# packet-tracer input inside icmp 10.10.10.100 0 0 192.168.1.110 detailed

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x443ad38, priority=0, domain=permit-ip-option, deny=true

        hits=25604, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x4408e90, priority=70, domain=inspect-icmp, deny=false

        hits=77, user_data=0x4408960, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x443cc38, priority=66, domain=inspect-icmp-error, deny=false

        hits=85, user_data=0x443cb68, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip=0.0.0.0, mask=0.0.0.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

nat (inside) 0 access-list nonat

  match ip inside 10.10.10.0 255.255.255.0 outside 192.168.1.0 255.255.255.0

    NAT exempt

    translate_hits = 1, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x44ab350, priority=6, domain=nat-exempt, deny=false

        hits=0, user_data=0x44859a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip=10.10.10.0, mask=255.255.255.0, port=0

        dst ip=192.168.1.0, mask=255.255.255.0, port=0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 access-list nat

  match ip inside 10.10.10.0 255.255.255.0 outside 10.59.0.0 255.255.255.0

    dynamic translation to pool 1 (10.59.12.1 - 10.59.12.253)

    translate_hits = 384, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x44bcf88, priority=2, domain=host, deny=false

        hits=8135, user_data=0x44be758, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.10.10.0, mask=255.255.255.0, port=0

        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x41ba0d0, priority=70, domain=encrypt, deny=false

        hits=0, user_data=0x0, cs_id=0x4ae01c0, reverse, flags=0x0, protocol=0

        src ip=10.10.10.0, mask=255.255.255.0, port=0

        dst ip=192.168.1.0, mask=255.255.255.0, port=0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

interface Ethernet0/0

nameif outside

security-level 0

ip address 172.20.1.1 255.255.255.0

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif inside

security-level 100

ip address 172.19.1.2 255.255.255.0

!

!

ftp mode passive

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list cry_acl extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list cry_acl extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list nat extended permit ip 10.16.120.0 255.255.248.0 10.57.0.0 255.255.248.0

access-list nat extended permit ip 10.16.120.0 255.255.248.0 10.11.0.0 255.255.0.0

pager lines 24

logging enable

logging timestamp

logging buffered errors

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any echo inside

icmp permit any echo-reply inside

asdm image disk0:/asdm-508.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.59.12.1-10.59.12.253

global (outside) 1 10.59.12.254

nat (inside) 0 access-list nonat

nat (inside) 1 access-list nat

static (inside,outside) 10.59.12.1 10.16.120.36 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 172.20.1.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 13 match address cry_acl

crypto map outside_map 13 set peer 212.x.16.7x

crypto map outside_map 13 set transform-set myset

crypto map outside_map 13 set security-association lifetime seconds 28800

crypto map outside_map 13 set security-association lifetime kilobytes 4608000

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group 212.x.16.7x type ipsec-l2l

tunnel-group 212.x.16.7x ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

Cryptochecksum:c9b2feb1a2c1a6f189b8b02b0bb485b3

: end

Hello Yuliang,

The configuration looks fine, please double check the other peer's configuration, if have the correct [nonat + Crypto ACL for

172.16.1.0], then please reset the Crypto by doing the following:

no crypto map outside_map interface outside

crypto map outside_map interface outside

Please let me know how things go, if you can, also please share the other peers configuration.

Ahmad