Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1765
Views
10
Helpful
15
Replies

ASA not Able to Ping Routed Network

joematrix77
Level 1
Level 1

‎02-24-2023 09:36 AM

Hey Guys,

I've been banging my head against the wall for a few days, so I figured I'd ask the experts.

I currently have an issue where I can't connect to subnets on the other side of a L3 switch it is a SG300 updated to the latest firmware. From the switch I can ping the firewall and the inside networks but for the life of me I can't figure out how to get a connection from the ASA to the networks. Here are my configs, is there something I am missing? 

ASA Version 9.16(1)
!
hostname mnASAv
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
!
license smart
 feature tier standard
 throughput level 1G
names
no mac-address auto
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/1.105
 vlan 105
 nameif TRANS_V105
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.109
 nve-only
 vlan 109
 nameif VTEP_109
 security-level 100
 ip address 192.168.109.1 255.255.255.0
!
interface GigabitEthernet0/1.110
 nve-only
 vlan 110
 nameif VTEP_110
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface GigabitEthernet0/8
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8.443
 vlan 443
 nameif TRANS_DMZ_EXT
 security-level 100
 ip address 192.168.43.1 255.255.255.0
!
interface GigabitEthernet0/8.444
 vlan 444
 nameif TRANS_DMZ_INT
 security-level 100
 ip address 192.168.44.1 255.255.255.0
!
interface Management0/0
 no management-only
 nameif management
 security-level 0
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
object network TRANS_DMZ_INT
 host 10.4.44.0
object network TRANS_DMZ_EXT
 host 10.4.43.0
object network TRANS_V105
 host 172.16.10.0
object network TRANS_DMZ_To_NSX_V444
 subnet 10.4.44.0 255.255.255.0
object network TRANS_DMZ_To_NSX_443
 subnet 10.4.43.0 255.255.255.0
object network TRANS_V105_To_NSX_105
 subnet 172.16.10.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq bgp
 service-object ip
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq bgp
 service-object ip
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp destination eq bgp
 service-object ip
access-list outside_access_in extended permit ip any any
access-list TRANS_DMZ_EXT_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list TRANS_DMZ_INT_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list TRANS_V105_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
pager lines 23
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu TRANS_V105 1500
mtu VTEP_109 1500
mtu VTEP_110 1500
mtu TRANS_DMZ_INT 1500
mtu TRANS_DMZ_EXT 1500
mtu outside 1500
no failover
no failover wait-disable
no monitor-interface inside
no monitor-interface TRANS_V105
no monitor-interface VTEP_109
no monitor-interface VTEP_110
no monitor-interface TRANS_DMZ_INT
no monitor-interface TRANS_DMZ_EXT
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network TRANS_DMZ_To_NSX_V444
 nat (any,TRANS_DMZ_INT) static interface
object network TRANS_DMZ_To_NSX_443
 nat (any,TRANS_DMZ_EXT) static interface
object network TRANS_V105_To_NSX_105
 nat (any,TRANS_V105) static interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,TRANS_DMZ_INT) after-auto source dynamic any interface
nat (TRANS_DMZ_EXT,outside) after-auto source dynamic any interface
nat (TRANS_DMZ_INT,outside) after-auto source dynamic any interface
nat (TRANS_V105,outside) after-auto source dynamic any interface
nat (inside,TRANS_V105) after-auto source dynamic any interface
access-group TRANS_V105_access_in in interface TRANS_V105
access-group TRANS_DMZ_INT_access_in in interface TRANS_DMZ_INT
access-group TRANS_DMZ_EXT_access_in in interface TRANS_DMZ_EXT
access-group outside_access_in in interface outside
router bgp 100
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 192.168.43.10 remote-as 400
  neighbor 192.168.43.10 activate
  neighbor 192.168.44.10 remote-as 200
  neighbor 192.168.44.10 activate
  neighbor 192.168.105.10 remote-as 300
  neighbor 192.168.105.10 activate
