ADSL modem <-> Cisco 877 <-> internal network problems!

Damien Silman · ‎11-11-2013

Hi all,

Due to some ongoing issues with dsl interface firmwares and the kit held in our ISP exchanges; we are havign to resort to substituting out the Cisco 877 ADSL atm interface and using a seperate router supplied by the ISP to make the initial connection.

I am struggling to get the 877 to do what I want it to now though; and have subsequently found it can only handle two VLANs.

So; my ISP provided router/modem connects to the net, anythign connected to it browses fine.

This is on subnet 192.168.1.0/24 and IP 192.168.1.254 is the router

I have a port on the 877 configured in this subnet, and in VLAN666 (so i can apply ip nat outisde)

This is on 192.168.1.139

Additionally I am using VLAN1 for corporate traffic on 172.30.59.0/24 subnet and if it could handle an additional VLAN I'd also be using 10.30.59.0/24 for voice, but that's a seperate issue (unless you have any helpful suggestions!)

The 877 can ping everything, unless I tell it to use source VLAN1.

Laptop connected to to VLAN1 can ping VLAN1, VLAN666 but not 192.168.1.254 or any internet based hosts.

ISP router can ping 192.168.1.139 on the 877 but no further.

This all stinks of NAT issues but I can't figure it out; config below:

ITTEST#show run

Building configuration...

Current configuration : 4282 bytes

!

! Last configuration change at 16:10:10 GMT Mon Nov 11 2013

! NVRAM config last updated at 16:10:14 GMT Mon Nov 11 2013

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname ITTEST

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 10240

logging console critical

enable secret

enable password

!

no aaa new-model

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

!

dot11 syslog

no ip source-route

ip dhcp excluded-address 172.30.59.1 172.30.59.100

!

ip dhcp pool dhcppool

import all

network 172.30.59.0 255.255.255.0

default-router 172.30.59.1

dns-server 172.30.59.1 172.20.0.120 172.20.0.121

domain-name gratte.com

update arp

!

ip cef

ip domain name gratte.com

ip name-server 192.168.1.254

ip name-server 172.20.0.120

ip name-server 172.20.0.121

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key <presharedkey> address xxx.xxx.xxx.xxx no-xauth

!

crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC-VPN

set transform-set 3DESSHA

!

archive

log config

hidekeys

!

interface Tunnel0

description --- IPSec Tunnel to KX ---

ip address 172.30.60.1 255.255.255.0

ip ospf mtu-ignore

load-interval 30

tunnel source Vlan1

tunnel destination xxx.xxx.xxx.xxx

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-VPN

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface FastEthernet0

description DATA

spanning-tree portfast

!

interface FastEthernet1

description VOICE

switchport access vlan 100

switchport voice vlan 100

spanning-tree portfast

!

interface FastEthernet2

shutdown

!

interface FastEthernet3

switchport access vlan 666

no cdp enable

spanning-tree portfast

!

interface Vlan1

ip address 172.30.59.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan2

no ip address

!

interface Vlan100

ip address 10.30.59.1 255.255.255.252

ip nat inside

ip virtual-reassembly

!

interface Vlan666

ip address 192.168.1.139 255.255.255.0

ip nat outside

ip virtual-reassembly

!

interface Dialer0

no ip address

!

ip default-gateway 192.168.1.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.254

ip route 10.20.0.0 255.255.0.0 Tunnel0

ip route 10.21.0.0 255.255.0.0 Tunnel0

ip route 64.156.192.220 255.255.255.255 Tunnel0

ip route 64.156.192.245 255.255.255.255 Tunnel0

ip route 74.50.50.16 255.255.255.255 Tunnel0

ip route 74.50.63.14 255.255.255.255 Tunnel0

ip route 172.16.0.0 255.240.0.0 Tunnel0

ip route 172.30.59.0 255.255.255.0 Vlan1

no ip http server

no ip http secure-server

!

ip dns server

ip nat source list 100 interface Vlan1 overload

!

access-list 100 permit ip 172.30.59.0 0.0.0.255 any

!

snmp-server community RO

snmp-server community RW

!

control-plane

!

line con 0

password

login

no modem enable

line aux 0

line vty 0 4

password

login

!

scheduler max-task-time 5000

ntp server 72.8.140.222

end

Ultimately I'll be using this for a VPN, but I can't even get internet traffic currently.

