https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931705#M1104710 <P>did you add the inspect icmp command to the global policy-map?</P> <P>Based on the capture output, the issue looks to be between the ASA and the server.</P> <P>Have you verified the default gateway on the server? is the server using the ASA as the default gateway or is it using another device as default gateway? If it is using another switch or router as a default gateway is routing to the 10.1.1.0/24 network correctly configured on that device?</P> Fri, 29 Sep 2023 17:12:26 GMT Marius Gunnerud 2023-09-29T17:12:26Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4930942#M1104653 <P>I am having issues with my ASA not transferring traffic from VPN subnet to internal subnet. VPN is 10.1.1.0/24 subnet and internal is 172.16.10.0/24 subnet.&nbsp;</P> <P>: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)<BR />:<BR />ASA Version 9.9(2)61<BR />!<BR />hostname ciscoasa<BR />enable password xxx xxx<BR />names</P> <P>!<BR />interface GigabitEthernet1/1<BR />nameif outside<BR />security-level 0<BR />ip address dhcp setroute<BR />!<BR />interface GigabitEthernet1/2<BR />bridge-group 1<BR />nameif inside_1<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/3<BR />bridge-group 1<BR />nameif inside_2<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/4<BR />bridge-group 1<BR />nameif inside_3<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/5<BR />bridge-group 1<BR />nameif inside_4<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/6<BR />bridge-group 1<BR />nameif inside_5<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/7<BR />bridge-group 1<BR />nameif inside_6<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/8<BR />bridge-group 1<BR />nameif inside_7<BR />security-level 100<BR />!<BR />interface Management1/1<BR />management-only<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface BVI1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />object network obj_any1<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any2<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any3<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any4<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any5<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any6<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any7<BR />subnet 0.0.0.0 0.0.0.0<BR />pager lines 24<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu inside_1 1500<BR />mtu inside_2 1500<BR />mtu inside_3 1500<BR />mtu inside_4 1500<BR />mtu inside_5 1500<BR />mtu inside_6 1500<BR />mtu inside_7 1500<BR />no failover<BR />no monitor-interface inside<BR />no monitor-interface service-module<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />arp rate-limit 16384<BR />!<BR />object network obj_any1<BR />nat (inside_1,outside) dynamic interface<BR />object network obj_any2<BR />nat (inside_2,outside) dynamic interface<BR />object network obj_any3<BR />nat (inside_3,outside) dynamic interface<BR />object network obj_any4<BR />nat (inside_4,outside) dynamic interface<BR />object network obj_any5<BR />nat (inside_5,outside) dynamic interface<BR />object network obj_any6<BR />nat (inside_6,outside) dynamic interface<BR />object network obj_any7<BR />nat (inside_7,outside) dynamic interface<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />timeout conn-holddown 0:00:15<BR />timeout igp stale-route 0:01:10<BR />user-identity default-domain LOCAL<BR />aaa authentication login-history<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside_1<BR />http 192.168.1.0 255.255.255.0 inside_2<BR />http 192.168.1.0 255.255.255.0 inside_3<BR />http 192.168.1.0 255.255.255.0 inside_4<BR />http 192.168.1.0 255.255.255.0 inside_5<BR />http 192.168.1.0 255.255.255.0 inside_6<BR />http 192.168.1.0 255.255.255.0 inside_7<BR />no snmp-server location<BR />no snmp-server contact<BR />service sw-reset-button<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto ca trustpool policy<BR />telnet timeout 5<BR />ssh stricthostkeycheck<BR />ssh timeout 5<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0</P> <P>dhcpd auto_config outside<BR />!<BR />dhcpd address 192.168.1.5-192.168.1.254 inside<BR />dhcpd enable inside<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />dynamic-access-policy-record DfltAccessPolicy<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />no tcp-inspection<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />Cryptochecksum:8d4178d35b9e92dae51bd1cbacee04e4<BR />: end</P> <P>&nbsp;</P> Thu, 28 Sep 2023 17:11:36 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4930942#M1104653 bpierce1046 2023-09-28T17:11:36Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931142#M1104663 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1602915">@bpierce1046</a> is that your full configuration?....it does not have any VPN configuration.</P> <P>You'll probably need a NAT exemption rule to ensure the traffic between the networks is not unintentially translated, example:-</P> <PRE>nat (inside,outside) source static LAN-NET LAN-NET destination static VPN-NET VPN-NET</PRE> <P>Create an object LAN-NET to reflect your internal network and another object VPN-NET to reflect the VPN network and then just replace "inside" with your actually internal interface name.