03-05-2024 12:49 AM
Hi all,
I rebuilt an ASA5506 on 9.14 but I can't seem to access the internal network over secure connect.
Split tunnel and NAT are configured, I see the hit counts and it is getting dropped by the ACL. Any thoughts?
hs1rt1# sho vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : lchan Index : 844
Assigned IP : 172.16.16.10 Public IP : 73.238.174.219
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 15504 Bytes Rx : 108393
Group Policy : GroupPolicy_svc-ldap Tunnel Group : svc-hstf
Login Time : 08:21:56 UTC Tue Mar 5 2024
Duration : 0h:21m:25s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a850010034c00065e6d624
Security Grp : none
hs1rt1# s sho sho packet-tracer input outside tcp 172.16.16.10 59548 192.168.100.250 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.100.250 using egress ifc prod100
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
<--- More --->
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bacaabfc8 flow (NA)/NA
hs1rt1# sho ver
Cisco Adaptive Security Appliance Software Version 9.14(3)
SSP Operating System Version 2.8(1.157)
Device Manager Version 7.20(2)
Compiled on Fri 11-Jun-21 15:39 GMT by builders
System image file is "disk0:/asa9-14-3-lfbff-k8.SPA"
Config file at boot was "startup-config"
hs1rt1 up 4 days 16 hours
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is 5ca6.2d0a.249a, irq 255
2: Ext: GigabitEthernet1/2 : address is 5ca6.2d0a.249b, irq 255
3: Ext: GigabitEthernet1/3 : address is 5ca6.2d0a.249c, irq 255
4: Ext: GigabitEthernet1/4 : address is 5ca6.2d0a.249d, irq 255
5: Ext: GigabitEthernet1/5 : address is 5ca6.2d0a.249e, irq 255
6: Ext: GigabitEthernet1/6 : address is 5ca6.2d0a.249f, irq 255
7: Ext: GigabitEthernet1/7 : address is 5ca6.2d0a.24a0, irq 255
<--- More --->
hs1rt1# sh acc
hs1rt1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit ip object obj-172.16.16 object obj-192.168.50.0 (hitcnt=0) 0xdaf01e4d
access-list outside_access_in line 1 extended permit ip 172.16.16.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=0) 0xdaf01e4d
access-list split_tunnel; 5 elements; name hash: 0x3b0c93fe
access-list split_tunnel line 1 standard permit 192.168.100.0 255.255.255.0 (hitcnt=0) 0x14a8b5bd
access-list split_tunnel line 2 standard permit 192.168.80.0 255.255.255.0 (hitcnt=0) 0xffb8a7d4
access-list split_tunnel line 3 standard permit 192.192.100.0 255.255.255.0 (hitcnt=0) 0x2d5afd77
access-list split_tunnel line 4 standard permit 172.30.200.0 255.255.255.0 (hitcnt=0) 0xdd7109fb
access-list split_tunnel line 5 standard permit 192.168.50.0 255.255.255.0 (hitcnt=0) 0x89d7fafc
access-list vpn_acl; 4 elements; name hash: 0x86d8ef38
access-list vpn_acl line 1 extended permit ip 172.16.16.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x38981eb0
access-list vpn_acl line 2 extended permit ip 192.168.50.0 255.255.255.0 172.16.16.0 255.255.255.0 (hitcnt=884) 0x94439a68
access-list vpn_acl line 3 extended permit ip 192.168.100.0 255.255.255.0 172.16.16.0 255.255.255.0 (hitcnt=4501) 0x4f1b6aad
access-list vpn_acl line 4 extended permit ip 172.16.16.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=0) 0x860aef26
03-05-2024 02:00 AM
@hstf_techy when you run packet-tracer you must use an IP address that is not in use by an active client. So please re-run and provide the output for review.
packet-tracer input outside tcp 172.16.16.199 59548 192.168.100.250 80
03-05-2024 04:41 AM
Sure. Here it is -
# packet-tracer input outside tcp 172.16.16.199 59548 192.168.100.250 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.100.250 using egress ifc prod100
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bacaabfc8 flow (NA)/NA
# packet-tracer input outside tcp 172.16.16.199 59548 192.168.50.250 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.50.250 using egress ifc serv500
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (serv500,outside) source static any any destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface serv500
Untranslate 192.168.50.250/80 to 192.168.50.250/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (serv500,outside) source static any any destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: serv500
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bacaabfc8 flow (NA)/NA
03-05-2024 05:45 AM
The NAT command uses source any any.
Change it to be <server subnet or host IP>
Then run packet-tracer again and add detail at the end of the packet-tracer command.
MHM
03-05-2024 06:03 AM
Could you please share the output of the following commands for review?
show run access-group
show run all sysopt
sho vpn-sessiondb det anyconnect
03-05-2024 08:22 AM
@MHM Cisco World
Please see below -
hs1rt1# sh run nat
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
!
object network obj-192.168.100.0
nat (prod100,outside) dynamic interface
object network obj-172.16.16
nat (outside,outside) dynamic interface
object network obj-192.168.80.0
nat (prod80,outside) dynamic interface
!
nat (prod100,outside) after-auto source dynamic any interface
nat (guest50,outside) after-auto source dynamic any interface
nat (prod80,outside) after-auto source dynamic any interface
nat (voice200,outside) after-auto source dynamic any interface
nat (mgmt800,outside) after-auto source dynamic any interface
hs1rt1# packet-tracer input outside tcp 172.16.16.199 59548 192.168.50.250 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.50.250 using egress ifc serv500
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface serv500
Untranslate 192.168.50.250/80 to 192.168.50.250/80
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: serv500
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bacaabfc8 flow (NA)/NA
@Aref Alsouqi
hs1rt1# sh run access-group
hs1rt1# sh run all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp guest50
no sysopt noproxyarp prod80
no sysopt noproxyarp prod100
no sysopt noproxyarp voice200
no sysopt noproxyarp serv500
no sysopt noproxyarp mgmt800
no sysopt noproxyarp inside_2
no sysopt noproxyarp inside_3
no sysopt noproxyarp inside_4
no sysopt noproxyarp inside_5
no sysopt noproxyarp inside_6
no sysopt noproxyarp ib-mgmt
no sysopt noproxyarp mgmt
no sysopt noproxyarp inside
hs1rt1# sho vpn-sessiondb det anyconnect
Session Type: AnyConnect Detailed
Username : lchan Index : 1031
Assigned IP : 172.16.16.10 Public IP : 73.238.174.219
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 15504 Bytes Rx : 1212603
Pkts Tx : 12 Pkts Rx : 17463
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : GroupPolicy_svc-ldap Tunnel Group : svc-hstf
Login Time : 09:31:15 UTC Tue Mar 5 2024
Duration : 6h:49m:43s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a850010040700065e6e663
Security Grp : none
AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1
AnyConnect-Parent:
Tunnel ID : 1031.1
Public IP : 73.238.174.219
Encryption : none Hashing : none
TCP Src Port : 27144 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : win
Client OS Ver: 10.0.19045
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.2.42
Bytes Tx : 7752 Bytes Rx : 0
Pkts Tx : 6 Pkts Rx : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
SSL-Tunnel:
Tunnel ID : 1031.2
Assigned IP : 172.16.16.10 Public IP : 73.238.174.219
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2 TCP Src Port : 27152
TCP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 0 Minutes
Client OS : Windows
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.2.42
Bytes Tx : 7752 Bytes Rx : 1638
Pkts Tx : 6 Pkts Rx : 21
Pkts Tx Drop : 0 Pkts Rx Drop : 0
DTLS-Tunnel:
Tunnel ID : 1031.3
Assigned IP : 172.16.16.10 Public IP : 73.238.174.219
Encryption : AES256 Hashing : SHA1
Ciphersuite : AES256-SHA
Encapsulation: DTLSv1.0 UDP Src Port : 54843
UDP Dst Port : 443 Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Client OS : Windows
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.2.42
Bytes Tx : 0 Bytes Rx : 1211087
Pkts Tx : 0 Pkts Rx : 17444
Pkts Tx Drop : 0 Pkts Rx Drop : 0
03-06-2024 09:49 PM
Adding the following got it further, but connectivity is still not passing through. Any thoughts?
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.50.250 using egress ifc serv500
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface serv500
Untranslate 192.168.50.250/80 to 192.168.50.250/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object obj-172.16.16 object obj-192.168.50.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e1069df10, priority=13, domain=permit, deny=false
hits=5, user_data=0x7f2e052388c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.16.199/59548 to 172.16.16.199/59548
Forward Flow based lookup yields rule:
in id=0x7f2e0c25d670, priority=6, domain=nat, deny=false
hits=122, user_data=0x7f2e10622920, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=serv500
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0c246390, priority=0, domain=nat-per-session, deny=false
hits=2328043, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0d5ae6b0, priority=0, domain=inspect-ip-options, deny=true
hits=1899758, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object obj-172.16.16 object obj-192.168.50.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e1069df10, priority=13, domain=permit, deny=false
hits=5, user_data=0x7f2e052388c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.16.199/59548 to 172.16.16.199/59548
Forward Flow based lookup yields rule:
in id=0x7f2e0c25d670, priority=6, domain=nat, deny=false
hits=123, user_data=0x7f2e10622920, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=serv500
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0c246390, priority=0, domain=nat-per-session, deny=false
hits=2328043, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0d5ae6b0, priority=0, domain=inspect-ip-options, deny=true
hits=1899758, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object obj-172.16.16 object obj-192.168.50.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e1069df10, priority=13, domain=permit, deny=false
hits=5, user_data=0x7f2e052388c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 12
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.16.199/59548 to 172.16.16.199/59548
Forward Flow based lookup yields rule:
in id=0x7f2e0c25d670, priority=6, domain=nat, deny=false
hits=123, user_data=0x7f2e10622920, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=serv500
Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0c246390, priority=0, domain=nat-per-session, deny=false
hits=2328044, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0d5ae6b0, priority=0, domain=inspect-ip-options, deny=true
hits=1899758, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 15
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object obj-172.16.16 object obj-192.168.50.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e1069df10, priority=13, domain=permit, deny=false
hits=5, user_data=0x7f2e052388c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 16
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (serv500,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-172.16.16 obj-172.16.16 no-proxy-arp route-lookup
Additional Information:
Static translate 172.16.16.199/59548 to 172.16.16.199/59548
Forward Flow based lookup yields rule:
in id=0x7f2e0c25d670, priority=6, domain=nat, deny=false
hits=123, user_data=0x7f2e10622920, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.16.16.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=192.168.50.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=serv500
Phase: 17
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0c246390, priority=0, domain=nat-per-session, deny=false
hits=2328044, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 18
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f2e0d5ae6b0, priority=0, domain=inspect-ip-options, deny=true
hits=1899759, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 19
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: serv500
output-status: up
output-line-status: up
Action: allow
03-13-2024 02:16 AM
Hi Friend,
sorry to keep you waiting.
The
Phase: 19
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
means that one IPsec peer has a LAN IP the same as the VPN AnyConnect pool IP.
Check this point.
MHM
03-13-2024 06:13 AM
@MHM Cisco World
After adding the NAT rule and noticing packet-tracer getting to phase 19, I found out the IP I was testing was the culprit. (I was able to ping from the ASA, so I didn't pay attention.) I tested using another IP address in the same subnet and was able to ping via the AnyConnect client. I am all set. Thanks!
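Added example, not from this thread or from Cisco: a small Python checker for the two points the thread turns on, Aref's that packet-tracer must be run with a pool address no active client holds, and the general step of reading which phase drops the flow and why. It parses `show vpn-sessiondb` and `packet-tracer` output into phases and reports the first DROP with its Config line and the Drop-reason; the function names are my own and the sample inputs are constructed from the outputs posted above.

```python
import re
from dataclasses import dataclass, field
FIELDS = {"Type": "ptype", "Subtype": "subtype", "Result": "result"}

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Split packet-tracer output into Phase records plus the final Result block."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<---"):  # skip blanks and pager prompts
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":  # bare 'Result:' opens the final summary block
            in_final, cur = True, None
        elif in_final:
            key, _, val = line.partition(":")
            final[key.strip()] = val.strip()
        elif cur is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, val = line.partition(":")
            setattr(cur, FIELDS[key], val.strip())
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            getattr(cur, section).append(line)
    return phases, final

def assigned_vpn_ips(sessiondb_text):
    """'Assigned IP' values from show vpn-sessiondb output, i.e. pool addresses in use."""
    return set(re.findall(r"Assigned IP\s*:\s*(\d+(?:\.\d+){3})", sessiondb_text))

def diagnose(test_ip, tracer_text, sessiondb_text):
    """Refuse a source IP held by an active client, else report the first DROP phase."""
    if test_ip in assigned_vpn_ips(sessiondb_text):
        return f"{test_ip} is assigned to an active client; trace with a free pool address"
    phases, final = parse_packet_tracer(tracer_text)
    drop = next((p for p in phases if p.result == "DROP"), None)
    if drop is None:
        return f"allowed after {len(phases)} phases (action={final.get('Action')})"
    cfg = " ".join(drop.config) or "(no config shown)"
    return f"dropped in phase {drop.number} {drop.ptype} by {cfg}: {final.get('Drop-reason', '')}"

# Sample inputs constructed from the outputs posted in this thread.
SESSIONDB = """Username     : lchan                  Index        : 844
Assigned IP  : 172.16.16.10
"""
TRACER_DROP = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Found next-hop 192.168.100.250 using egress ifc prod100
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
<--- More --->
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000558bacaabfc8 flow (NA)/NA
"""
```

Calling `diagnose("172.16.16.10", TRACER_DROP, SESSIONDB)` flags the in-use pool address, while `diagnose("172.16.16.199", ...)` names the ACCESS-LIST phase, its Implicit Rule and the acl-drop reason.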