06-19-2023 08:16 AM
Hello.
I want to do a test in ASA packet-tracer for traffic that is routed to a L2L VPN configured on the firewall. When I do the packet-tracer, the traffic is being dropped on Phase 6, which is type: VPN, subtype: encrypt. My guess is because the firewall is not yet connected to the Internet and the VPN has not been established yet. Is there a way I can test this type of traffic without having the VPN established first?
Below is my packet-tracer output:
NBS-BT-INTERNET-ASA5525# packet-tracer input INSIDE tcp 10.40.23.4 1234 192.16$
WARNING: 5 sec waittime expire start 2252064, end 2252065,flags 0, trace 0x0000000000411315/0x0000000000411315
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic NBS_INTERNAL obj-10.0.21.243 destination static SWIFT_SUBNET SWIFT_SUBNET
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.169.34.12/443 to 192.169.34.12/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit ip any host 196.213.205.250
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5cdc780220, priority=13, domain=permit, deny=false
hits=8, user_data=0x7f5cd13c0c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.40.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=443, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic NBS_INTERNAL obj-10.0.21.243 destination static SWIFT_SUBNET SWIFT_SUBNET
Additional Information:
Dynamic translate 10.40.23.4/1234 to 10.0.21.243/1234
Forward Flow based lookup yields rule:
in id=0x7f5cdc5ce340, priority=6, domain=nat, deny=false
hits=283, user_data=0x7f5cde91d890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.40.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5cdb5891a0, priority=0, domain=nat-per-session, deny=false
hits=425937, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5cdc3d1ba0, priority=0, domain=inspect-ip-options, deny=true
hits=461278, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f5cdec798a0, priority=70, domain=encrypt, deny=false
hits=289, user_data=0x0, cs_id=0x7f5cdec74b10, reverse, flags=0x0, protocol=0
src ip/id=10.0.21.240, mask=255.255.255.240, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056223c99ccb9 flow (NA)/NA
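A small parser, added here and not taken from the thread, that splits packet-tracer output into its phases and flags a Phase 6 VPN/encrypt drop whose crypto rule matched (deny=false) but carries user_data=0x0, the pattern the replies below attribute to a tunnel that has not come up yet. The sample output is a constructed, trimmed excerpt of the post above.

```python
import re
# Constructed excerpt of "packet-tracer" output, trimmed from the post above.
SAMPLE = """\
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Forward Flow based lookup yields rule:
in id=0x7f5cdc3d1ba0, priority=0, domain=inspect-ip-options, deny=true
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Forward Flow based lookup yields rule:
out id=0x7f5cdec798a0, priority=70, domain=encrypt, deny=false
hits=289, user_data=0x0, cs_id=0x7f5cdec74b10, reverse, flags=0x0, protocol=0
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$", re.M)

def parse_phases(text):
    """Split packet-tracer output into one dict per phase (type, subtype, result, rule fields)."""
    body = text.split("\nResult:\n")[0]  # drop the trailing summary block
    starts = [m.start() for m in PHASE_RE.finditer(body)] + [len(body)]
    phases = []
    for a, b in zip(starts, starts[1:]):
        block = body[a:b]
        fields = dict(re.findall(r"^(Phase|Type|Subtype|Result): ?(.*)$", block, re.M))
        rule = dict(re.findall(r"(\w+)=([^,\s]+)", block))  # id=, domain=, deny=, user_data=...
        phases.append({"phase": int(fields["Phase"]), "type": fields["Type"],
                       "subtype": fields.get("Subtype", ""), "result": fields["Result"],
                       "rule": rule})
    return phases

def explain_drop(phases):
    """Return (phase_number, verdict) for the first DROP phase, or (None, "no-drop")."""
    for p in phases:
        if p["result"] != "DROP":
            continue
        rule = p["rule"]
        if p["type"] == "VPN" and p["subtype"] == "encrypt" and rule.get("deny") == "false":
            # Crypto-map rule matched (deny=false) but user_data, the IPsec SPI per the thread,
            # is 0x0: no SA exists yet, so nothing can encrypt the flow. A second run once IKE
            # has brought the tunnel up is expected to pass; with no reachable peer it never will.
            return p["phase"], "vpn-no-sa" if rule.get("user_data") == "0x0" else "vpn-other"
        return p["phase"], "policy-deny" if rule.get("deny") == "true" else "other"
    return None, "no-drop"
```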
06-19-2023 10:26 AM
Replace <access-list-name> with the name of your access list, <source> with the source IP range, and <destination> with the destination IP range. This modification will allow the traffic to bypass the VPN phase.
access-list <access-list-name> extended permit ip <source> <destination>
Rerun the packet-tracer command to test the traffic again.
06-20-2023 05:35 AM
I have this ACL defined already
06-19-2023 01:50 PM
You must run packet-tracer for a VPN S2S twice for it to work.
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f5cdec798a0, priority=70, domain=encrypt, deny=false
hits=289, user_data=0x0, cs_id=0x7f5cdec74b10, reverse, flags=0x0, protocol=0
src ip/id=10.0.21.240, mask=255.255.255.240, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE
The user_data is important to know which VPN this traffic hit. It is the SPI of the IPsec crypto.
06-19-2023 07:54 PM
It's like @MHM Cisco World said. Similar to when you ping a previously unknown host and the first ping fails since the ARP cache is empty for that host.
06-20-2023 05:37 AM
But the problem here is that the firewall is not connected to the Internet as of now, so the VPN will not come up.
06-20-2023 05:42 AM - edited 06-20-2023 05:59 AM
What do you want to get from this packet tracer?
06-20-2023 06:16 AM
At that point I don't believe there will be a way to test this with packet tracer.