</P> Thu, 28 Sep 2023 17:33:01 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931142#M1104663 Rob Ingram 2023-09-28T17:33:01Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931144#M1104664 <P>This not complete config share vpn config.&nbsp;</P> Thu, 28 Sep 2023 17:38:15 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931144#M1104664 MHM Cisco World 2023-09-28T17:38:15Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931178#M1104670 <P>actual config.&nbsp;</P> <P>&nbsp;</P> <P><BR />:<BR />ASA Version 9.9(2)61<BR />!<BR />hostname ciscoasa<BR />enable password X.X.X<BR />names<BR />ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0</P> <P>!<BR />interface GigabitEthernet1/1<BR />nameif outside<BR />security-level 0<BR />ip address 10.10.20.33 255.255.0.0<BR />!<BR />interface GigabitEthernet1/2<BR />nameif INSIDE-1<BR />security-level 100<BR />ip address 172.16.10.1 255.255.255.0<BR />!<BR />interface GigabitEthernet1/3<BR />bridge-group 1<BR />nameif inside_2<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/4<BR />bridge-group 1<BR />nameif inside_3<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/5<BR />bridge-group 1<BR />nameif inside_4<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/6<BR />bridge-group 1<BR />nameif inside_5<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/7<BR />bridge-group 1<BR />nameif inside_6<BR />security-level 100<BR />!<BR />interface GigabitEthernet1/8<BR />bridge-group 1<BR />nameif inside_7<BR />security-level 100<BR />!<BR />interface Management1/1<BR />management-only<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface BVI1<BR />nameif inside<BR />security-level 100<BR />ip address 192.168.1.1 255.255.255.0<BR />!<BR />ftp mode passive<BR />same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />object network obj_any1<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any2<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any3<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any4<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any5<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any6<BR />subnet 0.0.0.0 0.0.0.0<BR />object network obj_any7<BR />subnet 0.0.0.0 0.0.0.0<BR />object network anyconnect-subnet<BR />subnet 10.1.1.0 255.255.255.0<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />pager lines 24<BR />logging asdm informational<BR />mtu outside 1500<BR />mtu INSIDE-1 1500<BR />mtu inside_2 1500<BR />mtu inside_3 1500<BR />mtu inside_4 1500<BR />mtu inside_5 1500<BR />mtu inside_6 1500<BR />mtu inside_7 1500<BR />no failover<BR />no monitor-interface inside<BR />no monitor-interface service-module<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />arp rate-limit 16384<BR />!<BR />object network obj_any2<BR />nat (inside_2,outside) dynamic interface<BR />object network obj_any3<BR />nat (inside_3,outside) dynamic interface<BR />object network obj_any4<BR />nat (inside_4,outside) dynamic interface<BR />object network obj_any5<BR />nat (inside_5,outside) dynamic interface<BR />object network obj_any6<BR />nat (inside_6,outside) dynamic interface<BR />object network obj_any7<BR />nat (inside_7,outside) dynamic interface<BR />object network anyconnect-subnet<BR />nat (outside,outside) dynamic interface<BR />access-group OUTSIDE_to_IN in interface outside<BR />route outside 0.0.0.0 0.0.0.0 10.10.0.1 1<BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />timeout conn-holddown 0:00:15<BR />timeout igp stale-route 0:01:10<BR />user-identity default-domain LOCAL<BR />aaa authentication ssh console LOCAL<BR />aaa authorization exec LOCAL<BR />aaa authentication login-history<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 inside_2<BR />http 192.168.1.0 255.255.255.0 inside_3<BR />http 192.168.1.0 255.255.255.0 inside_4<BR />http 192.168.1.0 255.255.255.0 inside_5<BR />http 192.168.1.0 255.255.255.0 inside_6<BR />http 192.168.1.0 255.255.255.0 inside_7<BR />no snmp-server location<BR />no snmp-server contact<BR />service sw-reset-button<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto ca trustpool policy<BR />telnet timeout 5<BR />ssh stricthostkeycheck<BR />ssh timeout 5<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0</P> <P>dhcpd auto_config outside<BR />!<BR />dhcpd address 192.168.1.5-192.168.1.254 inside<BR />dhcpd enable inside<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />webvpn<BR />enable outside<BR />anyconnect image disk0:/anyconnect-linux64-4.10.05095-webdeploy-k9.pkg 1<BR />anyconnect enable<BR />tunnel-group-list enable<BR />cache<BR />disable<BR />error-recovery disable<BR />group-policy ANYCONNECT-GROUP-POLICY internal<BR />group-policy ANYCONNECT-GROUP-POLICY attributes<BR />dns-server value 8.8.8.8<BR />vpn-tunnel-protocol ssl-client<BR />default-domain value packet.lan<BR />dynamic-access-policy-record DfltAccessPolicy<BR />username user1 password X.X.X<BR />username user1 attributes<BR />service-type remote-access<BR />tunnel-group ANYCONNECT-TUNNEL-GROUP type remote-access<BR />tunnel-group ANYCONNECT-TUNNEL-GROUP general-attributes<BR />address-pool anyconnect-subnet<BR />default-group-policy ANYCONNECT-GROUP-POLICY<BR />tunnel-group ANYCONNECT-TUNNEL-GROUP webvpn-attributes<BR />group-alias Packetswitch-VPN