy<BR />telnet timeout 5<BR />ssh stricthostkeycheck<BR />ssh timeout 5<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0</P> <P>dhcpd auto_config outside<BR />!<BR />dhcpd address 192.168.1.5-192.168.1.254 inside<BR />dhcpd enable inside<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />webvpn<BR />enable outside<BR />anyconnect image disk0:/anyconnect-linux64-4.10.05095-webdeploy-k9.pkg 1<BR />anyconnect enable<BR />tunnel-group-list enable<BR />cache<BR />disable<BR />error-recovery disable<BR />group-policy ANYCONNECT-GROUP-POLICY internal<BR />group-policy ANYCONNECT-GROUP-POLICY attributes<BR />dns-server value 8.8.8.8<BR />vpn-tunnel-protocol ssl-client<BR />default-domain value packet.lan<BR />dynamic-access-policy-record DfltAccessPolicy<BR />username user1 password X.X.X<BR />username user1 attributes<BR />service-type remote-access<BR />tunnel-group ANYCONNECT-TUNNEL-GROUP type remote-access<BR />tunnel-group ANYCONNECT-TUNNEL-GROUP general-attributes<BR />address-pool anyconnect-subnet<BR />default-group-policy ANYCONNECT-GROUP-POLICY<BR />tunnel-group ANYCONNECT-TUNNEL-GROUP webvpn-attributes<BR />group-alias Packetswitch-VPN enable<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />no tcp-inspection<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />Cryptochecksum:a75562b09bc9aa9380f81583fb10044e<BR />: end</P> Fri, 29 Sep 2023 01:55:56 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931178#M1104670 bpierce1046 2023-09-29T01:55:56Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931183#M1104671 <P>Where is the config of anyconnect pool ?</P> <P>I see only object not pool' so I think the vpn not get IP</P> Thu, 28 Sep 2023 18:40:17 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931183#M1104671 MHM Cisco World 2023-09-28T18:40:17Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931194#M1104672 <P>When connected it seems to get an internal IP.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bpierce1046_0-1695927208843.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/198425iC78967B8FCDB3AEF/image-size/medium?v=v2&amp;px=400" role="button" title="bpierce1046_0-1695927208843.png" alt="bpierce1046_0-1695927208843.png" /></span></P><P>&nbsp;</P> Thu, 28 Sep 2023 18:53:57 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931194#M1104672 bpierce1046 2023-09-28T18:53:57Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931198#M1104673 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1602915">@bpierce1046</a> as stated in my previous message above, configure NAT exemption to ensure the traffic between the internal network and vpn pool is not unintentially translated by your other auto NAT rules.</P> <P>If that does not work, run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.</P> Thu, 28 Sep 2023 18:57:28 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931198#M1104673 Rob Ingram 2023-09-28T18:57:28Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931201#M1104674 <P><SPAN>I found the pool config&nbsp;</SPAN></P> <P><SPAN>ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0</SPAN></P> <P><SPAN>And your share I see the anyconnect get IP from pool that good&nbsp;</SPAN></P> <P>Other things I see is dyanimc policy&nbsp;</P> <P><SPAN>dynamic-access-policy-record DfltAccessPolicy !!!</SPAN></P> <P><SPAN>This why you use it ?</SPAN></P> Thu, 28 Sep 2023 19:03:11 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931201#M1104674 MHM Cisco World 2023-09-28T19:03:11Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931215#M1104675 <P>The packet tracer allows but you can see it doesn't from the VPN client. it allows http and https through.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bpierce1046_0-1695929546483.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/198426iEA0DC66DC5CB92D2/image-size/medium?v=v2&amp;px=400" role="button" title="bpierce1046_0-1695929546483.png" alt="bpierce1046_0-1695929546483.png" /></span></P><P>&nbsp;</P><P>ciscoasa(config)# packet-tracer input OUTSIDE tcp 10.1.1.6 80 172.16.10.10 80</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.10/80 to 172.16.10.10/80</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:</P><P>Phase: 4<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/80 to 10.1.1.6/80</P><P>Phase: 5<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 6<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:</P><P>Phase: 8<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 9<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 10<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 304, packet dispatched to next module</P><P>Phase: 11<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.10.10 using egress ifc INSIDE-1</P><P>Phase: 12<BR />Type: ADJACENCY-LOOKUP<BR />Subtype: next-hop and adjacency<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />adjacency Active<BR />next-hop mac address b827.eb3a.797f hits 2 reference 1</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INSIDE-1<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P><P>ciscoasa(config)# packet-tracer