https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650750#M592255 <HTML><HEAD></HEAD><BODY><P>your situation is normal. I tried the same packet tracer using our site to site VPN and I get the same result.</P><P>This is what I get:</P><P></P><P></P><P>ASA-1(config)# packet-tracer input outside icmp 192.168.70.10 8 0 172.16.12$</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 172.16.128.0&nbsp;&nbsp;&nbsp; 255.255.240.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc6464cc8, priority=0, domain=permit, deny=true</P><P><SPAN> </SPAN>hits=22753, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0</P><P><SPAN> </SPAN>src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P><SPAN> </SPAN>dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P>The interface ACL is the one dropping it. It seems that the sysopt connection permit-vpn doesn't work with the packet tracer</P><DIV> </DIV><P></P></BODY></HTML> Tue, 08 Feb 2011 19:51:37 GMT PAUL GILBERT ARIAS 2011-02-08T19:51:37Z https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650749#M592252 <P>Hi,</P><P></P><P>Packet tracer works great verifying my site-to-site ipsec tunnel from inside, but when I run it from outside and give it an ip address that would have been classified as interesting on the peer device, it fails.</P><P></P><P>This would not be return traffic, but initiating traffic from the peer site.</P><P></P><P>I'm assuming this is because packet tracer has no way of simulating a packet arriving on the outside interface is already in the tunnel and enrcypted, as the trace did not show any vpn stages.</P><P></P><P>Packets arriving from the lab setup across the tunnel are allowed, just not the packet tracer.</P><P></P><P>Appreciate any input. Don't always have the benefit of a lab setup to verify.</P> Mon, 11 Mar 2019 19:47:05 GMT https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650749#M592252 lcaruso 2019-03-11T19:47:05Z https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650750#M592255 <HTML><HEAD></HEAD><BODY><P>your situation is normal. I tried the same packet tracer using our site to site VPN and I get the same result.</P><P>This is what I get:</P><P></P><P></P><P>ASA-1(config)# packet-tracer input outside icmp 192.168.70.10 8 0 172.16.12$</P><P></P><P>Phase: 1</P><P>Type: FLOW-LOOKUP</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>Found no matching flow, creating a new flow</P><P></P><P>Phase: 2</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 172.16.128.0&nbsp;&nbsp;&nbsp; 255.255.240.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 3</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xc6464cc8, priority=0, domain=permit, deny=true</P><P><SPAN> </SPAN>hits=22753, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0</P><P><SPAN> </SPAN>src ip=0.0.0.0, mask=0.0.0.0, port=0</P><P><SPAN> </SPAN>dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P>The interface ACL is the one dropping it. It seems that the sysopt connection permit-vpn doesn't work with the packet tracer</P><DIV> </DIV><P></P></BODY></HTML> Tue, 08 Feb 2011 19:51:37 GMT https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650750#M592255 PAUL GILBERT ARIAS 2011-02-08T19:51:37Z https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650751#M592256 <HTML><HEAD></HEAD><BODY><P>Your only option there is to capture the encrypted packets in a capture with the "trace" option.&nbsp; Then you can do "show capture <NAME> packet-number &lt;#&gt; trace" to feed that packet through packet-tracer and it will make it past the vpn-decrypt section.</NAME></P><P></P><P>Still not very helpful unless you don't have much traffic over the VPN.&nbsp; There's no way to know if the encapsulated traffic is what you were hoping to get.</P><P></P><P>HTH,</P><P>-jb</P></BODY></HTML> Wed, 09 Feb 2011 01:07:11 GMT https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650751#M592256 jubetz 2011-02-09T01:07:11Z https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650752#M592259 <HTML><HEAD></HEAD><BODY><P>that's a nifty idea--didn't know about that--thanks!</P></BODY></HTML> Wed, 09 Feb 2011 03:57:04 GMT https://community.cisco.com/t5/network-security/packet-tracer-vs-site-to-site-tunnel-from-outside/m-p/1650752#M592259 lcaruso 2011-02-09T03:57:04Z