enable<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />parameters<BR />message-length maximum client auto<BR />message-length maximum 512<BR />no tcp-inspection<BR />policy-map global_policy<BR />class inspection_default<BR />inspect dns preset_dns_map<BR />inspect ftp<BR />inspect h323 h225<BR />inspect h323 ras<BR />inspect rsh<BR />inspect rtsp<BR />inspect esmtp<BR />inspect sqlnet<BR />inspect skinny<BR />inspect sunrpc<BR />inspect xdmcp<BR />inspect sip<BR />inspect netbios<BR />inspect tftp<BR />inspect ip-options<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />Cryptochecksum:a75562b09bc9aa9380f81583fb10044e<BR />: end</P> Fri, 29 Sep 2023 01:55:56 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931178#M1104670 bpierce1046 2023-09-29T01:55:56Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931183#M1104671 <P>Where is the config of anyconnect pool ?</P> <P>I see only object not pool' so I think the vpn not get IP</P> Thu, 28 Sep 2023 18:40:17 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931183#M1104671 MHM Cisco World 2023-09-28T18:40:17Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931194#M1104672 <P>When connected it seems to get an internal IP.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bpierce1046_0-1695927208843.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/198425iC78967B8FCDB3AEF/image-size/medium?v=v2&amp;px=400" role="button" title="bpierce1046_0-1695927208843.png" alt="bpierce1046_0-1695927208843.png" /></span></P><P>&nbsp;</P> Thu, 28 Sep 2023 18:53:57 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931194#M1104672 bpierce1046 2023-09-28T18:53:57Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931198#M1104673 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1602915">@bpierce1046</a> as stated in my previous message above, configure NAT exemption to ensure the traffic between the internal network and vpn pool is not unintentially translated by your other auto NAT rules.</P> <P>If that does not work, run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.</P> Thu, 28 Sep 2023 18:57:28 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931198#M1104673 Rob Ingram 2023-09-28T18:57:28Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931201#M1104674 <P><SPAN>I found the pool config&nbsp;</SPAN></P> <P><SPAN>ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0</SPAN></P> <P><SPAN>And your share I see the anyconnect get IP from pool that good&nbsp;</SPAN></P> <P>Other things I see is dyanimc policy&nbsp;</P> <P><SPAN>dynamic-access-policy-record DfltAccessPolicy !!!</SPAN></P> <P><SPAN>This why you use it ?</SPAN></P> Thu, 28 Sep 2023 19:03:11 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931201#M1104674 MHM Cisco World 2023-09-28T19:03:11Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931215#M1104675 <P>The packet tracer allows but you can see it doesn't from the VPN client. it allows http and https through.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bpierce1046_0-1695929546483.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/198426iEA0DC66DC5CB92D2/image-size/medium?v=v2&amp;px=400" role="button" title="bpierce1046_0-1695929546483.png" alt="bpierce1046_0-1695929546483.png" /></span></P><P>&nbsp;</P><P>ciscoasa(config)# packet-tracer input OUTSIDE tcp 10.1.1.6 80 172.16.10.10 80</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />MAC Access list</P><P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.10/80 to 172.16.10.10/80</P><P>Phase: 3<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:</P><P>Phase: 4<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/80 to 10.1.1.6/80</P><P>Phase: 5<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 6<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:</P><P>Phase: 8<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 9<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 10<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 304, packet dispatched to next module</P><P>Phase: 11<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.10.10 using egress ifc INSIDE-1</P><P>Phase: 12<BR />Type: ADJACENCY-LOOKUP<BR />Subtype: next-hop and adjacency<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />adjacency Active<BR />next-hop mac address b827.eb3a.797f hits 2 reference 1</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INSIDE-1<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P><P>ciscoasa(config)# packet-tracer input OUTSIDE tcp 10.1.1.6 443 172.16.10.10 443</P><P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.10/443 to 172.16.10.10/443</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/443 to 10.1.1.6/443</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 6<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 8<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:</P><P>Phase: 9<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 311, packet dispatched to next module</P><P>Phase: 10<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.10.10 using egress ifc INSIDE-1</P><P>Phase: 11<BR />Type: ADJACENCY-LOOKUP<BR />Subtype: next-hop and adjacency<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />adjacency Active<BR />next-hop mac address b827.eb3a.797f hits 3 reference 1</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INSIDE-1<BR />output-status: up<BR />output-line-status: up<BR />Action: allow</P><P>&nbsp;</P> Thu, 28 Sep 2023 19:33:38 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931215#M1104675 bpierce1046 2023-09-28T19:33:38Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931220#M1104676 <P>Check below note</P> <P>You push&nbsp;<SPAN>dns-server value 8.8.8.8 to anyconnect and you use tunnel all this why thr http/https is not work in real.