  neighbor 192.168.43.11 remote-as 400
  neighbor 192.168.43.11 activate
  neighbor 192.168.44.11 remote-as 200
  neighbor 192.168.44.11 activate
  neighbor 192.168.105.11 remote-as 300
  neighbor 192.168.105.11 activate
  network 192.168.43.0
  network 192.168.44.0
  network 192.168.105.0
  no auto-summary
  no synchronization
 exit-address-family
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route TRANS_DMZ_EXT 10.4.43.0 255.255.255.255 192.168.43.2 1
route TRANS_DMZ_INT 10.4.44.0 255.255.255.255 192.168.44.2 1
route TRANS_V105 172.16.10.0 255.255.255.255 172.16.10.2 1
!
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
!
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.1.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 inside
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ip-options
  inspect netbios
  inspect rtsp
  inspect sunrpc
  inspect tftp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sip  
  inspect skinny
  inspect snmp
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
!
jumbo-frame reservation
!
------------------------------------------------------------------------------------
SG300
mnSwitch-01
v1.4.11.5 / R800_NIK_1_4_220_026
CLI v1.0
set system mode router
!
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end
!
port jumbo-frame
vlan database
default-vlan vlan 99
exit
vlan database
vlan 1,100,105,109-113,250,443-444
exit
!
ip access-list extended Deny_DMZ_EXT
permit ip 10.4.43.0 0.0.0.255 192.168.0.1 0.0.0.0 ace-priority 20
deny ip 10.4.43.0 0.0.0.255 192.168.0.0 0.0.0.255 ace-priority 40
permit ip any any ace-priority 60
exit
hostname mnSwitch-01
ip ssh server
no ip http server
ip domain name xyz.com
ip name-server  192.168.0.83 192.168.0.105
!
interface vlan 1
 shutdown
!
interface vlan 99
 name out-of-band-management
 ip address 192.168.99.254 255.255.255.0
!
interface vlan 100
 name Management
 ip address 192.168.0.254 255.255.255.0
!
interface vlan 105
 ip address 192.168.105.254 255.255.255.0
!
interface vlan 109
 name VTEP_109_NSX_EDGE_NET
 ip address 192.168.109.254 255.255.255.0
!
interface vlan 110
 name VTEP_110_NSX_EDGE_NET
 ip address 192.168.110.254 255.255.255.0
!
interface vlan 111
 name Fault_Tolerance
 ip address 10.10.111.254 255.255.255.0
!
interface vlan 112
 name vMotion
 ip address 10.10.112.254 255.255.255.0
!
interface vlan 113
 name Replication
 ip address 10.10.113.254 255.255.255.0
!
interface vlan 250
 name iSCSI
 ip address 10.10.250.254 255.255.255.0
!
interface vlan 443
 name DMZ_EXT
 ip address 192.168.43.254 255.255.255.0
 no snmp trap link-status
!
interface vlan 444
 name DMZ_INT
 ip address 192.168.44.254 255.255.255.0
!
interface gigabitethernet1
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet2
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet3
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet4
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet5
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet6
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet7
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet8
 spanning-tree portfast
 switchport trunk allowed vlan add 100,105,109-113,250,443-444
 no macro auto smartport
!
interface gigabitethernet9
 spanning-tree portfast
 switchport mode access
 no macro auto smartport
!
interface gigabitethernet10
 spanning-tree portfast
 switchport mode access
 switchport access vlan 100
 no macro auto smartport
!
exit
ip default-gateway 192.168.0.1
ip route 10.4.43.0 /24 192.168.43.2
ip route 10.4.44.0 /24 192.168.44.2
ip route 172.16.10.0 /24 192.168.105.2
ip route 192.168.0.0 /24 192.168.0.1
 
Thanks

 

0 Helpful
15 Replies 15

MHM Cisco World
VIP
VIP

‎02-24-2023 09:42 AM

only do

inspection icmp under the global-policy 
that what you need for icmp to pass through 

0 Helpful

joematrix77
Level 1
Level 1
In response to MHM Cisco World

‎02-24-2023 10:14 AM - edited ‎02-24-2023 10:23 AM

That didn't work good catch, I would have kicked myself if it did LOL. Thank you for the quick response.

