Cisco Firepower FPR1120 - Ping does not work from outside to inside

Patts
Level 1

Hi,

 

I'm trying to test the connectivity on my current network setup on the FPR1120 device, but I cannot make a successful ping from outside to an inside host (inside to outside is working fine). I'm just wondering if ICMP is blocked by default from outside to inside, but I can see the ICMP inspection was enabled. NAT and policy rules are already created. Let me know if anyone can share the basic configuration in FDM to enable this access.

 

Thanks,

Pat 

9 Replies

@Patts Everything from outside to inside would be blocked by default; you have to explicitly permit inbound traffic. Run packet-tracer to simulate the traffic flow and provide the output for review. This should indicate whether your NAT and ACP rules are the problem.

Hi Rob, below is my result. Thanks in advance.

 

> packet-tracer input INSIDE icmp 10.2.1.1 8 0 10.64.1.100
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.64.1.100 using egress ifc  data(vrfid:0)
 
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 object any-ipv4 object TESTPC rule-id 268435471 
access-list NGFW_ONBOX_ACL remark rule-id 268435471: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435471: L5 RULE: Allow_Outside_To_Inside
object-group service |acSvcg-268435471
 service-object ip 
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
 
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 
Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 
Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 
Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 300233, packet dispatched to next module
 
Phase: 11
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
 
Phase: 12
Type: SNORT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
Session: new snort session
Firewall: allow rule, id 268435471, allow
Snort id 1, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
 
Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.64.1.100 using egress ifc  data(vrfid:0)
 
Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.64.1.100 on interface  data
Adjacency :Active
MAC address 54ee.7521.4c75 hits 73 reference 1
 
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: data(vrfid:0)
output-status: up
output-line-status: up
Action: allow
 
 

@Patts you've run that packet-tracer from source "inside"; you would need to run that from "outside" if you are having a problem communicating from outside to inside and want to simulate the traffic flow.

I assume your "outside" interface is called "data"?

Hi Rob, thanks for the quick reply. Please check below. Btw, data is my inside interface subnet for the host 10.64.1.100.

 

> packet-tracer input OUTSIDE icmp 10.2.1.1 8 0 10.64.1.100
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.64.1.100 using egress ifc data(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 ifc outside object any-ipv4 ifc data object TESTPC rule-id 268435471
access-list NGFW_ONBOX_ACL remark rule-id 268435471: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435471: L5 RULE: Allow_Outside_To_Inside
object-group service |acSvcg-268435471
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (data,outside) source dynamic 10.64.1.0_24 interface
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055a8dd5243b6 flow (nat-rpf-failed)/snp_sp_action_cb:1140
>

@Patts NAT is the problem.

 

Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (data,outside) source dynamic 10.64.1.0_24 interface

Create a NAT exemption rule between the source and destination networks to ensure traffic is not unintentionally translated.

Sorry Rob, do you mean not to create a new ACP, but just update my NAT? Any sample you can provide? Cheers!

@Patts create a new NAT rule that does not translate the traffic behind the interface, as per your current rule.

 

See task 3 in this example

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#anc9
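The fix Rob describes, written out in the CLI form the rules take in the running config (an added illustration, not configuration from this thread or from Cisco's document; in FDM the rule itself is built in the GUI as a Manual NAT rule). The network object OUTSIDE_TEST_HOST, with the packet-tracer source 10.2.1.1 as its member, is an assumption.

```cisco
! --- Rule that causes the drop (from packet-tracer Phase 8, Subtype: rpf-check) ---
! Every flow between "data" (inside) and "outside" is PATed to the outside
! interface address. An inbound packet addressed to 10.64.1.100 therefore
! fails the NAT reverse-path check: on the outside side the firewall expects
! to see the interface IP, not the real inside address.
nat (data,outside) source dynamic 10.64.1.0_24 interface

! --- Added NAT exemption (identity / "no translation") rule ---
! Assumed object for the outside test host used in the packet-tracer run.
object network OUTSIDE_TEST_HOST
 host 10.2.1.1

! Source and destination are translated to themselves, so nothing is
! rewritten in either direction. The line number 1 places it ABOVE the
! dynamic PAT rule; manual NAT is evaluated top-down and the first match wins,
! so order matters. Keep the "destination static" clause: without it the rule
! would exempt all inside-to-outside traffic from PAT and break outbound access.
! no-proxy-arp and route-lookup are the usual companions of identity NAT so the
! firewall does not answer ARP for, or route by, the untranslated addresses.
nat (data,outside) 1 source static 10.64.1.0_24 10.64.1.0_24 destination static OUTSIDE_TEST_HOST OUTSIDE_TEST_HOST no-proxy-arp route-lookup

! --- Verify ---
! Re-run the same simulation as before; the NAT phase should now report
! Result: ALLOW and the final Action should be allow instead of drop.
! packet-tracer input OUTSIDE icmp 10.2.1.1 8 0 10.64.1.100
```

The ACP rule Allow_Outside_To_Inside already permits the flow (Phase 3 in the trace), which is why no access-policy change is needed alongside the NAT rule.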

 

Thanks Rob.

Now it's working perfectly.

Super!!