</SPAN></P> <P><SPAN>Use same packet tracer but instead use 8.8.8.8 as destiantion and check if it sucess or failed.</SPAN></P> <P><SPAN>I sure it fialed you need to push internal dns server to anyconnect or use U-turn nat for anyconnect to connect to google dns server&nbsp;</SPAN></P> Thu, 28 Sep 2023 19:42:11 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931220#M1104676 MHM Cisco World 2023-09-28T19:42:11Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931221#M1104677 <P>Also when i try ICMP i get a failed.</P><P><BR />Result:<BR />input-interface: INSIDE-1<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P> Thu, 28 Sep 2023 19:42:33 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931221#M1104677 bpierce1046 2023-09-28T19:42:33Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931227#M1104678 <P>Can I see icmp packet tracer detail&nbsp;</P> Thu, 28 Sep 2023 19:47:56 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931227#M1104678 MHM Cisco World 2023-09-28T19:47:56Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931232#M1104679 <P>ciscoasa# packet-tracer input INSIDE-1 icmp 172.16.10.9 8 0 10.1.1.6 detailed</P><P>Phase: 1<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2bbb030, priority=1, domain=permit, deny=false<BR />hits=2, user_data=0x0, cs_id=0x0, l3_type=0x8<BR />src mac=0000.0000.0000, mask=0000.0000.0000<BR />dst mac=0000.0000.0000, mask=0100.0000.0000<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 2<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface outside<BR />Untranslate 10.1.1.6/0 to 10.1.1.6/0</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 172.16.10.9/0 to 172.16.10.9/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8ebd0, priority=6, domain=nat, deny=false<BR />hits=0, user_data=0x2aaac3bdd610, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=outside</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=565, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2f1b2d0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=46, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 6<BR />Type: INSPECT<BR />Subtype: np-inspect<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2f30b00, priority=66, domain=inspect-icmp-error, deny=false<BR />hits=3, user_data=0x2aaac2c10c40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1<BR />src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />out id=0x2aaab9b8d6b0, priority=6, domain=nat-reverse, deny=false<BR />hits=1, user_data=0x2aaac161f740, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=outside</P><P>Phase: 8<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 609, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_inspect_icmp<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P><P>Module information for reverse flow ...</P><P>Phase: 9<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface outside<BR />Untranslate 10.1.1.6/0 to 10.1.1.6/0</P><P>Phase: 10<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 172.16.10.9/0 to 172.16.10.9/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8ebd0, priority=6, domain=nat, deny=false<BR />hits=1, user_data=0x2aaac3bdd610, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=outside</P><P>Phase: 11<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=566, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 12<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2f1b2d0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=47, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=INSIDE-1, output_ifc=any</P><P>Phase: 13<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 10.10.0.1 using egress ifc outside</P><P>Result:<BR />input-interface: INSIDE-1<BR />input-status: up<BR />input-line-status: up<BR />output-interface: outside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P> Thu, 28 Sep 2023 20:00:01 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931232#M1104679 bpierce1046 2023-09-28T20:00:01Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931236#M1104680 <P><SPAN>ciscoasa# packet-tracer input outside&nbsp; icmp 10.1.1.6 8 0&nbsp; 172.16.10.9 detailed</SPAN></P> <P><SPAN>Do this way&nbsp;</SPAN></P> Thu, 28 Sep 2023 20:11:01 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931236#M1104680 MHM Cisco World 2023-09-28T20:11:01Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931239#M1104681 <P><BR />ciscoasa# packet-tracer input outside icmp 10.1.1.6 8 0 172.16.10.9 detailed</P><P>Phase: 1<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.9/0 to 172.16.10.9/0</P><P>Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b89a30, priority=13, domain=permit, deny=false<BR />hits=3, user_data=0x2aaabbe600c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 3<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/0 