Drop-reason: (acl-drop)

parvejkhan2009
Level 1
Level 1
Hi all,
Currently I am facing one problem: I replaced one IP address with a new one in the interesting-traffic list for my site-to-site VPN, and now it is not working. Any guess? Logs below:

ASA-PROD/act# packet-tracer input inside tcp 172.25.20.53 12452 10.122.233$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:      
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4     
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:      
Additional Information:
in   172.25.0.0      255.255.0.0     inside

Phase: 5     
Type: ACCESS-LIST
Subtype: log 
Result: ALLOW
Config:      
access-group Inside_acl in interface inside
access-list Inside_acl extended permit ip 172.25.20.0 255.255.255.0 host 10.122.233.194
Additional Information:

Phase: 6     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:

Phase: 7     
Type: FOVER  
Subtype: standby-update
Result: ALLOW
Config:      
Additional Information:

Phase: 8     
Type: NAT-EXEMPT
Subtype:     
Result: ALLOW
Config:      
nat-control  
match ip inside 172.25.20.0 255.255.255.0 outside host 10.122.233.194
NAT exempt
translate_hits = 546, untranslate_hits = 0
Additional Information:

Phase: 9     
Type: NAT    
Subtype:     
Result: ALLOW
Config:      
nat (inside) 2 172.25.20.0 255.255.255.0
nat-control  
match ip inside 172.25.20.0 255.255.255.0 outside any
dynamic translation to pool 2 (216.148.217.126)
translate_hits = 16997497, untranslate_hits = 1520236
Additional Information:

Phase: 10    
Type: NAT    
Subtype: host-limits
Result: ALLOW
Config:      
nat (inside) 2 172.25.20.0 255.255.255.0
nat-control  
match ip inside 172.25.20.0 255.255.255.0 outside any
dynamic translation to pool 2 (216.148.217.126)
translate_hits = 16997497, untranslate_hits = 1520236
Additional Information:

Phase: 11    
Type: VPN    
Subtype: encrypt
Result: DROP 
Config:      
Additional Information:

Result:      
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop 
Drop-reason: (acl-drop) Flow is denied by configured rule

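In the trace above the flow passes the interface ACL (Phase 5), hits the NAT exemption for host 10.122.233.194 (Phase 8) and then dies in the VPN encrypt phase (Phase 11, Result: DROP) with a final Drop-reason of acl-drop. The script below is an added example, not part of the original post or of any Cisco tool: it parses `packet-tracer` output into its phases so the first DROP, the interface ACL that permitted the flow and the NAT-exempt match line can be pulled out programmatically instead of by eye. The embedded sample is an abbreviated copy of the output posted above; the field layout it relies on (Phase/Type/Subtype/Result/Config/Additional Information blocks separated by blank lines, then a final Result block) is the one visible in that output.

```python
"""Parse Cisco ASA packet-tracer output into phases and report where the flow dies.

Added example for the forum post above; not the ASA's own code. It assumes the
text layout shown in the post: one blank-line-separated block per phase with
Phase/Type/Subtype/Result/Config/Additional Information fields, followed by a
final "Result:" block carrying Action and Drop-reason.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: an abbreviated copy of the packet-tracer output
# posted above (phases 1, 5, 8 and 11 plus the final Result block).
SAMPLE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_acl in interface inside
access-list Inside_acl extended permit ip 172.25.20.0 255.255.255.0 host 10.122.233.194
Additional Information:

Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 172.25.20.0 255.255.255.0 outside host 10.122.233.194
NAT exempt
translate_hits = 546, untranslate_hits = 0
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

KEYS = ("Phase", "Type", "Subtype", "Result")


@dataclass
class Phase:
    number: int
    kind: str
    subtype: str
    result: str
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    action: str
    drop_reason: str


def _parse_phase(lines):
    """Turn one Phase block into a Phase; config/info lines are kept verbatim."""
    fields = {k: "" for k in KEYS}
    config, info, bucket = [], [], None
    for raw in lines:
        line = raw.strip()
        if line.startswith("Config:"):
            bucket = config
            continue
        if line.startswith("Additional Information:"):
            bucket = info
            continue
        key, sep, val = line.partition(":")
        if bucket is None and sep and key in KEYS:
            fields[key] = val.strip()
        elif bucket is not None and line:
            bucket.append(line)
    return Phase(int(fields["Phase"]), fields["Type"], fields["Subtype"],
                 fields["Result"], config, info)


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase objects plus the final Action/Drop-reason."""
    phases, action, reason = [], "", ""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].strip()
        if head.startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif head.startswith("Result:"):
            for raw in lines[1:]:
                key, _, val = raw.strip().partition(":")
                if key == "Action":
                    action = val.strip()
                elif key == "Drop-reason":
                    reason = val.strip()
        # Anything else (e.g. the echoed command line) is ignored.
    return Trace(phases, action, reason)


def first_drop(trace):
    """First phase whose Result is DROP, or None when every phase allowed the flow."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def nat_exempt_match(trace):
    """The 'match ...' line of the NAT-EXEMPT phase, or None if no exemption was hit."""
    for p in trace.phases:
        if p.kind == "NAT-EXEMPT":
            return next((l for l in p.config if l.startswith("match ")), None)
    return None


if __name__ == "__main__":
    t = parse_packet_tracer(SAMPLE)
    d = first_drop(t)
    print(f"action={t.action} reason={t.drop_reason}")
    if d:
        print(f"first DROP: phase {d.number} {d.kind} {d.subtype}".rstrip())
    print(f"NAT exempt: {nat_exempt_match(t)}")
```

Run it on a full `packet-tracer` capture pasted into `SAMPLE` (or read from a file) to confirm which phase the flow last survived; comparing the NAT-exempt match line with the crypto ACL for the new peer network is the natural next check once the config Thanveer asks for below is available.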
1 Reply

Dear Parvej Khan,

Can you please post the configuration from before and after the change? Remember to remove the password and sensitive data if included.

Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