Any ideas?

Thanks,

cadet alain · ‎11-11-2013

Hi,

this line:

ip nat source list 100 interface Vlan1 overload

should be

ip nat source list 100 interface Vlan666 overload

You should also do NAT exemption for your VPN traffic by denying it first in this ACL

Also for voice vlan you can use switchport voice vlan command.

Regards

Alain

Don't forget to rate helpful posts.

Damien Silman · ‎11-11-2013

That was my original config, but I could not figure it out and had read enough rubbish on the internet to try setting it otherwise.

Now this is interesting; I've been conducting my ping tests from the user defing the source by using the VLAN1 IP; 172.30.59.1, I've just tried it using the actual interface instead:

ITTEST#ping 8.8.8.8 source vlan 1

% Invalid source interface - IP not enabled or interface is down

VLAN1 is active and the interface assigned is up....

What could that be then?...

cadet alain · ‎11-11-2013

Hi,

sh ip int br | i Vlan

Regards

Alain

Don't forget to rate helpful posts.

Damien Silman · ‎11-11-2013

Ok, it shows the protocol as being down for VLAN 1, might this be as my laptop is no longer connect to fastethernet 0 (the only interface configured for vlan 1 access)?

I'm at home now, (UK time coming up to 9pm) so i can't plug my laptop back in to see a change.

ITTEST#sh ip int br | i Vlan

Vlan1 172.30.59.1 YES NVRAM up down

Vlan2 unassigned YES unset up down

Vlan100 10.30.59.1 YES NVRAM up down

Vlan666 192.168.1.139 YES NVRAM up up

What can i do to change the protocol state?

Damien Silman · ‎11-11-2013

additionally, I'm on the firmware that enables 2 vlans not 4, the vlan 100 and vlan 2 are not required in this set up (currently) I will need to get a third vlan in their but I can load a different firmware when this is complete and working to achieve that.

Leo Laohoo · ‎11-11-2013

additionally, I'm on the firmware that enables 2 vlans not 4, the vlan 100 and vlan 2 are not required in this set up (currently) I will need to get a third vlan in their but I can load a different firmware when this is complete and working to achieve that.

870 routers, when loaded with IOS version 12.4, can only support 2 VLANs. If you want to load between 3 to 10 VLANs, you need to downgrade to IOS version 12.3.

Make sure you've created VLAN entries in the VLAN database.

Damien Silman · ‎11-11-2013

Hi Leo,

From the sh ip int br | i Vlan command that Alain suggested I can see:

ITTEST#sh ip int br | i Vlan

Vlan1 172.30.59.1 YES NVRAM up down

Vlan2 unassigned YES unset administratively down down

Vlan100 10.30.59.1 YES NVRAM administratively down down

Vlan666 192.168.1.139 YES NVRAM up up

I no longer require vlan2 or vlan 100 in this config, but I am currently connected remotely. If I was on site with this device I would erase the vlan.dat, reload the device, and set the vlans up from scratch.

If I did that currently though, I would lose the connection I am currently using though VLAN 666.

Any suggestions on how to achieve this nicely? Or should I just bite the bullet and wait until I'm back on site?

