07-08-2012 08:20 PM - edited 03-11-2019 04:28 PM
Hi
I got an issue: after enabling the firewall on the router, the user can connect to the VPN but they can't access the local LAN (remote LAN). Everything worked before enabling it using the CCP.
Here is a copy of the config after enabling the firewall:
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
password encryption aes
!
!
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 111
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-http-4
match access-group 113
match protocol http
class-map type inspect match-all sdm-nat-http-5
match access-group 115
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 110
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-http-6
match access-group 116
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 110
match protocol user-protocol--5
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all sdm-cls-im
match class-map ccp-protocol-im
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 108
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-http-7
match access-group 117
match protocol http
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 103
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
match access-group 106
match protocol http
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-2
match access-group 107
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 105
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 104
match protocol smtp
class-map type inspect match-all sdm-nat-http-3
match access-group 109
match protocol http
class-map type inspect match-all sdm-nat-imap-1
match access-group 104
match protocol imap
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-all sdm-nat-http-8
match access-group 104
match protocol http
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 112
match protocol user-protocol--9
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 110
match protocol user-protocol--8
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-echo-1
match access-group 103
match protocol echo
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-pop3s-1
match access-group 104
match protocol pop3s
class-map type inspect match-all sdm-nat-user-protocol--12-1
match access-group 113
match protocol user-protocol--12
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all sdm-nat-user-protocol--13-1
match access-group 104
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 114
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--11-1
match access-group 114
match protocol user-protocol--11
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all sdm-nat-pop3-1
match access-group 104
match protocol pop3
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 102
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-dns-1
match access-group 103
match protocol dns
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all sdm-nat-https-1
match access-group 104
match protocol https
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all sdm-nat-imaps-1
match access-group 104
match protocol imaps
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect match-all sdm-nat-ftp-1
match access-group 111
match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
reset
class type inspect edonkey ccp-app-edonkeydownload
log
reset
class type inspect fasttrack ccp-app-fasttrack
log
reset
class type inspect gnutella ccp-app-gnutella
log
reset
class type inspect kazaa2 ccp-app-kazaa2
log
reset
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-dns-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-imaps-1
inspect
class type inspect sdm-nat-pop3-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-echo-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-http-3
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-ftp-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-user-protocol--8-1
inspect
class type inspect sdm-nat-user-protocol--9-1
inspect
class type inspect sdm-nat-http-4
inspect
class type inspect sdm-nat-user-protocol--10-1
inspect
class type inspect sdm-nat-http-5
inspect
class type inspect sdm-nat-user-protocol--11-1
inspect
class type inspect sdm-nat-http-6
inspect
class type inspect sdm-nat-http-7
inspect
class type inspect sdm-nat-user-protocol--12-1
inspect
class type inspect sdm-nat-user-protocol--13-1
inspect
class type inspect sdm-nat-pop3s-1
inspect
class type inspect sdm-nat-imap-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-8
inspect
class class-default
drop
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
reset
class type inspect msnmsgr ccp-app-msn
log
reset
class type inspect ymsgr ccp-app-yahoo
log
reset
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
allow
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect sdm-cls-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-protocol-im
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security ezvpn-zone
zone security in-zone
zone security out-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group usuariovpn
key usuariovpn
dns 172.17.128.33 172.17.128.24
domain XXXXXXXXXXXXXXXX
pool SDM_POOL_2
acl 101
save-password
include-local-lan
split-dns XXXXXXXXXXXXXXXX
max-users 20
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group usuariovpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback1
ip address 172.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$
ip address XXXXX
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
pvc 1/50
encapsulation aal5snap
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0.1
description Datos$FW_INSIDE$
encapsulation dot1Q 1 native
ip address 172.17.128.250 255.255.192.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface FastEthernet0.20
description $WLAN VISITAS$$FW_INSIDE$
encapsulation dot1Q 20
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface FastEthernet0.100
description $CISCO_VOICE$$FW_INSIDE$
encapsulation dot1Q 100
ip address 10.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
!
interface Virtual-Template1 type tunnel
description VPN corporativo de XXXXX
ip unnumbered ATM0.1
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
ip local pool SDM_POOL_2 192.168.200.200 192.168.200.240
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-top-talkers
top 100
sort-by bytes
!
ip nat inside source static udp 172.17.128.19 53 interface ATM0.1 53
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 172.17.128.33 443 interface ATM0.1 443
ip nat inside source static tcp 172.17.128.33 993 interface ATM0.1 993
ip nat inside source static tcp 172.17.128.33 110 interface ATM0.1 110
ip nat inside source list 20 interface ATM0.1 overload
ip nat inside source static tcp 172.17.128.21 3131 interface ATM0.1 3131
ip nat inside source static tcp 172.17.128.21 3132 interface ATM0.1 3132
ip nat inside source static tcp 172.17.128.19 43 interface ATM0.1 43
ip nat inside source static tcp 172.17.128.19 53 interface ATM0.1 53
ip nat inside source static udp 172.17.128.19 7 interface ATM0.1 7
ip nat inside source static tcp 172.17.128.29 80 interface ATM0.1 5000
ip nat inside source static tcp 172.17.128.28 80 interface ATM0.1 5001
ip nat inside source static tcp 172.17.128.25 8070 interface ATM0.1 8070
ip nat inside source static tcp 172.17.128.44 80 interface ATM0.1 5005
ip nat inside source static tcp 172.17.128.19 7 interface ATM0.1 7
ip nat inside source static tcp 172.17.128.249 8087 interface ATM0.1 8087
ip nat inside source static tcp 172.17.128.249 8088 interface ATM0.1 8088
ip nat inside source static tcp 172.17.128.11 21 interface ATM0.1 21
ip nat inside source static udp 172.17.128.11 21 interface ATM0.1 21
ip nat inside source static tcp 172.17.128.249 8089 interface ATM0.1 8089
ip nat inside source static tcp 172.17.128.20 9675 interface ATM0.1 9675
ip nat inside source static tcp 172.17.128.14 80 interface ATM0.1 8080
ip nat inside source static tcp 172.17.128.24 5555 interface ATM0.1 5555
ip nat inside source static tcp 172.17.128.43 80 interface ATM0.1 5002
ip nat inside source static tcp 172.17.128.24 8090 interface ATM0.1 8090
ip nat inside source static tcp 172.17.128.41 80 interface ATM0.1 5003
ip nat inside source static tcp 172.17.128.42 80 interface ATM0.1 5004
ip nat inside source static tcp 172.17.128.14 8080 interface ATM0.1 8081
ip nat inside source static tcp 172.17.128.33 465 interface ATM0.1 465
ip nat inside source static tcp 172.17.128.33 995 interface ATM0.1 995
ip nat inside source static tcp 172.17.128.33 143 interface ATM0.1 143
ip nat inside source static tcp 172.17.128.33 25 interface ATM0.1 25
ip route 0.0.0.0 0.0.0.0 XXXXXXX permanent
ip route 10.1.1.0 255.255.255.0 172.17.128.7
ip route 10.1.10.0 255.255.255.0 172.17.128.7
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
ip radius source-interface FastEthernet0.1
logging 172.17.128.20
access-list 1 permit 172.17.128.0 0.0.63.255
access-list 20 permit 192.168.100.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 201.198.16.16 0.0.0.3 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any any eq 10000
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 172.17.128.19
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 172.17.128.33
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 172.17.128.21
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 172.17.128.29
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 172.17.128.28
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 172.17.128.25
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 172.17.128.44
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 172.17.128.249
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 172.17.128.11
access-list 112 remark CCP_ACL Category=0
access-list 112 permit ip any host 172.17.128.20
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip any host 172.17.128.14
access-list 114 remark CCP_ACL Category=0
access-list 114 permit ip any host 172.17.128.24
access-list 115 remark CCP_ACL Category=0
access-list 115 permit ip any host 172.17.128.43
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip any host 172.17.128.41
access-list 117 remark CCP_ACL Category=0
access-list 117 permit ip any host 172.17.128.42
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 60 0
logging synchronous
line aux 0
logging synchronous
transport input telnet
transport output telnet
line vty 0 4
exec-timeout 60 0
privilege level 15
length 0
transport input telnet ssh
transport output telnet ssh
Any ideas?
Best Regards.
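As an added illustration (my own script, not part of Guillermo's post and not a Cisco tool), the code below parses the zone, zone-pair and policy-map lines of the configuration above and prints, for every ordered pair of zones, which zone-pair and inspect policy applies, or the zone-based-firewall default when no pair is configured: traffic between two security zones with no zone-pair is dropped, traffic to or from the self zone is permitted, and traffic within one zone is forwarded. Only the sdm-permit-ip and ccp-permit policy-map bodies are copied into the excerpt; the analyzer reports the others as not available rather than guessing their contents.

```python
import re

# Zone, zone-pair and two of the policy-map definitions copied from the
# configuration posted above. The other policy-maps are left out of this
# excerpt on purpose, so the analyzer has to cope with a policy whose body is
# not available.
ZBF_EXCERPT = """\
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
  inspect
 class class-default
  drop
zone security ezvpn-zone
zone security in-zone
zone security out-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
"""

ZONE_RE = re.compile(r"^zone security (\S+)$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
SVC_RE = re.compile(r"^service-policy type inspect (\S+)$")
PMAP_RE = re.compile(r"^policy-map type inspect (\S+)$")  # layer-4 policy-maps only
CLASS_RE = re.compile(r"^class (?:type inspect )?(\S+)$")
ACTIONS = ("pass", "inspect", "drop")


def parse_zbf(text):
    """Return (zones, zone_pairs, policies) from an IOS running-config excerpt."""
    zones, pairs, policies = set(), {}, {}
    pair = pmap = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
            pair = pmap = None
        elif m := PAIR_RE.match(line):
            pair, pmap = m.group(1), None
            pairs[pair] = {"source": m.group(2), "destination": m.group(3), "policy": None}
        elif (m := SVC_RE.match(line)) and pair:
            pairs[pair]["policy"] = m.group(1)
        elif line.startswith("policy-map"):
            m = PMAP_RE.match(line)  # layer-7 policy-maps (http, im, ...) are skipped
            pmap, pair = (m.group(1) if m else None), None
            if pmap:
                policies[pmap] = []
        elif pmap and (m := CLASS_RE.match(line)):
            policies[pmap].append([m.group(1), None])  # action filled in by the next line
        elif pmap and policies[pmap] and line.split()[0] in ACTIONS:
            policies[pmap][-1][1] = line  # e.g. "pass", "inspect", "drop log"
    return zones, pairs, policies


def verdict(pairs, policies, src, dst):
    """Describe how the zone-based firewall handles traffic from zone src to zone dst."""
    if src == dst:
        return "same zone: forwarded without inspection"
    for name, p in pairs.items():
        if p["source"] == src and p["destination"] == dst:
            body = policies.get(p["policy"])
            if body is None:
                return f"zone-pair {name}: policy {p['policy']} (body not in excerpt)"
            actions = ", ".join(f"{cls}={act}" for cls, act in body)
            return f"zone-pair {name}: policy {p['policy']} [{actions}]"
    if "self" in (src, dst):
        return "no zone-pair: self zone traffic is permitted by default"
    return "no zone-pair: dropped by default"


def zone_matrix(text):
    """Verdict for every ordered (source, destination) combination, self zone included."""
    zones, pairs, policies = parse_zbf(text)
    names = sorted(zones) + ["self"]
    return {(s, d): verdict(pairs, policies, s, d) for s in names for d in names}


if __name__ == "__main__":
    for (s, d), v in zone_matrix(ZBF_EXCERPT).items():
        print(f"{s:>11} -> {d:<11} {v}")
```

Run against the posted configuration, the matrix shows that both directions between ezvpn-zone and in-zone carry sdm-permit-ip, whose SDM_IP class is `pass` (stateless, so both pairs are needed and both are present), and that no pair exists between self and ezvpn-zone, which falls back to the self zone's default permit.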
07-08-2012 10:26 PM
Make the VPN accessible at the endpoint of the router only. If PCs in the LAN use the VPN client, then their request frames are encapsulated by the VPN and inaccessible by the local LAN network.
---
Posted by WebUser Abhinaba Acharjee from Cisco Support Community App
07-09-2012 08:40 AM
Thanks.
Sorry, but how can I do it?
07-09-2012 11:31 PM
Guillermo,
Hola. Of course it is not as simple as just putting in a line that says "allow it"; if it were that simple, nobody would be asking questions, right?
Anyway, there is more that we need to check here. Please put "ip inspect log drop-pkt" in global configuration mode and then turn on the logs. You will see exactly where it is being dropped and we can modify the policies accordingly.
Mike
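To make the drop logs Mike is asking for easier to read, here is an added script of my own (not from this thread or from Cisco) that pulls the %FW-6-DROP_PKT messages out of `show logging` output (or the syslog host 172.17.128.20 that the posted config already logs to), counts them per zone-pair, class and reason, and lists which destination services the VPN pool addresses are being blocked from. The sample lines are constructed; the message layout is my recollection of the IOS zone-based firewall format and is an assumption to check against what your router actually prints.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample 'show logging' output for this example. The zone-pair
# names and addresses are taken from the configuration posted in this thread;
# the drop events themselves are invented and are not what that router logged.
# The %FW-6-DROP_PKT layout is my recollection of the IOS message format and is
# an assumption: adjust DROP_RE if your router prints it differently.
SAMPLE_LOG = """\
*Jul  9 10:01:02.111: %FW-6-DROP_PKT: Dropping tcp session 192.168.200.201:49152 172.17.128.33:443 on zone-pair sdm-zp-ezvpn-in1 class class-default due to DROP action found in policy-map with ip ident 0
*Jul  9 10:01:05.223: %FW-6-DROP_PKT: Dropping udp session 192.168.200.201:51000 172.17.128.33:53 on zone-pair sdm-zp-ezvpn-in1 class class-default due to DROP action found in policy-map with ip ident 0
*Jul  9 10:01:07.005: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:40000 172.17.128.19:23 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to DROP action found in policy-map with ip ident 0
*Jul  9 10:01:09.900: %FW-6-DROP_PKT: Dropping tcp session 192.168.200.202:49153 172.17.128.33:443 on zone-pair sdm-zp-ezvpn-in1 class class-default due to DROP action found in policy-map with ip ident 0
*Jul  9 10:02:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<pair>\S+) class (?P<cls>\S+) due to (?P<reason>.+?) with ip ident"
)


def parse_drops(text):
    """Extract one dict per %FW-6-DROP_PKT line; other syslog lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            drops.append(d)
    return drops


def drops_by_policy(drops):
    """Count drops per (zone-pair, class, reason): this names the policy to adjust."""
    return Counter((d["pair"], d["cls"], d["reason"]) for d in drops)


def dropped_services(drops, pool):
    """For sources inside `pool`, map each dropped (proto, dst, dport) to its set of sources."""
    net = ipaddress.ip_network(pool)
    out = defaultdict(set)
    for d in drops:
        if ipaddress.ip_address(d["src"]) in net:
            out[(d["proto"], d["dst"], d["dport"])].add(d["src"])
    return dict(out)


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for (pair, cls, reason), n in drops_by_policy(drops).most_common():
        print(f"{n:3d}  {pair}  class {cls}  ({reason})")
    # 192.168.200.0/24 covers the SDM_POOL_2 client addresses from the posted config
    for (proto, dst, port), srcs in dropped_services(drops, "192.168.200.0/24").items():
        print(f"VPN pool -> {proto} {dst}:{port} blocked for {sorted(srcs)}")
```

The zone-pair and class in the most frequent line of the first table is the policy to look at; the second table separates drops of VPN-client traffic from unrelated Internet noise hitting the NAT zone-pair, so unrelated entries in the log do not send you to the wrong policy-map.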