
Help with Deciphering Packet-tracer Output

iglablues
Level 1

Related to my other question, can someone give a glance at this packet-tracer output and tell me if NAT translation looks like it could be a problem for getting traffic from 10.100.0.0 across an L2L tunnel to 192.168.0.0? It says ALLOW, but it's not actually getting to the other end, so something's not right...

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd8ee0eb8, priority=12, domain=capture, deny=false

hits=191361263511, user_data=0xd8f867c8, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd822d430, priority=1, domain=permit, deny=false

hits=118120795075, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd822fb68, priority=0, domain=inspect-ip-options, deny=true

hits=581686914, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd82a4ce0, priority=21, domain=lu, deny=true

hits=22423067, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 10.100.0.0 255.255.0.0 outside 192.168.0.0 255.255.0.0

    NAT exempt

    translate_hits = 45611518, untranslate_hits = 112889788

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd82f45b0, priority=6, domain=nat-exempt, deny=false

hits=48955726, user_data=0xd82f44f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip=10.100.0.0, mask=255.255.0.0, port=0

dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 8

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 10.100.0.0 255.255.0.0

  match ip inside 10.100.0.0 255.255.0.0 outside any

    dynamic translation to pool 1 (13.13.13.13 [Interface PAT])

    translate_hits = 305268954, untranslate_hits = 93680730

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd82f98f0, priority=1, domain=nat, deny=false

hits=417343285, user_data=0xd82f9830, cs_id=0x0, flags=0x0, protocol=0

src ip=10.100.0.0, mask=255.255.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 10.100.0.0 255.255.0.0

  match ip inside 10.100.0.0 255.255.0.0 inside any

    dynamic translation to pool 1 (No matching global)

    translate_hits = 10, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd82f9440, priority=1, domain=host, deny=false

hits=543577845, user_data=0xd82f9028, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=10.100.0.0, mask=255.255.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd92b8a28, priority=70, domain=encrypt, deny=false

        hits=962699, user_data=0x132ad1a4, cs_id=0xd8bb7488, reverse, flags=0x0, protocol=0

src ip=10.100.0.0, mask=255.255.0.0, port=0

dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xdaac6160, priority=69, domain=ipsec-tunnel-flow, deny=false

hits=62623, user_data=0x15fb133c, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=192.168.0.0, mask=255.255.0.0, port=0

dst ip=10.100.0.0, mask=255.255.0.0, port=0, dscp=0x0

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xd827e798, priority=0, domain=inspect-ip-options, deny=true

        hits=669582282, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 590217043, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

1 Reply

Jeet Kumar
Cisco Employee

Hi,

As per the packet tracer, the NAT which was used is the NAT exempt:

Phase: 7

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 10.100.0.0 255.255.0.0 outside 192.168.0.0 255.255.0.0

    NAT exempt

    translate_hits = 45611518, untranslate_hits = 112889788

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd82f45b0, priority=6, domain=nat-exempt, deny=false

hits=48955726, user_data=0xd82f44f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip=10.100.0.0, mask=255.255.0.0, port=0

dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0

Unless you needed a translation for this traffic, this packet tracer is looking good.

In case you needed a translation, make sure you remove the interesting traffic from the NAT exempt.

In case you have any further queries, please feel free to email me.

Thanks

Jeet Kumar
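A small parser for output laid out like the trace in this thread, added here as an example (not code from either poster or from Cisco); the function names and the condensed sample are constructed. It reports the first non-ALLOW phase, the NAT-EXEMPT rule that matched, and whether the VPN encrypt phase was allowed.

```python
import re

# Constructed sample: condensed from the layout of the trace posted above.
SAMPLE = """\
Phase: 7
Type: NAT-EXEMPT
Result: ALLOW
  match ip inside 10.100.0.0 255.255.0.0 outside 192.168.0.0 255.255.0.0
Phase: 8
Type: NAT
Result: ALLOW
  match ip inside 10.100.0.0 255.255.0.0 outside any
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
Action: allow
"""

FIELD = re.compile(r"^(Phase|Type|Subtype|Result|Action):\s*(.*)$")

def parse_trace(text):
    phases, summary, cur = [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.match(line)
        if m is None:
            if cur is not None and line.startswith("match ip "):
                cur["match"].append(line)  # rule text printed under Config:
        elif m[1] == "Phase":
            cur = {"phase": int(m[2]), "type": "", "subtype": "", "result": "", "match": []}
            phases.append(cur)
        elif m[1] == "Result" and not m[2]:
            cur = None  # a bare "Result:" opens the final summary block
        elif cur is not None:
            cur[m[1].lower()] = m[2]
        else:
            summary[m[1]] = m[2]
    return phases, summary

def summarize(text):
    phases, summary = parse_trace(text)
    blocked = [p["phase"] for p in phases if p["result"] != "ALLOW"]
    exempt = [p["match"][0] for p in phases if p["type"] == "NAT-EXEMPT" and p["match"]]
    return {
        "action": summary.get("Action"),
        "first_non_allow_phase": blocked[0] if blocked else None,
        "nat_exempt_rule": exempt[0] if exempt else None,
        "vpn_encrypt_allowed": any((p["type"], p["subtype"], p["result"]) == ("VPN", "encrypt", "ALLOW") for p in phases),
    }
```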