0 Helpful

MHM Cisco World
VIP
VIP
In response to joematrix77

‎02-24-2023 03:08 PM

OK 
can you use packet tracer and share result here ??

joematrix77
Level 1
Level 1
In response to MHM Cisco World

‎02-25-2023 12:06 PM


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2a1bf960, priority=1, domain=permit, deny=false
hits=5, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.44.2 using egress ifc TRANS_DMZ_INT

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d29a92320, priority=501, domain=permit, deny=true
hits=1, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.44.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Result:
input-interface: TRANS_DMZ_INT
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055556562d33f flow (NA)/NA

0 Helpful

MHM Cisco World
VIP
VIP
In response to joematrix77

‎02-25-2023 01:52 PM

Can I see the packet tracer you use here? 

0 Helpful

joematrix77
Level 1
Level 1
In response to MHM Cisco World

‎02-25-2023 12:30 PM

Capture.PNG

0 Helpful

paul driver
VIP
VIP

‎02-25-2023 01:42 AM - edited ‎02-25-2023 01:43 AM

Hello
To allow traffic in/out of the same interface or between interface with the same security level you need to allow it this manually.

same-security-traffic intra-interface
same-security-traffic inter-interface
 
Also I see you have nat applied but you have all of those statements in section 3 nat, as such most probably will not get serviced correctly, so change the specific nat to be dynamic so to have an higher preference then the default catch auto PAT statement.

nat (inside,outside) after-auto source dynamic any interface
nat (inside,TRANS_DMZ_INT) after-auto source dynamic any interface
nat (TRANS_DMZ_EXT,outside) after-auto source dynamic any interface
nat (TRANS_DMZ_INT,outside) after-auto source dynamic any interface
nat (TRANS_V105,outside) after-auto source dynamic any interface
nat (inside,TRANS_V105) after-auto source dynamic any interface
nat (inside,TRANS_DMZ_INT)  source dynamic any interface
nat (TRANS_DMZ_EXT,outside) source dynamic any interface
nat (TRANS_DMZ_INT,outside) source dynamic any interface
nat (TRANS_V105,outside) source dynamic any interface
nat (inside,TRANS_V105)  source dynamic any interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

joematrix77
Level 1
Level 1
In response to paul driver

‎02-25-2023 11:54 AM

Thanks for the response. Still can't get through.

0 Helpful

paul driver
VIP
VIP

‎02-26-2023 01:28 AM

Hello

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP

Apply the following and test:
policy-map global_policy
class inspection_default
inspect icmp

access-group TRANS_DMZ_INT_access_in out interface TRANS_DMZ_INT


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

joematrix77
Level 1
Level 1
In response to paul driver

‎02-26-2023 09:30 AM

Didn't work.

packet-tracer input TRANS_DMZ_INT icmp 10.4.44.1 8 0 192.168.44.1 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.44.1 using egress ifc identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967b880, priority=120, domain=permit, deny=false
hits=36, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88743, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6959, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967b880, priority=120, domain=permit, deny=false
hits=36, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=identity

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88744, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6959, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 8
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967b880, priority=120, domain=permit, deny=false
hits=36, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=identity

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88744, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6960, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 11
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d29a92210, priority=208, domain=cluster-redirect, deny=false
hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=identity

Phase: 12
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967c640, priority=66, domain=inspect-icmp, deny=false
hits=1, user_data=0x7f8d293de1a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=identity

Phase: 13
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967d5f0, priority=66, domain=inspect-icmp-error, deny=false
hits=1, user_data=0x7f8d2a215da0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 93117, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 15
Type: NEXTHOP-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Lookup Nexthop on interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 0.0.0.0 using egress ifc identity