Thanks,

Damien Silman · ‎11-11-2013

ITTEST(vlan)#no vlan 100

VLAN 100 does not exist

ITTEST(vlan)#no vlan 2

VLAN 2 does not exist

ITTEST(vlan)#show

VLAN ISL Id: 1

Name: default

Media Type: Ethernet

VLAN 802.10 Id: 100001

State: Operational

MTU: 1500

Translational Bridged VLAN: 1002

Translational Bridged VLAN: 1003

VLAN ISL Id: 666

Name: VLAN0666

Media Type: Ethernet

VLAN 802.10 Id: 100666

State: Operational

MTU: 1500

VLAN ISL Id: 1002

Name: fddi-default

Media Type: FDDI

VLAN 802.10 Id: 101002

State: Operational

MTU: 1500

Bridge Type: SRB

Translational Bridged VLAN: 1

Translational Bridged VLAN: 1003

VLAN ISL Id: 1003

Name: token-ring-default

Media Type: Token Ring

VLAN 802.10 Id: 101003

State: Operational

MTU: 1500

Bridge Type: SRB

Ring Number: 0

Bridge Number: 1

Parent VLAN: 1005

Maximum ARE Hop Count: 7

Maximum STE Hop Count: 7

Backup CRF Mode: Disabled

Translational Bridged VLAN: 1

Translational Bridged VLAN: 1002

VLAN ISL Id: 1004

Name: fddinet-default

Media Type: FDDI Net

VLAN 802.10 Id: 101004

State: Operational

MTU: 1500

Bridge Type: SRB

Bridge Number: 1

STP Type: IBM

VLAN ISL Id: 1005

Name: trnet-default

Media Type: Token Ring Net

VLAN 802.10 Id: 101005

State: Operational

MTU: 1500

Bridge Type: SRB

Bridge Number: 1

STP Type: IBM

Leo Laohoo · ‎11-11-2013

I no longer require vlan2 or vlan 100 in this config

So all you do is:

conf t

no interface VLAN 2

no interface VLAN 100

end

cadet alain · ‎11-12-2013

Hi,

if you got nothing connected to a port in vlan1 then the SVI line protocol will stay down and so you won't be able to source any IP traffic from it.

Regards

Alain

Don't forget to rate helpful posts.

Damien Silman · ‎11-12-2013

Ok, so I'm back on site with the 877; I deleted the vlan.dat (as it still wouldn't let go of VLAN 100 and VLAN 2, relaoded, recreated.

I'm still at the same point:

ITTEST#show ip int br | i Vlan

Vlan1 172.30.59.1 YES manual up up

Vlan666 192.168.1.139 YES NVRAM up up (laptop now connected)

vlan 1 can ping vlan 666 but not the ISP router/modem beyond it on 192.168.1.254; config reads:

Current configuration : 4034 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname ITTEST

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 10240

logging console critical

enable secret

enable password

!

no aaa new-model

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

!

dot11 syslog

no ip source-route

ip dhcp excluded-address 172.30.59.1 172.30.59.100

!

ip dhcp pool dhcppool

import all

network 172.30.59.0 255.255.255.0

default-router 172.30.59.1

dns-server 172.30.59.1 172.20.0.120 172.20.0.121

domain-name gratte.com

update arp

!

ip cef

ip domain name gratte.com

ip name-server 192.168.1.254

ip name-server 172.20.0.120

ip name-server 172.20.0.121

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key address xxx.xxx.xxx.xxx no-xauth

!

crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC-VPN

set transform-set 3DESSHA

!

archive

log config

hidekeys

!

interface Tunnel0

description --- IPSec Tunnel to KX ---

ip address 172.30.60.1 255.255.255.0

ip ospf mtu-ignore

load-interval 30

tunnel source Vlan1

tunnel destination xxx.xxx.xxx.xxx

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC-VPN

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface FastEthernet0

description DATA

spanning-tree portfast

!

interface FastEthernet1

description VOICE

switchport access vlan 100

switchport voice vlan 100

spanning-tree portfast

!

interface FastEthernet2

shutdown

!

interface FastEthernet3

switchport access vlan 666

no cdp enable

spanning-tree portfast

!

interface Vlan1

ip address 172.30.59.1 255.255.255.252

ip nat inside

ip virtual-reassembly

!

interface Vlan666

ip address 192.168.1.139 255.255.255.0

ip nat outside

ip virtual-reassembly

!

interface Dialer0

no ip address

!

ip default-gateway 192.168.1.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.1.254

ip route 10.20.0.0 255.255.0.0 Tunnel0

ip route 10.21.0.0 255.255.0.0 Tunnel0

ip route 64.156.192.220 255.255.255.255 Tunnel0

ip route 64.156.192.245 255.255.255.255 Tunnel0

ip route 74.50.50.16 255.255.255.255 Tunnel0

ip route 74.50.63.14 255.255.255.255 Tunnel0

ip route 172.16.0.0 255.240.0.0 Tunnel0

ip route 172.30.59.0 255.255.255.0 Vlan1

no ip http server

no ip http secure-server

!

ip dns server

ip nat source list 100 interface Vlan666 overload

!

access-list 100 permit ip 172.30.59.0 0.0.0.255 any

!

snmp-server community RO

snmp-server community RW

!

control-plane

!

line con 0

password

login

no modem enable

line aux 0

line vty 0 4

password

login

!