input OUTSIDE tcp 10.1.1.6 443 172.16.10.10 443</P><P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.10/443 to 172.16.10.10/443</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/443 to 10.1.1.6/443</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 6<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 8<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 9<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 311, packet dispatched to next module</P><P>Phase: 10<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.10.10 using egress ifc INSIDE-1</P><P>Phase: 11<BR />Type: ADJACENCY-LOOKUP<BR />Subtype: next-hop and adjacency<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />adjacency Active<BR />next-hop mac address b827.eb3a.797f hits 3 reference 1</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INSIDE-1<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P><P>&nbsp;</P> Thu, 28 Sep 2023 19:33:38 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931215#M1104675 bpierce1046 2023-09-28T19:33:38Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931220#M1104676 <P>Check below note</P> <P>You push&nbsp;<SPAN>dns-server value 8.8.8.8 to anyconnect and you use tunnel all this why thr http/https is not work in real.</SPAN></P> <P><SPAN>Use same packet tracer but instead use 8.8.8.8 as destiantion and check if it sucess or failed.</SPAN></P> <P><SPAN>I sure it fialed you need to push internal dns server to anyconnect or use U-turn nat for anyconnect to connect to google dns server&nbsp;</SPAN></P> Thu, 28 Sep 2023 19:42:11 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931220#M1104676 MHM Cisco World 2023-09-28T19:42:11Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931221#M1104677 <P>Also when i try ICMP i get a failed.</P><P><BR />Result:<BR />input-interface: INSIDE-1<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P> Thu, 28 Sep 2023 19:42:33 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931221#M1104677 bpierce1046 2023-09-28T19:42:33Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931227#M1104678 <P>Can I see icmp packet tracer detail&nbsp;</P> Thu, 28 Sep 2023 19:47:56 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931227#M1104678 MHM Cisco World 2023-09-28T19:47:56Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931232#M1104679 <P>ciscoasa# packet-tracer input INSIDE-1 icmp 172.16.10.9 8 0 10.1.1.6 detailed</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2bbb030, priority=1, domain=permit, deny=false<BR />hits=2, user_data=0x0, cs_id=0x0, l3_type=0x8<BR />src mac=0000.0000.0000, mask=0000.0000.0000<BR />dst mac=0000.0000.0000, mask=0100.0000.0000<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface outside<BR />Untranslate 10.1.1.6/0 to 10.1.1.6/0</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 172.16.10.9/0 to 172.16.10.9/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8ebd0, priority=6, domain=nat, deny=false<BR />hits=0, user_data=0x2aaac3bdd610, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=outside</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=565, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2f1b2d0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=46, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 6<BR />Type: INSPECT<BR />Subtype: np-inspect<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2f30b00, priority=66, domain=inspect-icmp-error, deny=false<BR />hits=3, user_data=0x2aaac2c10c40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1<BR />src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />out id=0x2aaab9b8d6b0, priority=6, domain=nat-reverse, deny=false<BR />hits=1, user_data=0x2aaac161f740, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=outside</P><P>Phase: 8<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 609, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_inspect_icmp<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P><P>Module information for reverse flow ...</P><P>Phase: 9<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface outside<BR />Untranslate 10.1.1.6/0 to 10.1.1.6/0</P><P>Phase: 10<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 172.16.10.9/0 to 172.16.10.9/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8ebd0, priority=6, domain=nat, deny=false<BR />hits=1, user_data=0x2aaac3bdd610, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=outside</P><P>Phase: 11<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=566, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 12<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2f1b2d0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=47, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 13<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.10.0.1 using egress ifc outside</P><P>Result:<BR />input-interface: INSIDE-1<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P> Thu, 28 Sep 2023 20:00:01 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931232#M1104679 