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 0.0.0.0 on interface identity
Adjacency :Active
MAC address 0000.0000.0000 hits 48743 reference 1

Result:
input-interface: TRANS_DMZ_INT
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: allow

packet-tracer input TRANS_DMZ_INT icmp 192.168.44.2 8 0 10.4.44.1 detailed


Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.44.2 using egress ifc TRANS_DMZ_INT

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_INT_444_access_in in interface TRANS_DMZ_INT
access-list DMZ_INT_444_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.44.0 255.255.255.0 object DMZ_INT
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq bgp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2a2e7ea0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7f8d12714280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.44.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.4.44.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88939, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6984, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_INT_444_access_in in interface TRANS_DMZ_INT
access-list DMZ_INT_444_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.44.0 255.255.255.0 object DMZ_INT
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq bgp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2a2e7ea0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7f8d12714280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.44.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.4.44.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88940, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6984, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_INT_444_access_in in interface TRANS_DMZ_INT
access-list DMZ_INT_444_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.44.0 255.255.255.0 object DMZ_INT
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp destination eq bgp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2a2e7ea0, priority=13, domain=permit, deny=false
hits=1, user_data=0x7f8d12714280, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.44.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.4.44.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88940, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6985, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 11
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d29441510, priority=70, domain=qos-per-class, deny=false
hits=155478, user_data=0x7f8d294438f0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 12
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d298ea190, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0x7f8d2963abf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 13
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d2967d5f0, priority=66, domain=inspect-icmp-error, deny=false
hits=2, user_data=0x7f8d2a215da0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 14
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8d29441510, priority=70, domain=qos-per-class, deny=false
hits=155479, user_data=0x7f8d294438f0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8d2904f510, priority=0, domain=nat-per-session, deny=true
hits=88941, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8d2967dde0, priority=0, domain=inspect-ip-options, deny=true
hits=6986, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 93333, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 18
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.44.2 using egress ifc TRANS_DMZ_INT

Phase: 19
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 192.168.44.2 on interface TRANS_DMZ_INT
Adjacency :Active
MAC address 0050.568b.4aac hits 18 reference 1

Result:
input-interface: TRANS_DMZ_INT
input-status: up
input-line-status: up
output-interface: TRANS_DMZ_INT
output-status: up
output-line-status: up
Action: allow

 

0 Helpful

paul driver
VIP
VIP
In response to joematrix77

‎02-26-2023 11:14 AM

Hello 

192.168.44.1 8 0 10.4.44.1   -  failed 
10.4.44.1 8 0 192.168.44.1 - works

suggest a you need a reverse acl to accommodate the above 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

joematrix77
Level 1
Level 1
In response to paul driver

‎02-26-2023 08:53 PM

That didn't work, I appreciate your time. This is a green field deployment I have no issue blowing out the config. If you have any configuration ideas that you would suggest I am all ears. Thank you.

0 Helpful

joematrix77
Level 1
Level 1
In response to paul driver

‎02-26-2023 10:22 AM

packet-tracer input TRANS_DMZ_INT icmp 192.168.44.1 8 0 10.4.44.1 detailed

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.44.2 using egress ifc TRANS_DMZ_INT

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8d29a92320, priority=501, domain=permit, deny=true
hits=6, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.44.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TRANS_DMZ_INT, output_ifc=any

Result:
input-interface: TRANS_DMZ_INT
input-status: up
input-line-status: up
output-interface: TRANS_DMZ_INT
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055556562d33f flow (NA)/NA

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to joematrix77

‎02-27-2023 01:59 AM

packet-tracer input TRANS_DMZ_INT icmp 192.168.44.1 8 0 10.4.44.1 detailed <<-
are you use IP of interface ?? you must not use IP of interface of ASA 
change the IP and  send to me the packet tracer again 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card