scheduler max-task-time 5000

ntp server 72.8.140.222

ntp server 172.20.0.120

ntp server 172.20.0.121

end

Damien Silman · ‎11-12-2013

ITTEST#ping 192.168.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254 (ISP router/modem), timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ITTEST#ping 172.30.59.123

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.30.59.123 (my laptop on VLAN1), timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ITTEST#ping 192.168.1.254 source vlan666

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254 (ISP router/modem), timeout is 2 seconds:

Packet sent with a source address of 192.168.1.139

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

ITTEST#ping 192.168.1.254 source vlan1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254 (ISP router/modem from VLAN1), timeout is 2 seconds:

Packet sent with a source address of 172.30.59.1

.....

Success rate is 0 percent (0/5)

cadet alain · ‎11-12-2013

Hi,

try the ping from the pc in vlan 1 and verify you have a nat translation with sh ip nat translation

if it ain't working then can you do this:

access-list 199 permit icmp any any

do debug ip nat 199

do debug ip pack 199

and post debug output while pinging from host in vlan 1

Regards

Alain

Don't forget to rate helpful posts.

Damien Silman · ‎11-12-2013

Hi,

Debugging is my main weak point on Cisco routers...

It wouldn't let me set do debug ip nat 199, so i jsut did general do debug ip nat

do debug ip pack 199 went through fine

I try to ping 192.168.1.254 or anything on the net from the laptop, the router gives me no debugging information.

If I ping 172.30.59.1 or 192.168.1.139 (router VLAN1 and VLAN666 IPs) I get the below:

01:09:46: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:46: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:46: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:46: IP: tableid=0, s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), routed via RIB

01:09:46: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:46: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, rcvd 3

01:09:46: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, stop process pak for forus packet

01:09:46: IP: s=172.30.59.1 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:46: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:09:46: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:46: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

01:09:47: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:47: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:47: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:47: IP: tableid=0, s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), routed via RIB

01:09:47: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:47: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, rcvd 3

01:09:47: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, stop process pak for forus packet

01:09:47: IP: s=172.30.59.1 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:47: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:09:47: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:47: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

01:09:48: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:48: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:48: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:48: IP: tableid=0, s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), routed via RIB

01:09:48: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:48: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, rcvd 3

01:09:48: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, stop process pak for forus packet

01:09:48: IP: s=172.30.59.1 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:48: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:09:48: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:48: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

01:09:49: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:49: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:49: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:49: IP: tableid=0, s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), routed via RIB

01:09:49: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:49: IP: s=172.30.59.123 (Vlan1), d=172.30.59.1 (Vlan1), len 60, rcvd 3

01:09:49: IP: s=172.30.59.123 (Vlan1),

ITTEST(config)#d=172.30.59.1, len 60, stop process pak for forus packet

01:09:49: IP: s=172.30.59.1 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:49: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:09:49: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:09:49: IP: s=172.30.59.1 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

ITTEST(config)#

01:10:01: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:01: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:01: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:01: IP: tableid=0, s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), routed via RIB

01:10:01: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), len 60, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:01: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, rcvd 4

01:10:01: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, stop process pak for forus packet

01:10:01: IP: s=192.168.1.139 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:01: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:10:01: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:01: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

01:10:02: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:02: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:02: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:02: IP: tableid=0, s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), routed via RIB

01:10:02: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), len 60, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:02: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, rcvd 4

01:10:02: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, stop process pak for forus packet

01:10:02: IP: s=192.168.1.139 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:02: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:10:02: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:02: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

01:10:03: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:03: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:03: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:03: IP: tableid=0, s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), routed via RIB

01:10:03: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), len 60, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:03: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, rcvd 4

01:10:03: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, stop process pak for forus packet

01:10:03: IP: s=192.168.1.139 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:03: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:10:03: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:03: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet

01:10:04: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:04: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:04: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:04: IP: tableid=0, s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), routed via RIB

01:10:04: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139 (Vlan666), len 60, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:04: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, rcvd 4

01:10:04: IP: s=172.30.59.123 (Vlan1), d=192.168.1.139, len 60, stop process pak for forus packet

01:10:04: IP: s=192.168.1.139 (local), d=172.30.59.123, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:04: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending

01:10:04: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

01:10:04: IP: s=192.168.1.139 (local), d=172.30.59.123 (Vlan1), len 60, sending full packet