bpierce1046 2023-09-28T20:00:01Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931236#M1104680 <P><SPAN>ciscoasa# packet-tracer input outside&nbsp; icmp 10.1.1.6 8 0&nbsp; 172.16.10.9 detailed</SPAN></P> <P><SPAN>Do this way&nbsp;</SPAN></P> Thu, 28 Sep 2023 20:11:01 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931236#M1104680 MHM Cisco World 2023-09-28T20:11:01Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931239#M1104681 <P><BR />ciscoasa# packet-tracer input outside icmp 10.1.1.6 8 0 172.16.10.9 detailed</P><P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.9/0 to 172.16.10.9/0</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b89a30, priority=13, domain=permit, deny=false<BR />hits=3, user_data=0x2aaabbe600c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/0 to 10.1.1.6/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8bd00, priority=6, domain=nat, deny=false<BR />hits=112, user_data=0x2aaac161f740, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=INSIDE-1</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=827, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2c2e8b0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=1829, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 6<BR />Type: INSPECT<BR />Subtype: np-inspect<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2c2e3c0, priority=66, domain=inspect-icmp-error, deny=false<BR />hits=7, user_data=0x2aaac2c2e070, cs_id=0x0, use_real_addr, flags=0x0, protocol=1<BR />src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />out id=0x2aaab9b8e4f0, priority=6, domain=nat-reverse, deny=false<BR />hits=113, user_data=0x2aaac3bdd610, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=INSIDE-1</P><P>Phase: 8<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 992, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_inspect_icmp<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P><P>Module information for reverse flow ...</P><P>Phase: 9<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.9/0 to 172.16.10.9/0</P><P>Phase: 10<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b89a30, priority=13, domain=permit, deny=false<BR />hits=4, user_data=0x2aaabbe600c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 11<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/0 to 10.1.1.6/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8bd00, priority=6, domain=nat, deny=false<BR />hits=113, user_data=0x2aaac161f740, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=INSIDE-1</P><P>Phase: 12<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=828, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 13<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2c2e8b0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=1830, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 14<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.10.9 using egress ifc INSIDE-1</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INSIDE-1<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P> Thu, 28 Sep 2023 20:13:17 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931239#M1104681 bpierce1046 2023-09-28T20:13:17Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931251#M1104682 <P><SPAN>ciscoasa# packet-tracer input outside icmp 10.1.1.6 8 0 <STRONG>172.16.10.10</STRONG> detailed</SPAN></P> <P><SPAN>No adj is appear if the asa dobt have arp entry for this IP' so change it to .10 and check.</SPAN></P> <P><SPAN>I am sure it will success but traffic to dns server will failed.</SPAN></P> <P><SPAN>Check to more more sure&nbsp;</SPAN></P> Thu, 28 Sep 2023 20:36:06 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931251#M1104682 MHM Cisco World 2023-09-28T20:36:06Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931254#M1104683 <P>that worked but it still doesn't work from the client.&nbsp;</P><P>Also, for the internal web-server at 172.16.10.10. Since it cant get to the dns server could that be why the packet is being dropped. That i need to do:</P><PRE>nat (inside,outside) source static 10.1.1.5 172.16.10.10 dns ! policy-map global_policy class inspection_default inspect dns</PRE> Thu, 28 Sep 2023 20:53:55 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931254#M1104683 bpierce1046 2023-09-28T20:53:55Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931255#M1104684 <P>Do you have any internal dns server ?</P> Thu, 28 Sep 2023 20:59:16 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931255#M1104684 MHM Cisco World 2023-09-28T20:59:16Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931291#M1104687 <P>I dont have an internal DNS.&nbsp;</P> Fri, 29 Sep 2023 00:10:47 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931291#M1104687 bpierce1046 2023-09-29T00:10:47Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931383#M1104690 <P>Can you access http server with IP not name ?</P> Fri, 29 Sep 2023 07:07:18 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931383#M1104690 MHM Cisco World 2023-09-29T07:07:18Z