ASA Config Issues

bpierce1046
Beginner

I am having issues with my ASA not transferring traffic from the VPN subnet to the internal subnet. The VPN is the 10.1.1.0/24 subnet and the internal network is the 172.16.10.0/24 subnet.

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2)61
!
hostname ciscoasa
enable password xxx xxx
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8d4178d35b9e92dae51bd1cbacee04e4
: end

 

28 Replies

@bpierce1046 is that your full configuration? It does not have any VPN configuration.

You'll probably need a NAT exemption rule to ensure the traffic between the networks is not unintentionally translated, for example:

nat (inside,outside) source static LAN-NET LAN-NET destination static VPN-NET VPN-NET

Create an object LAN-NET to reflect your internal network and another object VPN-NET to reflect the VPN network, and then just replace "inside" with your actual internal interface name.

This is not the complete config; share the VPN config.

bpierce1046
Beginner

Actual config:

 


:
ASA Version 9.9(2)61
!
hostname ciscoasa
enable password X.X.X
names
ip local pool anyconnect-subnet 10.1.1.5-10.1.1.250 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.10.20.33 255.255.0.0
!
interface GigabitEthernet1/2
nameif INSIDE-1
security-level 100
ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network anyconnect-subnet
subnet 10.1.1.0 255.255.255.0
access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any
pager lines 24
logging asdm informational
mtu outside 1500
mtu INSIDE-1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
no failover
no monitor-interface inside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network anyconnect-subnet
nat (outside,outside) dynamic interface
access-group OUTSIDE_to_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-linux64-4.10.05095-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy ANYCONNECT-GROUP-POLICY internal
group-policy ANYCONNECT-GROUP-POLICY attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value packet.lan
dynamic-access-policy-record DfltAccessPolicy
username user1 password X.X.X
username user1 attributes
service-type remote-access
tunnel-group ANYCONNECT-TUNNEL-GROUP type remote-access
tunnel-group ANYCONNECT-TUNNEL-GROUP general-attributes
address-pool anyconnect-subnet
default-group-policy ANYCONNECT-GROUP-POLICY
tunnel-group ANYCONNECT-TUNNEL-GROUP webvpn-attributes
group-alias Packetswitch-VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a75562b09bc9aa9380f81583fb10044e
: end

Where is the config of the AnyConnect pool?

I see only the object, not the pool, so I think the VPN does not get an IP.

When connected, it seems to get an internal IP.


@bpierce1046 as stated in my previous message above, configure NAT exemption to ensure the traffic between the internal network and the VPN pool is not unintentionally translated by your other auto NAT rules.

If that does not work, run packet-tracer from the CLI to simulate the traffic flow and provide the output for review.

The packet tracer allows it, but you can see it doesn't work from the VPN client. It allows HTTP and HTTPS through.


ciscoasa(config)# packet-tracer input OUTSIDE tcp 10.1.1.6 80 172.16.10.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
NAT divert to egress interface INSIDE-1
Untranslate 172.16.10.10/80 to 172.16.10.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_to_IN in interface outside
access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 10.1.1.6/80 to 10.1.1.6/80

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 304, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.10.10 using egress ifc INSIDE-1

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address b827.eb3a.797f hits 2 reference 1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: INSIDE-1
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)# packet-tracer input OUTSIDE tcp 10.1.1.6 443 172.16.10.10 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
NAT divert to egress interface INSIDE-1
Untranslate 172.16.10.10/443 to 172.16.10.10/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_to_IN in interface outside
access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 10.1.1.6/443 to 10.1.1.6/443

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 311, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.10.10 using egress ifc INSIDE-1

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address b827.eb3a.797f hits 3 reference 1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: INSIDE-1
output-status: up
output-line-status: up
Action: allow

 

Check the note below:

You push dns-server value 8.8.8.8 to AnyConnect and you use tunnel-all; this is why HTTP/HTTPS does not work in reality.

Use the same packet-tracer, but use 8.8.8.8 as the destination instead, and check whether it succeeds or fails.

I am sure it fails; you need to push an internal DNS server to AnyConnect or use U-turn NAT for AnyConnect to connect to the Google DNS server.

Also, when I try ICMP I get a failure.


Result:
input-interface: INSIDE-1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

Can I see the ICMP packet-tracer detail?

ciscoasa# packet-tracer input INSIDE-1 icmp 172.16.10.9 8 0 10.1.1.6 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2bbb030, priority=1, domain=permit, deny=false
hits=2, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=INSIDE-1, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.6/0 to 10.1.1.6/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 172.16.10.9/0 to 172.16.10.9/0
Forward Flow based lookup yields rule:
in id=0x2aaab9b8ebd0, priority=6, domain=nat, deny=false
hits=0, user_data=0x2aaac3bdd610, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE-1, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true
hits=565, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2f1b2d0, priority=0, domain=inspect-ip-options, deny=true
hits=46, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE-1, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2f30b00, priority=66, domain=inspect-icmp-error, deny=false
hits=3, user_data=0x2aaac2c10c40, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=INSIDE-1, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaab9b8d6b0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x2aaac161f740, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE-1, output_ifc=outside

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 609, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...

Phase: 9
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.1.6/0 to 10.1.1.6/0

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 172.16.10.9/0 to 172.16.10.9/0
Forward Flow based lookup yields rule:
in id=0x2aaab9b8ebd0, priority=6, domain=nat, deny=false
hits=1, user_data=0x2aaac3bdd610, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE-1, output_ifc=outside

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true
hits=566, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2f1b2d0, priority=0, domain=inspect-ip-options, deny=true
hits=47, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE-1, output_ifc=any

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.0.1 using egress ifc outside

Result:
input-interface: INSIDE-1
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

ciscoasa# packet-tracer input outside  icmp 10.1.1.6 8 0  172.16.10.9 detailed

Do it this way.


ciscoasa# packet-tracer input outside icmp 10.1.1.6 8 0 172.16.10.9 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
NAT divert to egress interface INSIDE-1
Untranslate 172.16.10.9/0 to 172.16.10.9/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_to_IN in interface outside
access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaab9b89a30, priority=13, domain=permit, deny=false
hits=3, user_data=0x2aaabbe600c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 10.1.1.6/0 to 10.1.1.6/0
Forward Flow based lookup yields rule:
in id=0x2aaab9b8bd00, priority=6, domain=nat, deny=false
hits=112, user_data=0x2aaac161f740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=INSIDE-1

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true
hits=827, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2c2e8b0, priority=0, domain=inspect-ip-options, deny=true
hits=1829, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2c2e3c0, priority=66, domain=inspect-icmp-error, deny=false
hits=7, user_data=0x2aaac2c2e070, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaab9b8e4f0, priority=6, domain=nat-reverse, deny=false
hits=113, user_data=0x2aaac3bdd610, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=INSIDE-1

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 992, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...

Phase: 9
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
NAT divert to egress interface INSIDE-1
Untranslate 172.16.10.9/0 to 172.16.10.9/0

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_to_IN in interface outside
access-list OUTSIDE_to_IN extended permit ip object anyconnect-subnet any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaab9b89a30, priority=13, domain=permit, deny=false
hits=4, user_data=0x2aaabbe600c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 10.1.1.6/0 to 10.1.1.6/0
Forward Flow based lookup yields rule:
in id=0x2aaab9b8bd00, priority=6, domain=nat, deny=false
hits=113, user_data=0x2aaac161f740, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.10.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=INSIDE-1

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1a10280, priority=0, domain=nat-per-session, deny=true
hits=828, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac2c2e8b0, priority=0, domain=inspect-ip-options, deny=true
hits=1830, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 14
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.10.9 using egress ifc INSIDE-1

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: INSIDE-1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency

ciscoasa# packet-tracer input outside icmp 10.1.1.6 8 0 172.16.10.10 detailed

No adjacency appears if the ASA doesn't have an ARP entry for this IP, so change it to .10 and check.

I am sure it will succeed, but traffic to the DNS server will fail.

Check to be more sure.
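As an added example (not code from this thread, from Cisco, or from the ASA itself), a small Python parser for the packet-tracer output posted above: it splits the trace into phases, reads the final Action and Drop-reason, and flags any NAT phase where the address actually changed, which is the symptom of the missing NAT exemption this thread is chasing. The two sample traces are constructed and abbreviated from the ones posted; the PAT result address 10.10.20.33/29384 is made up.

```python
import re

# Constructed sample, abbreviated from the HTTPS trace posted above (identity NAT, allowed).
ALLOW_TRACE = """\
Phase: 1
Type: NAT
Result: ALLOW
Config:
nat (INSIDE-1,outside) source static LAN-NET LAN-NET destination static anyconnect-subnet anyconnect-subnet
Additional Information:
Static translate 10.1.1.6/443 to 10.1.1.6/443

Result:
input-interface: outside
output-interface: INSIDE-1
Action: allow
"""

# Constructed sample of the failure mode discussed above: with no exemption the LAN host is
# PATed to the outside address (made-up 10.10.20.33/29384) and the trace ends in no-adjacency.
PAT_DROP_TRACE = """\
Phase: 1
Type: NAT
Result: ALLOW
Config:
object network obj_any1
 nat (INSIDE-1,outside) dynamic interface
Additional Information:
Dynamic translate 172.16.10.9/0 to 10.10.20.33/29384

Result:
input-interface: INSIDE-1
output-interface: outside
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
"""

PHASE_RE = re.compile(r"^Phase: \d+$", re.M)
XLATE_RE = re.compile(r"(?:Static|Dynamic) translate (\S+)/\d+ to (\S+)/\d+")
DROP_RE = re.compile(r"^Drop-reason: \(([^)]+)\)\s*(.*)$", re.M)
# Hint for the drop reason seen in this thread; other reasons fall back to the ASA's own text.
HINTS = {"no-adjacency": "ASA has no ARP entry for the next hop; confirm the host answers ARP "
                         "or trace to an address the ASA has already resolved"}


def parse_trace(text: str) -> dict:
    # Everything before the final "Result:" block is a sequence of "Phase: N" records.
    body, _, result = text.partition("\nResult:\n")
    phases = []
    for chunk in PHASE_RE.split(body)[1:]:  # [0] is whatever preceded "Phase: 1"
        rec, section = {"type": "", "config": [], "info": []}, None
        for line in chunk.strip().splitlines():
            if line.startswith("Type:"):
                rec["type"] = line[5:].strip()
            elif line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif section:  # Subtype/Result lines come before "Config:" and are skipped
                rec[section].append(line.strip())
        phases.append(rec)
    out = {"phases": phases, "action": "", "drop_reason": None, "drop_text": "",
           "input_interface": "", "output_interface": ""}
    for line in result.splitlines():
        key, _, val = line.partition(":")
        key = key.strip().lower().replace("-", "_")
        if key in ("action", "input_interface", "output_interface"):
            out[key] = val.strip()
    if m := DROP_RE.search(result):
        out["drop_reason"], out["drop_text"] = m.group(1), m.group(2)
    return out


def unintended_translations(trace: dict) -> list:
    # A NAT exemption is identity NAT ("translate A to A"); an A-to-B line means the LAN/VPN
    # traffic matched some other rule, typically the dynamic PAT to the outside address.
    return [line for p in trace["phases"] if p["type"] in ("NAT", "UN-NAT")
            for line in p["info"]
            if (m := XLATE_RE.search(line)) and m.group(1) != m.group(2)]


def triage(trace: dict) -> str:
    # One-line verdict: a clean allow, or what to look at next.
    xlates = unintended_translations(trace)
    if trace["action"] == "allow" and not xlates:
        return "allow: %s -> %s, addresses untouched" % (trace["input_interface"], trace["output_interface"])
    notes = ["address rewritten (missing NAT exemption?): " + "; ".join(xlates)] if xlates else []
    if trace["drop_reason"]:
        notes.append("drop (%s): %s" % (trace["drop_reason"], HINTS.get(trace["drop_reason"], trace["drop_text"])))
    return " | ".join(notes) or "drop: no Drop-reason line parsed"
```

Paste a real trace into parse_trace() and read triage(); a Static translate line whose two addresses differ, or a Dynamic translate line at all, on the LAN-to-pool flow is the exemption problem described in the replies above.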
