Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
1
Replies

Blocked traffic flow..

rmaxson2
Level 1
Level 1

‎03-06-2008 08:13 AM - edited ‎03-11-2019 05:13 AM

I get the same results pinging in eiter direction through the VPN tunnel (tunnel is working fine) below is a trace and included is the config.

HO1ASA02# packet-trace input inside icmp 10.1.6.121 3 1 10.60.50.1

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 Outside

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.1.0.0 255.255.240.0 Inside

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group Inside_access_in in interface Inside

access-list Inside_access_in extended permit ip object-group IT_DEPT any

object-group network IT_DEPT

description: IT IP Address Group 10.1.6.0/24

network-object 10.1.6.0 255.255.255.0

network-object host 10.1.7.166

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat (Inside) 0 access-list nat0

nat-control

match ip Inside any Outside 10.60.50.0 255.255.255.0

NAT exempt

translate_hits = 6, untranslate_hits = 200

Additional Information:

Phase: 10

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (Inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip Inside any Outside any

dynamic translation to pool 1 (*.*.*.70)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 11

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (Inside) 1 0.0.0.0 0.0.0.0

nat-control

match ip Inside any Outside any

dynamic translation to pool 1 (63.85.131.70)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 12

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Labels:
22214-Cyber-test
0 Helpful
1 Reply 1

brettmilborrow
Level 1
Level 1

‎03-06-2008 08:30 AM

Your routing is not configured correctly:

Result:

input-interface: Inside

output-interface: Inside

Check that you have reverse-route configured on your crypto map entry, or manually add the routes your firewall.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card