1024 Views, 0 Helpful, 4 Replies

Cisco NGFW 2210 - VPN Client Issue

Looking for a solution to my issue:

I have a Cisco NGFW 2110 running v6.6.1, and the VPN client had been working. Short story is, I blew away the VPN config because users complained they had no access to the back-end resources after connecting. Now it's still not working, and I'm at a loss about the root cause. Also, when clients connect, they have the "secured routes" listed under route details.

Here is my current config:

: Saved
:
: Diagnostic interface mode: BRIDGE
:

:
: Serial Number: JAD23430KNA
: Hardware: FPR-2110, 6589 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)
:
NGFW Version 6.6.1
!
hostname fw1
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool vpn_dhcp_pool 172.16.100.0-172.16.100.255 mask 255.255.255.0
!
interface Ethernet1/1
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 96.73.205.3 255.255.255.240
!
interface Ethernet1/2
nameif outside_sec
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 107.211.206.26 255.255.255.248
!
interface Ethernet1/3
nameif dmz-sw1
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
interface Ethernet1/3.3
vlan 3
nameif vlan3
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.3.1 255.255.255.0
!
interface Ethernet1/3.5
vlan 5
nameif vlan5
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.5.1 255.255.255.0
!
interface Ethernet1/3.11
vlan 11
nameif vlan11
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.11.1 255.255.255.0
!
interface Ethernet1/3.12
vlan 12
nameif vlan12
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.12.1 255.255.255.0
!
interface Ethernet1/4
nameif dmz-sw2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
interface Ethernet1/4.21
vlan 21
nameif vlan21
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.21.1 255.255.255.0
!
interface Ethernet1/4.22
vlan 22
nameif vlan22
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.22.1 255.255.255.0
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
nameif internal-sw3
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
interface Ethernet1/7.30
vlan 30
nameif vlan30
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.30.1 255.255.255.0
!
interface Ethernet1/7.31
vlan 31
nameif vlan31
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.31.1 255.255.255.0
!
interface Ethernet1/7.32
vlan 32
nameif vlan32
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.32.1 255.255.255.0
!
interface Ethernet1/7.33
vlan 33
nameif vlan33
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.33.1 255.255.255.0
!
interface Ethernet1/7.34
vlan 34
nameif vlan34
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.34.1 255.255.255.0
!
interface Ethernet1/7.39
vlan 39
nameif vlan39
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.39.1 255.255.255.0
!
interface Ethernet1/8
nameif internal-sw4
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
interface Ethernet1/8.40
vlan 40
nameif vlan40
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.40.1 255.255.255.0
!
interface Ethernet1/8.41
vlan 41
nameif vlan41
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.41.1 255.255.255.0
!
interface Ethernet1/8.42
vlan 42
nameif vlan42
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.42.1 255.255.255.0
!
interface Ethernet1/8.43
vlan 43
nameif vlan43
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.43.1 255.255.255.0
!
interface Ethernet1/8.44
vlan 44
nameif vlan44
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.44.1 255.255.255.0
!
interface Ethernet1/8.47
vlan 47
nameif vlan47
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.47.1 255.255.255.0
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/13
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/14
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/15
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/16
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns-group CiscoUmbrellaDNSServerGroup
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network comcast_gw
host 96.73.205.14
object network att_gw
host 107.211.206.30
object network opendns
host 146.112.62.105
object network internal_vlan30
subnet 10.11.30.0 255.255.255.0
object network internal_vlan31
subnet 10.11.31.0 255.255.255.0
object network internal_vlan32
subnet 10.11.32.0 255.255.255.0
object network internal_vlan33
subnet 10.11.33.0 255.255.255.0
object network internal_vlan34
subnet 10.11.34.0 255.255.255.0
object network internal_vlan39
subnet 10.11.39.0 255.255.255.0
object network dmz_vlan10
subnet 10.11.10.0 255.255.255.0
object network dmz_vlan11
subnet 10.11.11.0 255.255.255.0
object network dmz_vlan12
subnet 10.11.12.0 255.255.255.0
object network dmz_vlan13
subnet 10.11.13.0 255.255.255.0
object network dmz_vlan14
subnet 10.11.14.0 255.255.255.0
object network internal_vlan37
subnet 10.11.37.0 255.255.255.0
object network internal_vlan47
subnet 10.11.47.0 255.255.255.0
object network vm_host_1
host 10.11.30.2
object network db_server1.37
host 10.11.37.3
object network db_server1.47
host 10.11.47.3
object network db_server2.37
host 10.11.37.4
object network db_server2.47
host 10.11.47.4
object network vm_host_2
host 10.11.40.2
object network internal_vlan41
subnet 10.11.41.0 255.255.255.0
object network internal_vlan42
subnet 10.11.42.0 255.255.255.0
object network internal_vlan43
subnet 10.11.43.0 255.255.255.0
object network internal_vlan44
subnet 10.11.44.0 255.255.255.0
object network internal_vlan45
subnet 10.11.45.0 255.255.255.0
object network internal_vlan35
subnet 10.11.35.0 255.255.255.0
object network internal_vlan36
subnet 10.11.36.0 255.255.255.0
object network dmz_vlan21
subnet 10.11.21.0 255.255.255.0
object network dmz_vlan22
subnet 10.11.22.0 255.255.255.0
object network vpn_dhcp_pool
subnet 172.16.100.0 255.255.255.0
object network internal_vlan40
subnet 10.11.40.0 255.255.255.0
object network inside_network
subnet 10.11.0.0 255.255.0.0
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435459
service-object ip
object-group service |acSvcg-268435458
service-object ip
object-group network NGFW-Remote-Access-VPN|natIpv4Grp
network-object object internal_vlan30
network-object object internal_vlan31
network-object object internal_vlan32
network-object object internal_vlan33
network-object object internal_vlan34
network-object object internal_vlan35
network-object object internal_vlan36
network-object object internal_vlan37
network-object object internal_vlan39
network-object object internal_vlan41
network-object object internal_vlan42
network-object object internal_vlan43
network-object object internal_vlan44
network-object object internal_vlan45
network-object object internal_vlan47
object-group service |acSvcg-268435469
service-object ip
object-group network NGFW-Remote-Access-VPN|natIpv4PoolGrp
network-object object vpn_dhcp_pool
object-group network |acDestNwg-268435459
network-object object internal_vlan30
network-object object internal_vlan31
network-object object internal_vlan34
network-object object internal_vlan35
network-object object internal_vlan36
network-object object internal_vlan37
network-object object internal_vlan39
network-object object internal_vlan40
network-object object internal_vlan41
network-object object internal_vlan42
network-object object internal_vlan43
network-object object internal_vlan44
network-object object internal_vlan45
network-object object internal_vlan47
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: outisde-to-internal_sw3
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc internal-sw3 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc internal-sw4 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan30 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan31 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan32 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan33 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan34 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan39 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan40 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan41 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan42 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan43 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc outside object vpn_dhcp_pool ifc vlan44 object-group |acDestNwg-268435459 rule-id 268435459 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc internal-sw3 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc internal-sw4 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan30 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan31 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan32 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan33 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan34 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan39 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan40 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan41 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan42 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan43 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 ifc vlan44 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435469: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435469: L5 RULE: vpn-pool_to_internal
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc internal-sw3 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc vlan30 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc vlan31 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc vlan32 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc vlan33 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc vlan34 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 object vpn_dhcp_pool ifc vlan39 any rule-id 268435469 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: dmz_outside_comcast
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc dmz-sw1 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc dmz-sw2 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc vlan11 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc vlan12 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc vlan21 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc vlan22 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc vlan3 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc vlan5 any ifc outside any rule-id 268435458
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list remote_vpn extended permit ip 172.16.100.0 255.255.255.0 10.11.30.0 255.255.255.0 log default
access-list remote_vpn extended permit ip 172.16.100.0 255.255.255.0 10.11.40.0 255.255.255.0 log default
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan30 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan31 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan32 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan33 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan34 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan35 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan36 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan37 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan39 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan40 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan41 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan42 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan43 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan44 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan45 any
access-list DfltGrpPolicy|splitAcl extended permit ip object internal_vlan47 any
access-list DfltGrpPolicy|splitAcl extended permit ip object vpn_dhcp_pool any
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu outside 1500
mtu outside_sec 1500
mtu dmz-sw1 1500
mtu vlan3 1500
mtu vlan5 1500
mtu vlan11 1500
mtu vlan12 1500
mtu dmz-sw2 1500
mtu vlan21 1500
mtu vlan22 1500
mtu internal-sw3 1500
mtu vlan30 1500
mtu vlan31 1500
mtu vlan32 1500
mtu vlan33 1500
mtu vlan34 1500
mtu vlan39 1500
mtu internal-sw4 1500
mtu vlan40 1500
mtu vlan41 1500
mtu vlan42 1500
mtu vlan43 1500
mtu vlan44 1500
mtu diagnostic 1500
mtu vlan47 1500
no failover
monitor-interface vlan3
monitor-interface vlan5
monitor-interface vlan11
monitor-interface vlan12
monitor-interface vlan21
monitor-interface vlan22
no monitor-interface internal-sw3
monitor-interface vlan30
monitor-interface vlan31
monitor-interface vlan32
monitor-interface vlan33
monitor-interface vlan34
monitor-interface vlan39
no monitor-interface internal-sw4
monitor-interface vlan40
monitor-interface vlan41
monitor-interface vlan42
monitor-interface vlan43
monitor-interface vlan44
monitor-interface vlan47
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
nat (vlan40,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (vlan31,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (vlan30,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (internal-sw4,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (internal-sw3,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (any,outside) source dynamic any-ipv4 interface
nat (internal-sw3,outside) source static any any
!
object network vpn_dhcp_pool
nat (any,any) static inside_network
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 90.73.205.14 1 track 1
route outside_sec 0.0.0.0 0.0.0.0 10.211.206.30 254 track 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 outside_sec
http ::/0 outside_sec
ip-client vlan47 ipv6
ip-client vlan47
ip-client vlan5
ip-client vlan5 ipv6
ip-client vlan3
ip-client vlan3 ipv6
ip-client vlan12
ip-client vlan12 ipv6
ip-client vlan11
ip-client vlan11 ipv6
ip-client diagnostic
ip-client diagnostic ipv6
ip-client outside_sec
ip-client outside_sec ipv6
ip-client outside
ip-client outside ipv6
ip-client vlan30
ip-client vlan30 ipv6
ip-client vlan31
ip-client vlan31 ipv6
ip-client vlan32
ip-client vlan32 ipv6
ip-client vlan33
ip-client vlan33 ipv6
ip-client vlan34
ip-client vlan34 ipv6
ip-client vlan39
ip-client vlan39 ipv6
ip-client vlan22
ip-client vlan22 ipv6
ip-client vlan21
ip-client vlan21 ipv6
ip-client dmz-sw1
ip-client dmz-sw1 ipv6
ip-client dmz-sw2
ip-client dmz-sw2 ipv6
ip-client internal-sw3
ip-client internal-sw3 ipv6
ip-client vlan41
ip-client vlan41 ipv6
ip-client internal-sw4
ip-client internal-sw4 ipv6
ip-client vlan42
ip-client vlan42 ipv6
ip-client vlan40
ip-client vlan40 ipv6
ip-client vlan43
ip-client vlan43 ipv6
ip-client vlan44
ip-client vlan44 ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
no sysopt connection permit-vpn
sla monitor 2506626
type echo protocol ipIcmpEcho 146.112.62.105 interface outside
num-packets 3
sla monitor schedule 2506626 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint DefaultInternalCertificate
enrollment terminal
keypair DefaultInternalCertificate
crl configure
crypto ca trustpool policy
crypto ca certificate chain DefaultInternalCertificate
crypto ikev2 policy 100
encryption des
integrity sha
group 14
prf sha
lifetime seconds 86400
crypto ikev2 policy 101
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 policy 150
authentication rsa-sig
encryption des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 160
authentication pre-share
encryption des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 161
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
!
track 1 rtr 2506626 reachability
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.11.11.70-10.11.11.120 vlan11
dhcpd enable vlan11
!
dhcpd address 10.11.30.70-10.11.30.95 vlan30
dhcpd enable vlan30
!
dhcpd address 10.11.31.70-10.11.31.95 vlan31
dhcpd enable vlan31
!
dhcpd address 10.11.32.70-10.11.32.120 vlan32
dhcpd enable vlan32
!
dhcpd address 10.11.33.70-10.11.33.95 vlan33
dhcpd enable vlan33
!
dhcpd address 10.11.34.70-10.11.34.120 vlan34
dhcpd enable vlan34
!
dhcpd address 10.11.39.70-10.11.39.120 vlan39
dhcpd enable vlan39
!
dhcpd address 10.11.41.70-10.11.41.120 vlan41
dhcpd enable vlan41
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point DefaultInternalCertificate outside
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.8.03036-webdeploy-k9.pkg 2
anyconnect profiles defaultClientProfile disk0:/anyconncprofs/defaultClientProfile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
group-policy DfltGrpPolicy attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-simultaneous-logins 5
vpn-filter value remote_vpn
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DfltGrpPolicy|splitAcl
split-tunnel-all-dns enable
webvpn
anyconnect ssl dtls none
anyconnect profiles value defaultClientProfile type user
dynamic-access-policy-record DfltAccessPolicy
username ric password ***** pbkdf2
username lomon password ***** pbkdf2
tunnel-group remote-vpn-profile type remote-access
tunnel-group remote-vpn-profile general-attributes
address-pool vpn_dhcp_pool
tunnel-group remote-vpn-profile webvpn-attributes
group-alias remote-vpn-profile enable
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect snmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:5fd259cb737d7e05ed76ed7185961699
: end

4 Replies

nspasov (Cisco Employee)

1. Are you bypassing VPN traffic from firewall inspection? If not, do you have explicit rules to allow traffic coming from the VPN to access the back-end resources?

2. Do you have NAT in place? If yes, do you have the proper NAT configuration to exclude internal resources from being NATed when trying to reach VPN clients?

Thank you for rating helpful posts!

Question 1: yes, I do have an explicit rule to allow VPN clients to the internal VLANs.

Question 2: NAT is my skill-set weakness. Here is what I have today:

> show nat
Manual NAT Policies (Section 1)
1 (vlan48) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
2 (vlan47) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (vlan46) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
4 (vlan45) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (vlan43) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (vlan42) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
7 (vlan41) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (vlan40) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
9 (vlan39) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote- Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW -Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (vlan38) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
11 (vlan37) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (vlan36) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (vlan35) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (vlan34) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (vlan33) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
16 (vlan32) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
17 (vlan31) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
18 (vlan30) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 10929, untranslate_hits = 0
19 (internal-sw4) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
20 (internal-sw3) to (outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
21 (any) to (outside) source dynamic any interface
translate_hits = 8307, untranslate_hits = 42

Auto NAT Policies (Section 2)
1 (nlp_int_tap) to (outside_sec) source static nlp_server_0_http_intf7 interface service tcp https https
translate_hits = 0, untranslate_hits = 348
2 (nlp_int_tap) to (vlan31) source dynamic nlp_client_0_intf10 interface
translate_hits = 0, untranslate_hits = 0
3 (nlp_int_tap) to (vlan32) source dynamic nlp_client_0_intf11 interface
translate_hits = 0, untranslate_hits = 0
4 (nlp_int_tap) to (vlan33) source dynamic nlp_client_0_intf12 interface
translate_hits = 0, untranslate_hits = 0
5 (nlp_int_tap) to (vlan34) source dynamic nlp_client_0_intf13 interface
translate_hits = 0, untranslate_hits = 0
6 (nlp_int_tap) to (vlan39) source dynamic nlp_client_0_intf14 interface
translate_hits = 0, untranslate_hits = 0
7 (nlp_int_tap) to (vlan22) source dynamic nlp_client_0_intf15 interface
translate_hits = 0, untranslate_hits = 0
8 (nlp_int_tap) to (vlan21) source dynamic nlp_client_0_intf16 interface
translate_hits = 0, untranslate_hits = 0
9 (nlp_int_tap) to (dmz-sw1) source dynamic nlp_client_0_intf17 interface
translate_hits = 0, untranslate_hits = 0
10 (nlp_int_tap) to (dmz-sw2) source dynamic nlp_client_0_intf18 interface
translate_hits = 0, untranslate_hits = 0
11 (nlp_int_tap) to (vlan41) source dynamic nlp_client_0_intf19 interface
translate_hits = 0, untranslate_hits = 0
12 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_intf2 interface
translate_hits = 0, untranslate_hits = 0
13 (nlp_int_tap) to (vlan42) source dynamic nlp_client_0_intf20 interface
translate_hits = 0, untranslate_hits = 0
14 (nlp_int_tap) to (vlan40) source dynamic nlp_client_0_intf21 interface
translate_hits = 0, untranslate_hits = 0
15 (nlp_int_tap) to (vlan43) source dynamic nlp_client_0_intf22 interface
translate_hits = 0, untranslate_hits = 0
16 (nlp_int_tap) to (vlan44) source dynamic nlp_client_0_intf23 interface
translate_hits = 0, untranslate_hits = 0
17 (nlp_int_tap) to (vlan47) source dynamic nlp_client_0_intf24 interface
translate_hits = 0, untranslate_hits = 0
18 (nlp_int_tap) to (vlan35) source dynamic nlp_client_0_intf25 interface
translate_hits = 0, untranslate_hits = 0
19 (nlp_int_tap) to (vlan36) source dynamic nlp_client_0_intf26 interface
translate_hits = 0, untranslate_hits = 0
20 (nlp_int_tap) to (vlan37) source dynamic nlp_client_0_intf27 interface
translate_hits = 0, untranslate_hits = 0
21 (nlp_int_tap) to (vlan38) source dynamic nlp_client_0_intf28 interface
translate_hits = 0, untranslate_hits = 0
22 (nlp_int_tap) to (internal-sw3) source dynamic nlp_client_0_intf29 interface
translate_hits = 0, untranslate_hits = 0
23 (nlp_int_tap) to (vlan5) source dynamic nlp_client_0_intf3 interface
translate_hits = 0, untranslate_hits = 0
24 (nlp_int_tap) to (vlan45) source dynamic nlp_client_0_intf30 interface
translate_hits = 0, untranslate_hits = 0
25 (nlp_int_tap) to (vlan46) source dynamic nlp_client_0_intf31 interface
translate_hits = 0, untranslate_hits = 0
26 (nlp_int_tap) to (vlan48) source dynamic nlp_client_0_intf32 interface
translate_hits = 0, untranslate_hits = 0
27 (nlp_int_tap) to (internal-sw4) source dynamic nlp_client_0_intf33 interface
translate_hits = 0, untranslate_hits = 0
28 (nlp_int_tap) to (vlan3) source dynamic nlp_client_0_intf4 interface
translate_hits = 0, untranslate_hits = 0
29 (nlp_int_tap) to (vlan12) source dynamic nlp_client_0_intf5 interface
translate_hits = 0, untranslate_hits = 0
30 (nlp_int_tap) to (vlan11) source dynamic nlp_client_0_intf6 interface
translate_hits = 0, untranslate_hits = 0
31 (nlp_int_tap) to (outside_sec) source dynamic nlp_client_0_intf7 interface
translate_hits = 0, untranslate_hits = 0
32 (nlp_int_tap) to (outside) source dynamic nlp_client_0_intf8 interface
translate_hits = 0, untranslate_hits = 0
33 (nlp_int_tap) to (vlan30) source dynamic nlp_client_0_intf9 interface
translate_hits = 0, untranslate_hits = 0
34 (nlp_int_tap) to (vlan31) source dynamic nlp_client_0_ipv6_intf10 interface ipv6
translate_hits = 0, untranslate_hits = 0
35 (nlp_int_tap) to (vlan32) source dynamic nlp_client_0_ipv6_intf11 interface ipv6
translate_hits = 0, untranslate_hits = 0
36 (nlp_int_tap) to (vlan33) source dynamic nlp_client_0_ipv6_intf12 interface ipv6
translate_hits = 0, untranslate_hits = 0
37 (nlp_int_tap) to (vlan34) source dynamic nlp_client_0_ipv6_intf13 interface ipv6
translate_hits = 0, untranslate_hits = 0
38 (nlp_int_tap) to (vlan39) source dynamic nlp_client_0_ipv6_intf14 interface ipv6
translate_hits = 0, untranslate_hits = 0
39 (nlp_int_tap) to (vlan22) source dynamic nlp_client_0_ipv6_intf15 interface ipv6
translate_hits = 0, untranslate_hits = 0
40 (nlp_int_tap) to (vlan21) source dynamic nlp_client_0_ipv6_intf16 interface ipv6
translate_hits = 0, untranslate_hits = 0
41 (nlp_int_tap) to (dmz-sw1) source dynamic nlp_client_0_ipv6_intf17 interface ipv6
translate_hits = 0, untranslate_hits = 0
42 (nlp_int_tap) to (dmz-sw2) source dynamic nlp_client_0_ipv6_intf18 interface ipv6
translate_hits = 0, untranslate_hits = 0
43 (nlp_int_tap) to (vlan41) source dynamic nlp_client_0_ipv6_intf19 interface ipv6
translate_hits = 0, untranslate_hits = 0
44 (nlp_int_tap) to (diagnostic) source dynamic nlp_client_0_ipv6_intf2 interface ipv6
translate_hits = 0, untranslate_hits = 0
45 (nlp_int_tap) to (vlan42) source dynamic nlp_client_0_ipv6_intf20 interface ipv6
translate_hits = 0, untranslate_hits = 0
46 (nlp_int_tap) to (vlan40) source dynamic nlp_client_0_ipv6_intf21 interface ipv6
translate_hits = 0, untranslate_hits = 0
47 (nlp_int_tap) to (vlan43) source dynamic nlp_client_0_ipv6_intf22 interface ipv6
translate_hits = 0, untranslate_hits = 0
48 (nlp_int_tap) to (vlan44) source dynamic nlp_client_0_ipv6_intf23 interface ipv6
translate_hits = 0, untranslate_hits = 0
49 (nlp_int_tap) to (vlan47) source dynamic nlp_client_0_ipv6_intf24 interface ipv6
translate_hits = 0, untranslate_hits = 0
50 (nlp_int_tap) to (vlan35) source dynamic nlp_client_0_ipv6_intf25 interface ipv6
translate_hits = 0, untranslate_hits = 0
51 (nlp_int_tap) to (vlan36) source dynamic nlp_client_0_ipv6_intf26 interface ipv6
translate_hits = 0, untranslate_hits = 0
52 (nlp_int_tap) to (vlan37) source dynamic nlp_client_0_ipv6_intf27 interface ipv6
translate_hits = 0, untranslate_hits = 0
53 (nlp_int_tap) to (vlan38) source dynamic nlp_client_0_ipv6_intf28 interface ipv6
translate_hits = 0, untranslate_hits = 0
54 (nlp_int_tap) to (internal-sw3) source dynamic nlp_client_0_ipv6_intf29 interface ipv6
translate_hits = 0, untranslate_hits = 0
55 (nlp_int_tap) to (vlan5) source dynamic nlp_client_0_ipv6_intf3 interface ipv6
translate_hits = 0, untranslate_hits = 0
56 (nlp_int_tap) to (vlan45) source dynamic nlp_client_0_ipv6_intf30 interface ipv6
translate_hits = 0, untranslate_hits = 0
57 (nlp_int_tap) to (vlan46) source dynamic nlp_client_0_ipv6_intf31 interface ipv6
translate_hits = 0, untranslate_hits = 0
58 (nlp_int_tap) to (vlan48) source dynamic nlp_client_0_ipv6_intf32 interface ipv6
translate_hits = 0, untranslate_hits = 0
59 (nlp_int_tap) to (internal-sw4) source dynamic nlp_client_0_ipv6_intf33 interface ipv6
translate_hits = 0, untranslate_hits = 0
60 (nlp_int_tap) to (vlan3) source dynamic nlp_client_0_ipv6_intf4 interface ipv6
translate_hits = 0, untranslate_hits = 0
61 (nlp_int_tap) to (vlan12) source dynamic nlp_client_0_ipv6_intf5 interface ipv6
translate_hits = 0, untranslate_hits = 0
62 (nlp_int_tap) to (vlan11) source dynamic nlp_client_0_ipv6_intf6 interface ipv6
translate_hits = 0, untranslate_hits = 0
63 (nlp_int_tap) to (outside_sec) source dynamic nlp_client_0_ipv6_intf7 interface ipv6
translate_hits = 0, untranslate_hits = 0
64 (nlp_int_tap) to (outside) source dynamic nlp_client_0_ipv6_intf8 interface ipv6
translate_hits = 0, untranslate_hits = 0
65 (nlp_int_tap) to (vlan30) source dynamic nlp_client_0_ipv6_intf9 interface ipv6
translate_hits = 0, untranslate_hits = 0

nspasov
Cisco Employee

Have you tried running packet-tracer? Would be good to see the output from it. 

Here's the latest packet tracer from a VPN to an inside host


packet-tracer input vlan30 icmp 172.16.100.1 8 0 10.11.30.2 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc1b8d790, priority=1, domain=permit, deny=false
hits=1045, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=vlan30, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.11.30.2 using egress ifc vlan30(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435479 ifc vlan30 any ifc vlan30 any rule-id 268435479 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435479: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435479: L5 RULE: internal_to_internal
object-group service |acSvcg-268435479
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffc8aa3460, priority=12, domain=permit, deny=false
hits=0, user_data=0xffae3ca500, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=vlan30(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=vlan30(vrfid:0), vlan=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc16916a0, priority=0, domain=nat-per-session, deny=true
hits=10655, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc1b92e00, priority=0, domain=inspect-ip-options, deny=true
hits=1294, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=vlan30(vrfid:0), output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc207b5d0, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0xffc206e590, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=vlan30(vrfid:0), output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc20a2550, priority=70, domain=inspect-icmp-error, deny=false
hits=1, user_data=0xffc2095510, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=vlan30(vrfid:0), output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffc16916a0, priority=0, domain=nat-per-session, deny=true
hits=10657, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffc1b92e00, priority=0, domain=inspect-ip-options, deny=true
hits=1296, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=vlan30(vrfid:0), output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9221, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
Session: new snort session
Firewall: allow rule, id 268435479, allow
Snort id 0, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.11.30.2 using egress ifc vlan30(vrfid:0)

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.11.30.2 on interface vlan30
Adjacency :Active
MAC address c81f.66dd.36b3 hits 0 reference 1

Result:
input-interface: vlan30(vrfid:0)
input-status: up
input-line-status: up
output-interface: vlan30(vrfid:0)
output-status: up
output-line-status: up
Action: allow

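Added helper, not part of this thread or of Cisco's tooling: it parses packet-tracer output in the layout shown above (numbered Phase blocks, then a trailing Result block) into a compact verdict, so the first DROP phase and the box's Drop-reason line stand out instead of being buried in the per-phase rule dumps. The embedded trace is a constructed, shortened sample, not the output posted above.

```python
# Constructed, shortened trace in the layout packet-tracer prints (not the trace posted above).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW

Result:
input-interface: vlan30(vrfid:0)
output-interface: vlan30(vrfid:0)
Action: allow
"""

def parse_trace(text):
    """Return (phases, final): one dict per Phase block, plus the key/value pairs of the final Result block."""
    phases, final, cur, in_final = [], {}, None, False
    for line in text.splitlines():
        if line.startswith("Phase: "):
            cur = {"number": int(line.split()[1]), "type": "", "subtype": "", "result": "", "detail": []}
            phases.append(cur)
        elif line.strip() == "Result:":  # a bare "Result:" opens the trailing summary block
            in_final, cur = True, None
        elif in_final and ": " in line:
            key, value = line.split(": ", 1)
            final[key.strip()] = value.strip()
        elif cur is not None:
            key, _, value = line.partition(":")
            if key.lower() in ("type", "subtype", "result"):
                cur[key.lower()] = value.strip()
            else:
                cur["detail"].append(line)  # Config / Additional Information lines of this phase
    return phases, final

def summarize(text):
    """Compact verdict: ingress/egress interface, the phase chain, and the first DROP phase if any."""
    phases, final = parse_trace(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "phases": [p["type"] for p in phases],
        "input_ifc": final.get("input-interface", "").split("(")[0],
        "output_ifc": final.get("output-interface", "").split("(")[0],
        "action": final.get("Action"),
        "drop_phase": f'{drop["number"]}:{drop["type"]}' if drop else None,
        "drop_reason": final.get("Drop-reason"),  # the box prints this line only on a drop
    }
```

When tracing a remote-access VPN client, the decrypted packet enters on the interface the tunnel terminates on, so the input interface given to packet-tracer should be that one rather than an inside VLAN; the summary's input_ifc field shows which interface a trace was actually run against.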