09-06-2022 07:05 AM
Hey all:
Not exactly my forte here. Just being up front that these ASA units are a challenge for me. I'm mainly a Cisco Switch guy.
Working to resolve an issue. I have a 5506 (REMOTE) connected via Site to Site VPN to a 5505 (CORP). The system was up for the past couple years. Recently, the device was reset by a third party vendor. I found an old backup of the device config and restored it. I'm not sure if this was the most recent TBH.
Anyways, the device comes up and is mainly working but for a printer issue:
I have a printer at the REMOTE site that I can ping from CORP, but cannot pull up the HTTP UI. The device works at the REMOTE SITE, no problem. A Packet-tracer from the CORP ASA shows that access is allowed. A packet-tracer from the REMOTE (5506) shows it's dropped. I do not understand why. It has an explicit ACL Allow (from any to 192.168.9.85 http). I have bolded the part of the packet-trace where it shows drop.
I'm pulling my hair out. I'm really looking for an IT Guru here to help me figure this one out. This is a key printer I need to get online today. HELP!
My running-config is attached. Packet-trace below.
PACKET-TRACE Output
ciscoasa# packet-tracer input outside tcp 10.20.0.253 http 192.168.9.85 http
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.9.85 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access in interface outside
access-list global_access remark ALLOW PRTR
access-list global_access extended permit tcp any host 192.168.9.85 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fca600c0f40, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fca58a0abc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=192.168.9.85, mask=255.255.255.255, port=80, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static LOCKPORT_LAN LOCKPORT_LAN destination static 1100MILITARY_LAN 1100MILITARY_LAN no-proxy-arp route-lookup
Additional Information:
Static translate 10.20.0.253/80 to 10.20.0.253/80
Forward Flow based lookup yields rule:
in id=0x7fca5f0b70f0, priority=6, domain=nat, deny=false
hits=22007, user_data=0x7fca5f048080, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.9.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fca5e39ad20, priority=0, domain=nat-per-session, deny=false
hits=116390, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fca5efc59f0, priority=0, domain=inspect-ip-options, deny=true
hits=75475, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fca5e3b1bd0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=5112, user_data=0xa6cc, cs_id=0x7fca5f9e3b20, reverse, flags=0x0, protocol=0
src ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.9.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
09-06-2022 07:14 AM
PS. Wondering if this is a NAT ISSUE, not an ACL ISSUE?
My Corp hq subnet is 10.20.0.0/16. My REMOTE (5506) LAN is 192.168.9.0/24.
I need to allow all from both nets to pass both ways as these subnets are fully trusted in my environment.
Like I said above, this is not my forte.
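As an added example (not part of the post or Cisco's tooling), the following Python parser reads ASA packet-tracer output and reports which phase dropped the flow, which lookup domain that phase matched, and the final Drop-reason, so an earlier ACL permit is not mistaken for the final decision. The function names are my own, and the sample input is an abbreviated copy of the trace above.

```python
import re

# Abbreviated copy of the packet-tracer output quoted in the post (other phases omitted), used as sample input.
SAMPLE_TRACE = """\
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group global_access in interface outside
access-list global_access extended permit tcp any host 192.168.9.85 eq www
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
in id=0x7fca5e3b1bd0, priority=70, domain=ipsec-tunnel-flow, deny=false
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(trace):
    """Split ASA packet-tracer output into per-phase dicts plus the final verdict."""
    phases, verdict, cur, section = [], {}, None, None
    for line in (l.strip() for l in trace.splitlines() if l.strip()):
        key, _, val = line.partition(":")
        if key == "Phase":                        # header of a new phase
            phases.append(cur := {"phase": int(val), "config": [], "info": []})
            section = None
        elif line == "Result:":                   # bare 'Result:' opens the final summary
            cur, section = None, "verdict"
        elif section == "verdict":
            verdict[key] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if key == "Config" else "info"
        elif key in ("Type", "Subtype", "Result") and cur is not None:
            cur[key.lower()] = val.strip()
        elif cur is not None:                     # body line of the current Config/Info block
            cur[section or "info"].append(line)
    return phases, verdict

def summarize(trace):
    """Return (action, drop phase number, type/subtype, matched lookup domain, drop reason)."""
    phases, verdict = parse_packet_tracer(trace)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    dom = re.search(r"domain=([\w-]+)", " ".join(drop["info"])) if drop else None
    return (verdict.get("Action"), drop and drop["phase"], drop and f'{drop.get("type")}/{drop.get("subtype")}',
            dom and dom.group(1), verdict.get("Drop-reason"))
```

On the trace above this reports the drop at phase 6 in the ipsec-tunnel-flow domain, while phase 2 still records the ACL permit.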