to 10.1.1.6/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8bd00, priority=6, domain=nat, deny=false<BR />hits=112, user_data=0x2aaac161f740, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=INSIDE-1</P><P>Phase: 4<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=827, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 5<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2c2e8b0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=1829, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 6<BR />Type: INSPECT<BR />Subtype: np-inspect<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2c2e3c0, priority=66, domain=inspect-icmp-error, deny=false<BR />hits=7, user_data=0x2aaac2c2e070, cs_id=0x0, use_real_addr, flags=0x0, protocol=1<BR />src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 7<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />out id=0x2aaab9b8e4f0, priority=6, domain=nat-reverse, deny=false<BR />hits=113, user_data=0x2aaac3bdd610, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=INSIDE-1</P><P>Phase: 8<BR />Type: FLOW-CREATION<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />New flow created with id 992, packet dispatched to next module<BR />Module information for forward flow ...<BR />snp_fp_inspect_ip_options<BR />snp_fp_inspect_icmp<BR />snp_fp_translate<BR />snp_fp_adjacency<BR />snp_fp_fragment<BR />snp_fp_tracer_drop<BR />snp_ifc_stat</P><P>Module information for reverse flow ...</P><P>Phase: 9<BR />Type: UN-NAT<BR />Subtype: static<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />NAT divert to egress interface INSIDE-1<BR />Untranslate 172.16.10.9/0 to 172.16.10.9/0</P><P>Phase: 10<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group OUTSIDE_to_IN in interface outside<BR />access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b89a30, priority=13, domain=permit, deny=false<BR />hits=4, user_data=0x2aaabbe600c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 11<BR />Type: NAT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet<BR />Additional Information:<BR />Static translate 10.1.1.6/0 to 10.1.1.6/0<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaab9b8bd00, priority=6, domain=nat, deny=false<BR />hits=113, user_data=0x2aaac161f740, cs_id=0x0, flags=0x0, protocol=0<BR />src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any<BR />dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=INSIDE-1</P><P>Phase: 12<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true<BR />hits=828, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=any, output_ifc=any</P><P>Phase: 13<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Forward Flow based lookup yields rule:<BR />in id=0x2aaac2c2e8b0, priority=0, domain=inspect-ip-options, deny=true<BR />hits=1830, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0<BR />src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any<BR />dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0<BR />input_ifc=outside, output_ifc=any</P><P>Phase: 14<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 172.16.10.9 using egress ifc INSIDE-1</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: INSIDE-1<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (no-adjacency) No valid adjacency</P> Thu, 28 Sep 2023 20:13:17 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931239#M1104681 bpierce1046 2023-09-28T20:13:17Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931251#M1104682 <P><SPAN>ciscoasa# packet-tracer input outside icmp 10.1.1.6 8 0 <STRONG>172.16.10.10</STRONG> detailed</SPAN></P> <P><SPAN>No adj is appear if the asa dobt have arp entry for this IP' so change it to .10 and check.</SPAN></P> <P><SPAN>I am sure it will success but traffic to dns server will failed.</SPAN></P> <P><SPAN>Check to more more sure&nbsp;</SPAN></P> Thu, 28 Sep 2023 20:36:06 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931251#M1104682 MHM Cisco World 2023-09-28T20:36:06Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931254#M1104683 <P>that worked but it still doesn't work from the client.&nbsp;</P><P>Also, for the internal web-server at 172.16.10.10. Since it cant get to the dns server could that be why the packet is being dropped. That i need to do:</P><PRE>nat (inside,outside) source static 10.1.1.5 172.16.10.10 dns ! policy-map global_policy class inspection_default inspect dns</PRE> Thu, 28 Sep 2023 20:53:55 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931254#M1104683 bpierce1046 2023-09-28T20:53:55Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931255#M1104684 <P>Do you have any internal dns server ?</P> Thu, 28 Sep 2023 20:59:16 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931255#M1104684 MHM Cisco World 2023-09-28T20:59:16Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931291#M1104687 <P>I dont have an internal DNS.&nbsp;</P> Fri, 29 Sep 2023 00:10:47 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931291#M1104687 bpierce1046 2023-09-29T00:10:47Z https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931383#M1104690 <P>Can you access http server with IP not name ?</P> Fri, 29 Sep 2023 07:07:18 GMT https://community.cisco.com/t5/network-security/asa-config-issues/m-p/4931383#M1104690 MHM Cisco World 2023-09-29T07:07:18Z