- Cisco Community
- Technology and Support
- Security
- Network Security
- Re: ASA ACL Blocking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
ASA ACL Blocking
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-28-2021 06:56 AM
Hi Cisco Community,
I am hoping someone can help me out. Myself and another Engineer have run multiple tests on the ASA and have come up empty.
We have an ACL that allows traffic between two servers on two different networks. When we attempt to pass traffic between the two the ASA shows deny by access group "Access Group X" in the live log file.
The Packet tracer done on the ASA CLI shows allow. Either this is a bug or an issue with the configuration, I cant seem to spot it.
When we look at the ACL rules it does not show any blocks between the two but allowed.
Thanks,
E
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-28-2021 12:09 PM
Probably you are running packet tracer incorrectly as you do see it getting blocked in the syslogs.
We can help but I will need more details in terms of IPs and interfaces, or the packet tracer output, you can chose to put fake IPs as long as you can correlate them back and forth while we try to figure this out.
Regards,
Chakshu
Do rate helpful posts !
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 05:23 AM - edited 09-30-2021 05:26 AM
Hi Shakshu,
Please forgive me if I miss anything. Thank you for your help. Please see below a description of the interfaces and the Packet tracer I am running. If you have any suggestions to try, please let me know.
Interface Inside 10.10.10.1
Interface Server_DMZ 84.1.1.1
ACL
- Inside Interafce
- Allow Source 10.10.10.1 Destination 84.1.1.1
- Allow Source 84.1.1.1 Destination 10.10.10.1
ACL
Server_DMZ
- Allow Source 10.10.10.1 Destination 84.1.1.1
- Allow Source 84.1.1.1 Destination 10.10.10.1
NAT Rules
Inside Interface
- Original Packet Source 84.1.1.1 Destination 10.10.10.1 Translated Packet Source 10.20.20.1 Destination Original
Server_DMZ Interface
- Original Packet Source 10.10.10.1 Destination 10.20.20.1 Translated Packet Source Original Destination 84.1.1.1
pri/act/Firewall01# packet-tracer input Server_DMZ icmp 10.10.10.1 8 0 84.1.1.1 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67a220ab0, priority=1, domain=permit, deny=false
hits=3179191418, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Server_DMZ, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Server_DMZ,Inside) source static SWPE.10.10.10.1 SWPE.10.10.10.1 destination static Netmon.84.1.1.1 Netmon.84.1.1.1 no-proxy-arp
Additional Information:
NAT divert to egress interface Inside
Untranslate 84.1.1.1/0 to 84.1.1.1/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Server_DMZ_access_in in interface Server_DMZ
access-list Server_DMZ_access_in extended permit object-group ICMP_ALL any any
object-group service ICMP_ALL
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp traceroute
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff6843ead10, priority=13, domain=permit, deny=false
hits=3480, user_data=0x7ff683f62cc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=8, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Server_DMZ,Inside) source static SWPE.10.10.10.1 SWPE.10.10.10.1 destination static Netmon.84.1.1.1 Netmon.84.1.1.1 no-proxy-arp
Additional Information:
Static translate 10.10.10.1/0 to 10.10.10.1/0
Forward Flow based lookup yields rule:
in id=0x7ff692a096d0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7ff690e626d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=Inside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=157548756, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67a269f00, priority=0, domain=inspect-ip-options, deny=true
hits=21032813, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff679feb740, priority=70, domain=inspect-icmp, deny=false
hits=27418, user_data=0x7ff6811a10b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67a269320, priority=66, domain=inspect-icmp-error, deny=false
hits=27503, user_data=0x7ff677e15ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.20.20.1 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff68dd52a90, priority=6, domain=nat-reverse, deny=false
hits=160, user_data=0x7ff690ef3e90, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=Inside
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=137093061, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=157548758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=141092909, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ff679ffd530, priority=0, domain=user-statistics, deny=false
hits=20904776, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Server_DMZ
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 146242950, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 84.1.1.1using egress ifc Inside
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 000c.29a9.a8e7 hits 12 reference 56
Result:
input-interface: Server_DMZ
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 06:01 AM
"packet-tracer input Server_DMZ icmp 10.10.10.1 8 0 84.1.1.1 detailed"
Shouldn't you be running "packet-tracer input Inside icmp 10.10.10.1 8 0 84.1.1.1 detailed" instead?
