Hi all,
Currently I am facing one problem: I replaced one IP address with a new one in the interesting traffic list for my site-to-site VPN, and now it's not working. Any guess? Logs below:
ASA-PROD/act# packet-tracer input inside tcp 172.25.20.53 12452 10.122.233$
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.25.0.0 255.255.0.0 inside
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_acl in interface inside
access-list Inside_acl extended permit ip 172.25.20.0 255.255.255.0 host 10.122.233.194
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 172.25.20.0 255.255.255.0 outside host 10.122.233.194
NAT exempt
translate_hits = 546, untranslate_hits = 0
Additional Information:
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 2 172.25.20.0 255.255.255.0
nat-control
match ip inside 172.25.20.0 255.255.255.0 outside any
dynamic translation to pool 2 (216.148.217.126)
translate_hits = 16997497, untranslate_hits = 1520236
Additional Information:
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 2 172.25.20.0 255.255.255.0
nat-control
match ip inside 172.25.20.0 255.255.255.0 outside any
dynamic translation to pool 2 (216.148.217.126)
translate_hits = 16997497, untranslate_hits = 1520236
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule