03-30-2016 02:18 PM - edited 03-12-2019 12:33 AM
Hi,
ACL is configured.
Below is the result of packet tracer:
packet-tracer input outside udp 172.24.93.24 1024 192.168.80.1 4223
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (10.61.31.22)
translate_hits = 57990, untranslate_hits = 972
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Regards
MAhesh
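An added example, not part of the original post: a small Python parser for packet-tracer output like the above that finds the first phase with Result: DROP, the rule listed under its Config, and the drop reason. The sample text is copied from phases 6 and 7 of the post; the function names are hypothetical.

```python
import re

# Sample: phases 6-7 and part of the result block, copied from the post.
SAMPLE = """\
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELD = re.compile(r"^(Phase|Type|Subtype|Result):\s*(.*)$")

def parse_phases(text):
    """Split packet-tracer output into phase dicts, keeping each Config block."""
    phases, cur, in_config = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        m = FIELD.match(line)
        if m and m.group(1) == "Phase":
            cur, in_config = {"Phase": int(m.group(2)), "Config": []}, False
            phases.append(cur)
        elif cur is None:
            continue  # skip anything before the first phase
        elif line == "Result:":  # bare "Result:" starts the final summary
            break
        elif m:
            cur[m.group(1)] = m.group(2)
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"
        elif in_config and line:
            cur["Config"].append(line)
    return phases

def first_drop(text):
    """Return (first phase with Result DROP or None, Drop-reason or None)."""
    reason = re.search(r"^Drop-reason:\s*(.*)$", text, re.M)
    drop = next((p for p in parse_phases(text) if p.get("Result") == "DROP"), None)
    return drop, reason.group(1).strip() if reason else None
```

Calling first_drop() on saved packet-tracer output shows which phase dropped the flow and which configured rule that phase matched, which is the rule to compare against the tested addresses.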
03-31-2016 04:52 PM
I don't know your setup; however, it appears this is VPN traffic, and you would usually not want to NAT VPN traffic. I would suggest creating a "NAT 0" statement for your VPN traffic and trying again.
03-31-2016 05:51 PM
Yes, it is VPN traffic and we have a NAT 0 ACL.
The NAT 0 ACL has source as any and destination is 10.61.x.x
Regards
MAhesh
03-31-2016 06:13 PM
What does the destination of 10.61.x.x in your NAT 0 have to do with the traffic you are testing:
packet-tracer input outside udp 172.24.93.24 1024 192.168.80.1 4223
A valid NAT 0 for this traffic would have 192.168.80.1 as the destination.
03-31-2016 06:16 PM
Hi Mahesh,
Can you please create an additional entry in the NAT 0 ACL:
access-list name extended permit
access-list name extended permit
Please test and let me know how it fares.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.