You need to have the source interface mentioned while running the packet tracer.
Syntax:
packet-tracer input $source-interface $traffic-type $src_address $src_proto $src_proto_options $dest_address
Regards,
Chakshu
Do rate helpful posts!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 06:12 AM
Hi Chakshu,
Here is the updated packet tracer.
pri/act/Firewall01# packet-tracer input Inside icmp 84.1.1.1 8 0 10.10.10.1detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.215.24.253 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
NAT divert to egress interface Server_DMZ
Untranslate 10.10.10.1/0 to 10.10.10.1/0
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in remark Solarwinds access to City Solarwinds
access-list Inside_access_in extended permit ip object Netmon.84.1.1.1 object-group DM_INLINE_NETWORK_17
object-group network DM_INLINE_NETWORK_17
network-object object SWPE.10.10.10.1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff67b921300, priority=13, domain=permit, deny=false
hits=13725, user_data=0x7ff66976be40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.20.20.1 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
Static translate 84.1.1.1/0 to 10.215.24.253/0
Forward Flow based lookup yields rule:
in id=0x7ff68fd15660, priority=6, domain=nat, deny=false
hits=4143, user_data=0x7ff690ef3e90, cs_id=0x0, flags=0x0, protocol=0
src ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Server_DMZ
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163031172, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=144998048, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff679fb6690, priority=70, domain=inspect-icmp, deny=false
hits=44285613, user_data=0x7ff6811a10b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fb9f30, priority=66, domain=inspect-icmp-error, deny=false
hits=47845073, user_data=0x7ff677a24f00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff684495020, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=127565923, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 netmon.nat.10.20.20.1 destination static SWPE.10.10.10.1 SWPE.10.10.10.1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff69353b260, priority=6, domain=nat-reverse, deny=false
hits=4144, user_data=0x7ff68ca6fce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Server_DMZ
Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff679ffd530, priority=0, domain=user-statistics, deny=false
hits=21586066, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Server_DMZ
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163031174, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff67a269f00, priority=0, domain=inspect-ip-options, deny=true
hits=21716516, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Server_DMZ, output_ifc=any
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=140998137, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 150244888, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.215.24.3 using egress ifc Server_DMZ
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address b40c.25ef.0014 hits 1004 reference 54
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Server_DMZ
output-status: up
output-line-status: up
Action: allow
pri/act/Firewall01#
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 06:33 AM
You have ran:
packet-tracer input Inside icmp 84.1.1.1 8 0 10.10.10.1 detailed
I want the output of
packet-tracer input Inside icmp 10.10.10.1 8 0 84.1.1.1 detailed
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 06:47 AM
Hi Chakshu,
Here is the updated packet-tracer.
Firewall01# packet-tracer input Inside icmp 10.10.10.1 8 0 84.1.1.1 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 84.1.1.1 using egress ifc Inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object SWPE.10.10.10.1 object Netmon.84.1.1.1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff6855b40f0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7ff68502f580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=84.1.1.1, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163123750, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=145069087, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff679fb6690, priority=70, domain=inspect-icmp, deny=false
hits=44310731, user_data=0x7ff6811a10b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff677fb9f30, priority=66, domain=inspect-icmp-error, deny=false
hits=47870595, user_data=0x7ff677a24f00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ff684495020, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=127633002, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=141070737, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff675f108a0, priority=0, domain=nat-per-session, deny=true
hits=163123752, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ff677fba9f0, priority=0, domain=inspect-ip-options, deny=true
hits=145069089, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ff679ff3090, priority=0, domain=user-statistics, deny=false
hits=141070738, user_data=0x7ff67a22cce0, cs_id=0x0, reverse, flags=0x0,protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Inside
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 150319849, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 84.1.1.1 using egress ifc Inside
Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 000c.29a9.a8e7 hits 102 reference 24
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 11:00 AM
Are
Interface Inside 10.10.10.1
Interface Server_DMZ 84.1.1.1
the interface IPs? Because you are actually supposed to put the src and dst IPs as packet tracer will then show "through" the box trace output.
