12-06-2022 05:48 AM
Dec 6 11:23:21.642: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:55599 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:06.219: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.14:55599 => 8.8.8.8:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:24:11.043: %FW-6-DROP_PKT: Dropping udp session 172.20.34.12:50406 1.1.1.1:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:46.528: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:59608 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:56.808: %SYS-5-CONFIG_I: Configured from console by imran on vty0 (172.20.17.43)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.12:50406 => 1.1.1.1:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.12:59718 => 8.8.8.8:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.12:59719 => 9.9.9.9:53 (target:class)-(inside-to-vpn:class-default)
I have the following config:
ip name-server 9.9.9.9
zone security inside
zone security outside
zone security vpn
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect Policy-inside-to-outside
zone-pair security inside-to-vpn source inside destination vpn
service-policy type inspect Policy-inside-to-vpn
zone-pair security vpn-to-inside source vpn destination inside
service-policy type inspect Policy-vpn-to-inside
zone-pair security outside-to-inside source outside destination inside
interface FastEthernet8
ip address 192.168.8.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
!
interface Vlan1
ip address 172.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
ip tcp adjust-mss 1452
ip route 0.0.0.0 0.0.0.0 192.168.8.1
ip access-list extended ACL-INSIDE-TO-OUTSIDE
permit tcp any any eq 888
permit icmp any any
deny ip any any
ip access-list extended ACL-INSIDE-TO-VPN
permit ip any host 172.20.49.71
permit ip any host 10.20.11.2
deny udp any any eq domain
permit ip any any
ip access-list extended ACL-VPN-TO-INSIDE
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.20.49.0 0.0.0.255 any
permit ip 10.20.11.0 0.0.0.255 any
ip access-list extended ACL-outside-TO-self
permit ip any any
permit udp any any
permit tcp any any eq 22
ip access-list extended ACL-self-TO-outside
permit ip any any
permit gre any any
permit icmp any any
ip access-list extended NAT
permit ip 172.20.34.0 0.0.0.255 any
Why am I unable to surf the internet? Why are my packets being dropped? I have the same configuration on a second router and it is working fine. Can anybody help?
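An added example, not code from the thread: a Python script that tallies the two %FW-6 message types shown in the post (a DROP_PKT per new session, then a LOG_SUMMARY carrying the packet count) by zone-pair, class and destination port. The sample lines are constructed in the post's format; for a capture like this one the tally points straight at the zone-pair and traffic type (inside-to-vpn, class-default, UDP/53) to check the inspect class and its ACL against.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the post's syslog lines: one DROP_PKT per
# new session, a LOG_SUMMARY for that session later, unrelated lines mixed in.
SAMPLE_LOG = """\
Dec 6 11:23:21.642: %FW-6-DROP_PKT: Dropping udp session 172.20.34.14:55599 8.8.8.8:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:06.219: %FW-6-LOG_SUMMARY: 1 packet were dropped from 172.20.34.14:55599 => 8.8.8.8:53 (target:class)-(inside-to-vpn:class-default)
*Dec 6 11:24:11.043: %FW-6-DROP_PKT: Dropping udp session 172.20.34.12:50406 1.1.1.1:53 on zone-pair inside-to-vpn class class-default due to DROP action found in policy-map with ip ident 0
*Dec 6 11:24:56.808: %SYS-5-CONFIG_I: Configured from console by imran on vty0 (172.20.17.43)
*Dec 6 11:25:06.152: %FW-6-LOG_SUMMARY: 3 packet were dropped from 172.20.34.12:50406 => 1.1.1.1:53 (target:class)-(inside-to-vpn:class-default)
"""

DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets? were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\)")


def summarize(text):
    """Return {(zone_pair, class, dport): {"sessions": n, "packets": m}}.

    DROP_PKT lines count newly dropped sessions; LOG_SUMMARY lines carry the
    packet totals, so the two are tallied separately to avoid double counting.
    """
    tally = defaultdict(lambda: {"sessions": 0, "packets": 0})
    for line in text.splitlines():
        if (m := DROP_PKT.search(line)):
            key = (m["zp"], m["cls"], int(m["dport"]))
            tally[key]["sessions"] += 1
        elif (m := LOG_SUMMARY.search(line)):
            key = (m["zp"], m["cls"], int(m["dport"]))
            tally[key]["packets"] += int(m["count"])
    return dict(tally)


if __name__ == "__main__":
    for (zp, cls, dport), c in sorted(summarize(SAMPLE_LOG).items()):
        print(f"zone-pair={zp} class={cls} dport={dport} "
              f"sessions={c['sessions']} packets={c['packets']}")
```

Feed it the output of `show logging` (or a syslog collector export) and every zone-pair/class that is dropping traffic shows up with its destination port, which is the quickest way to tell a class-default drop from an inspect-class deny.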
12-06-2022 06:25 AM - edited 12-06-2022 06:27 AM
At a high level, you have a NAT ACL:
ip access-list extended NAT
permit ip 172.20.34.0 0.0.0.255 any
but I do not see a NAT statement:
example:
ip nat inside source list NAT interface XXXXX overload
12-06-2022 06:22 AM
ip access-list extended ACL-self-TO-outside <<- this means you are not using the default behaviour of the self zone.
Can you share the config of the policy-map you use for self?
12-10-2022 12:31 AM
ip access-list extended ACL-outside-TO-self
permit ip any any
permit udp any any
ip access-list extended ACL-self-TO-outside
permit ip any any
permit gre any any
permit icmp any any