One more thing I would check would be routing as packet ingressed from inside is going towards inside, which should not be the case as per your requirement.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 12:31 PM
Hi Chakshu,
Those are not the interfaces, they are just the two endpoints.
Is there a specific route you would like me to look at?
The Static Routes we have should route between the two networks.
Thanks,
E
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-28-2021 12:40 PM
Is it that traffic is passing successfully but you are seeing drop logs or is the traffic actually being dropped / not allowed? Could you post the actual log you are seeing (screenshot). Post the full output of your packet-tracer including the command you are running.
Also, a full running configuration (change any public IPs and remove usernames and passwords.
Please remember to select a correct answer and rate helpful posts
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 05:25 AM
Hi Marius,
I replied with the output of the packet tracer. I will upload the full running configuration once I sanitize it.
Thank you,
E
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2021 06:51 AM
Hi Marius,
Here is the Output of Run, I have removed any unnecessary configuration.
Interface Server_DMZ 10.10.10.1
Interface Inside 84.1.1.1
!
interface GigabitEthernet0/1
description Inside
nameif Inside
security-level 100
ip address 84.1.1.212 255.0.0.0 standby 86.1.1.213
!
!
interface GigabitEthernet0/5
description Server_DMZ
nameif Server_DMZ
security-level 99
ip address 10.10.10.212 255.255.252.0 standby 10.10.10.213
!
!
object network Netmon.84.1.1.1
host 84.1.1.1
description Server
!
object network -SWPE.10.10.10.1
host 10.10.10.1
!
!
network-object object Netmon.84.1.1.1
!
network-object object Netmon.84.1.1.1
!
object-group network SERVERS
network-object object -SWPE.10.10.10.1
!
object-group network DM_INLINE_NETWORK_17
network-object object -SWPE.10.10.10.1
!
object-group network DM_INLINE_NETWORK_18
network-object object -SWPE.10.10.10.1
!
object-group network DM_INLINE_NETWORK_20
network-object object -SWPE.10.10.10.1
!
access-list Inside_access_in extended permit ip object Netmon.84.1.1.1 object-group DM_INLINE_NETWORK_17
!
access-list Inside_access_in extended permit ip object -SWPE.10.10.10.1 object Netmon.84.1.1.1
!
access-list Server_DMZ_access_in extended permit object 17777 object -SWPE.10.10.10.1 object-group DM_INLINE_NETWORK_1
!
access-list Server_DMZ_access_in extended permit object-group ICMP_ALL any any
access-list Server_DMZ_access_in extended permit object 17777 object Netmon.84.1.1.1 object -SWPE.10.10.10.1
!
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 Netmon.nat.10.20.20.1 destination static -SWPE.10.10.10.1 -SWPE.10.10.10.1
!
nat (Inside,Server_DMZ) source static Netmon.84.1.1.1 Netmon.nat.10.20.20.1 destination static DM_INLINE_NETWORK_18 DM_INLINE_NETWORK_18 no-proxy-arp inactive
!
nat (Server_DMZ,Inside) source static -SWPE.10.10.10.1 -SWPE.10.10.10.1 destination static Netmon.84.1.1.1 Netmon.84.1.1.1 no-proxy-arp
!
access-group Inside_access_in in interface Inside
!
access-group Server_DMZ_access_in in interface Server_DMZ
!
!
route Server_DMZ 10.10.10.1 255.255.255.255 10.215.24.1 1
!
http 84.1.1.1 255.255.255.255 Inside
!
!
telnet 84.1.1.1 255.255.255.255 Inside
!
ssh 84.1.1.1 255.255.255.255 Inside
!
!
: end
Thank you for your help,
E
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
