02-09-2013 01:36 PM
Hi buddies,
I have a problem with two ASAs, a 5540 and a 5510, running 8.4.3 and 8.2.5 respectively. Topology: LAN--ASA------*WAN*-------ASA-----LAN
On the 5540 side I don't have any Tx:
# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection : 189.213.94.5
Index : 107 IP Addr : 189.213.94.5
Protocol : IKEv1 IPsec
Encryption : 3DES 3DES 3DES Hashing : SHA1 SHA1 SHA1
Bytes Tx : 0 Bytes Rx : 19104
Login Time : 09:30:57 CST Fri Feb 8 2013
Duration : 0h:14m:12s
IKEv1 Tunnels: 1
IPsec Tunnels: 2
IKEv1:
Tunnel ID : 107.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 85549 Seconds
D/H Group : 2
Filter Name : OUTSIDE_cryptomap_1
IPv6 Filter :
IPsec:
Tunnel ID : 107.2
Local Addr : 10.10.0.0/255.255.255.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 27949 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607991 K-Bytes
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 0 Bytes Rx : 10200
Pkts Tx : 0 Pkts Rx : 170
IPsec:
Tunnel ID : 107.3
Local Addr : 10.5.0.0/255.255.0.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 27952 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607992 K-Bytes
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 0 Bytes Rx : 8904
Pkts Tx : 0 Pkts Rx : 84
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 852 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
And on the 5510 side I don't have any Rx:
# sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection : 201.140.121.82
Index : 695 IP Addr : 201.140.121.82
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 22480 Bytes Rx : 0
Login Time : 17:33:15 CST Fri Feb 8 2013
Duration : 0h:16m:32s
IKE Tunnels: 1
IPsec Tunnels: 2
IKE:
Tunnel ID : 695.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 85407 Seconds
D/H Group : 2
Filter Name :
IPsec:
Tunnel ID : 695.2
Local Addr : 192.168.2.0/255.255.255.0/0/0
Remote Addr : 10.10.0.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 27808 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 0 K-Bytes
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 11880 Bytes Rx : 0
Pkts Tx : 198 Pkts Rx : 0
IPsec:
Tunnel ID : 695.3
Local Addr : 192.168.2.0/255.255.255.0/0/0
Remote Addr : 10.5.0.0/255.255.0.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 27811 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 0 K-Bytes
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 10600 Bytes Rx : 0
Pkts Tx : 100 Pkts Rx : 0
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 994 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
Hope you guys can help me figure out the issue properly.
Thanks!
02-09-2013 02:19 PM
Does anything from networks 10.10.0.0/24 or 10.5.0.0/16 send traffic to 192.168.2.0/24?
Is everything correct with routing between protected subnets?
02-11-2013 09:15 AM
02-12-2013 05:05 AM
On the ASA-5510, you have: route inside 192.168.2.0 255.255.255.0 192.168.2.1 1
You don't need this because it's a locally connected subnet.
Are there routes on the LAN side of the ASA-5540 for 192.168.2.0/24 via 10.0.0.3?
HTH
Paul
****Please rate useful posts****
02-12-2013 12:40 PM
Hi Paul,
No, on the LAN side there is a static route to a Catalyst 4500, and it forwards all the traffic to another ASA.
Could the ESP protocol be denied or not supported by the ISP? But first I would need to validate that everything is configured correctly on both ASAs.
02-12-2013 07:42 PM
Hello Magdiel,
Your config looks correct, your tunnel establishes, and you have 1 way communication from the 5510 to the 5540.
This would lead me to believe that once traffic from 192.168.2.0/24 got to the 5540 and was sent to the destination network (for example, in your first post 192.168.2.0 was talking to 10.10.0.0 and 10.5.0.0), whatever routing you have behind the 5540 wasn't sending traffic destined for 192.168.2.0 back to the 5540.
Could you verify your routing from one of the 10.x.x.x servers behind the 5540 by doing a tracert to the 192.168.2.0 network?
-Gabriel
02-13-2013 12:21 PM
Hi Gabriel,
I have a 3750X and a WS-C4500, both with static routes for 192.168.2.0 and 192.168.11.0 pointing to the 5540's directly connected inside interface (10.10.0.3), and also to the outside public IP address of the 5510. Still the same.
When I perform a packet trace from the 5540 it shows me this:
# packet-tracer input OUTSIDE icmp 10.10.0.1 1 1 192.168.2.1
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x77e67da8, priority=13, domain=capture, deny=false
hits=1068170, user_data=0x795be578, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=OUTSIDE, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x77f2ace0, priority=1, domain=permit, deny=false
hits=1119798, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=OUTSIDE, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 INSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-IN global
access-list ACL-IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x77ff59f8, priority=12, domain=permit, deny=false
hits=4116, user_data=0x73b535c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x77f2e9e8, priority=0, domain=inspect-ip-options, deny=true
hits=92718, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x78a1c260, priority=70, domain=inspect-icmp, deny=false
hits=3428, user_data=0x78a1b790, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x77f2e5c0, priority=66, domain=inspect-icmp-error, deny=false
hits=3166, user_data=0x77f2dbd8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7867f630, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=22450, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network LAN-OUT
nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x77fe64b8, priority=6, domain=nat-reverse, deny=false
hits=58, user_data=0x77fdf688, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=INSIDE
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-13-2013 12:45 PM
Run the packet trace again only like this:
packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1
Post your results.
-Gabriel
02-13-2013 03:59 PM
There is an implicit rule blocking it!
# packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 INSIDE
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
____________________________________________________________
# sh run access-list
access-list VPN-INSIDE extended permit ip any any
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.9.4.40 255.255.255.252
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.12.0.0 255.255.255.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.90.1.0 255.255.255.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.200.0.0 255.255.255.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 192.168.42.0 255.255.255.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 192.168.250.0 255.255.255.128
access-list VPN-PRUEBA_splitTunnelAcl standard permit 192.168.250.128 255.255.255.128
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.6.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.5.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.9.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.16.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.15.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.7.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.90.0.0 255.255.0.0
access-list VPN-PRUEBA_splitTunnelAcl standard permit host 140.X.X.X
access-list VPN-PRUEBA_splitTunnelAcl standard permit host 141.X.X.X
access-list VPN-PRUEBA_splitTunnelAcl standard permit 172.31.0.0 255.255.0.0
access-list INSIDE-OUT extended permit icmp any any echo-reply
access-list INSIDE-OUT extended permit icmp any any time-exceeded
access-list INSIDE-OUT extended permit icmp any any unreachable
access-list ACL-IN extended permit ip any any
access-list INSIDE extended permit ip any any log
access-list OUTSIDE extended permit ip any any
access-list VPN-EQDZ_splitTunnelAcl standard permit host 10.1.1.100
access-list OUTSIDE_access_in extended permit ip any host 201.X.X.X
access-list OUTSIDE_access_in extended permit ip any host 201.X.X.X
access-list INSIDE_access_in extended permit ip object KIKELAP any
access-list INSIDE_access_in extended permit ip object CUCM_SFYA any
access-list INSIDE_access_in extended permit ip object EX60CETIC any
access-list INSIDE_access_in extended permit ip object COBAED-SERVER any
access-list outside_in extended permit tcp any host 209.X.X.X
access-list OUTSIDE_cryptomap_1 extended permit ip object-group REDES-MONITOREO object-group Monitor-XPG-MTY
access-list 150 extended permit ip host 201.X.X.X host 189.X.X.X log
02-13-2013 04:23 PM
Hmm, interesting.
You could try adding the following for a test: access-group INSIDE in interface INSIDE
But I am a little doubtful because the following shows the input as: INSIDE and output as INSIDE.
Do me a favor and post your "show route" on here.
---------------------------------------------------------------------------
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
---------------------------------------------------------------------------
02-13-2013 04:54 PM
# sh route | inc 192.168.2.0
S 192.168.240.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
S 192.168.240.100 255.255.255.255 [1/0] via 201.x.x.x, OUTSIDE
S 192.168.240.102 255.255.255.255 [1/0] via 201.x.x.x, OUTSIDE
D 192.168.250.0 255.255.255.0 [90/3584] via 10.10.0.1, 272:56:17, INSIDE
D 192.168.220.0 255.255.255.0
S 192.168.2.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
# sh route | inc 192.168.11.0
S 192.168.11.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 201.x.x.x to network 0.0.0.0
D EX 201.X.X.X 255.255.255.252
[170/2817280] via 10.10.0.1, 3:07:47, INSIDE
S 192.168.240.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
S 192.168.240.100 255.255.255.255 [1/0] via 201.140.121.81, OUTSIDE
S 192.168.240.101 255.255.255.255 [1/0] via 201.140.121.81, OUTSIDE
S 192.168.240.102 255.255.255.255 [1/0] via 201.140.121.81, OUTSIDE
D 192.168.42.0 255.255.255.0 [90/3328] via 10.10.0.1, 285:46:56, INSIDE
D EX 201.112.186.224 255.255.255.252
[170/2817280] via 10.10.0.1, 24:05:54, INSIDE
S 140.85.59.45 255.255.255.255 [1/0] via 10.10.0.1, INSIDE
S 141.146.240.213 255.255.255.255 [1/0] via 10.10.0.1, INSIDE
D EX 141.146.242.6 255.255.255.255 [170/3584] via 10.10.0.1, 260:00:38, INSIDE
D 192.168.111.0 255.255.255.0 [90/3584] via 10.10.0.1, 285:46:56, INSIDE
D EX 201.112.187.32 255.255.255.252
[170/2817280] via 10.10.0.1, 3:28:22, INSIDE
D 192.168.246.0 255.255.255.0 [90/3584] via 10.10.0.1, 273:10:39, INSIDE
D EX 189.255.128.132 255.255.255.252
[170/2817280] via 10.10.0.1, 24:05:54, INSIDE
D EX 189.254.27.32 255.255.255.240
[170/2817280] via 10.10.0.1, 24:05:54, INSIDE
D EX 189.254.233.96 255.255.255.240
[170/2817280] via 10.10.0.1, 24:05:54, INSIDE
D EX 172.16.239.19 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:54, INSIDE
D EX 172.16.239.18 255.255.255.255
[170/2817280] via 10.10.0.1, 5:27:33, INSIDE
D EX 172.16.239.17 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.16 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.23 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.22 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.21 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.20 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.27 255.255.255.255
[170/2817280] via 10.10.0.1, 3:28:00, INSIDE
D EX 172.16.239.26 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.25 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.31 255.255.255.255
[170/2817280] via 10.10.0.1, 24:05:55, INSIDE
D EX 172.16.239.30 255.255.255.255
[170/2817280] via 10.10.0.1, 3:58:04, INSIDE
....
And the list goes on much further..
02-13-2013 05:55 PM
Looks like your issue is that you have the route to 192.168.2.X pointing INSIDE on your 5540, when it should be pointing to your OUTSIDE interface, or just letting the default route take care of it.
Remove the static for 192.168.2.0 on the 5540:
no route INSIDE 192.168.2.0 255.255.255.0 10.10.0.1 1
Then see if two-way communication is happening. Try: packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1
again. If all checks out, see if you have two-way communication through the VPN.
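The symptom in the first post (Pkts Tx 0 on the 5540 and Pkts Rx 0 on the 5510 for the same pair of IPsec SAs) and the cause in the answer above (a static route for 192.168.2.0/24 on the 5540 pointing INSIDE, so the packet never reaches the crypto map on OUTSIDE) can both be checked mechanically from the two show outputs. The following is an added example written for this thread; it is not code from the thread, from Cisco, or from any ASA tool. It parses trimmed copies of the `show vpn-sessiondb detail l2l` and `show route` text posted above, assumes the 8.x field layout seen there, and assumes an `S* 0.0.0.0 0.0.0.0 [1/0] via 201.140.121.81, OUTSIDE` default entry, since the posted `show route` listing was cut off before reaching it.

```python
"""Flag one-way L2L IPsec SAs and remote selectors routed away from the crypto-map
interface, using "show vpn-sessiondb detail l2l" and "show route" text as input.
Added example for this thread, not Cisco code.  Samples are trimmed copies of the
thread's posts; the S* default entry is assumed (the posted listing stops before it)."""
import ipaddress
import re
from dataclasses import dataclass

SESSIONDB_5540 = """\
Tunnel ID : 107.1
UDP Src Port : 500 UDP Dst Port : 500
IPsec:
Tunnel ID : 107.2
Local Addr : 10.10.0.0/255.255.255.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Pkts Tx : 0 Pkts Rx : 170
IPsec:
Tunnel ID : 107.3
Local Addr : 10.5.0.0/255.255.0.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Pkts Tx : 0 Pkts Rx : 84
"""
SESSIONDB_5510 = """\
Tunnel ID : 695.2
Local Addr : 192.168.2.0/255.255.255.0/0/0
Remote Addr : 10.10.0.0/255.255.255.0/0/0
Pkts Tx : 198 Pkts Rx : 0
"""
ROUTES_5540 = """\
S* 0.0.0.0 0.0.0.0 [1/0] via 201.140.121.81, OUTSIDE
S 192.168.240.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
D EX 201.112.186.224 255.255.255.252
[170/2817280] via 10.10.0.1, 24:05:54, INSIDE
S 192.168.2.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
"""
# Same table after the accepted fix: no route INSIDE 192.168.2.0 255.255.255.0 10.10.0.1 1
ROUTES_5540_FIXED = ROUTES_5540.replace("S 192.168.2.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE\n", "")


@dataclass
class IpsecSA:
    tunnel_id: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    pkts_tx: int
    pkts_rx: int

    def direction_problem(self):
        """None when both counters move, else which direction is dead."""
        if self.pkts_tx == 0:  # rx-only: peer traffic is decrypted, ours never reaches the crypto map
            return "idle" if self.pkts_rx == 0 else "rx-only"
        return "tx-only" if self.pkts_rx == 0 else None  # tx-only: we encrypt, nothing comes back


def _selector(line):
    # "Local Addr : 10.10.0.0/255.255.255.0/0/0" -> 10.10.0.0/24 (proto/port fields dropped)
    net, mask = line.split(":", 1)[1].strip().split("/")[:2]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def parse_sessiondb(text):
    """One IpsecSA per 'IPsec:' block; IKE blocks carry no Local/Remote Addr and are skipped."""
    sas, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Tunnel ID"):
            cur = {"tid": line.split(":", 1)[1].strip()}
        elif cur is not None and line.startswith(("Local Addr", "Remote Addr")):
            cur[line.split()[0].lower()] = _selector(line)  # keys: "local", "remote"
        elif cur is not None and line.startswith("Pkts Tx"):
            m = re.match(r"Pkts Tx\s*:\s*(\d+)\s+Pkts Rx\s*:\s*(\d+)", line)
            if m and "remote" in cur:
                sas.append(IpsecSA(cur["tid"], cur["local"], cur["remote"], int(m[1]), int(m[2])))
            cur = None
    return sas


ROUTE_RE = re.compile(r"^[A-Z]{1,2}\*?(?: EX)?\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+\[\d+/\d+\]"
                      r"\s+via\s+(?P<nh>[\d.]+),(?:\s+[\d:]+,)?\s+(?P<ifc>\S+)$")


def parse_routes(text):
    """[(network, next_hop, interface)] from 'show route'; wrapped 'D EX' entries are re-joined."""
    joined = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and joined:
            joined[-1] += " " + line
        else:
            joined.append(line)
    matches = filter(None, map(ROUTE_RE.match, joined))
    return [(ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False), m["nh"], m["ifc"]) for m in matches]


def egress_for(dest, routes):
    """Longest-prefix match, as the ASA ROUTE-LOOKUP phase does; None if unrouted."""
    covering = [r for r in routes if dest.subnet_of(r[0])]
    return max(covering, key=lambda r: r[0].prefixlen) if covering else None


def misrouted_sas(sas, routes, crypto_ifc="OUTSIDE"):
    """SAs whose remote selector leaves by an interface other than the crypto-map one; such
    packets never reach 'VPN encrypt' (packet-tracer: ROUTE-LOOKUP -> INSIDE, then a DROP)."""
    out = []
    for sa in sas:
        hit = egress_for(sa.remote, routes) or (None, None, None)
        if hit[2] != crypto_ifc:
            out.append((sa.tunnel_id, str(sa.remote), hit[2], hit[1]))
    return out
```

Calling `misrouted_sas(parse_sessiondb(SESSIONDB_5540), parse_routes(ROUTES_5540))` reports both SAs (107.2 and 107.3) egressing INSIDE via 10.10.0.1, which is what the ROUTE-LOOKUP phase printed as `in 192.168.2.0 255.255.255.0 INSIDE`; with `ROUTES_5540_FIXED` the default route wins and the list is empty, matching the later trace's `in 0.0.0.0 0.0.0.0 OUTSIDE`. The route check is worth repeating after any static-route change on a VPN headend: a remote selector that routes to an interface without the crypto map is either dropped, as it was here, or, where that interface does reach the peer network, forwarded in cleartext instead of being encrypted.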
02-14-2013 11:51 AM
Thanks for your advice, Gabriel.
After I deleted some inside routes and added two access-lists like this:
access-list 150 extended permit ip host 189.x.x.x host 201.x.x.x log
and vice versa, and also cleared the crypto IPsec and ISAKMP SAs... everything started to have bidirectional traffic.
Keep in touch!
# sh vpn-sessiondb de l2l
Session Type: LAN-to-LAN Detailed
Connection : 189.x.x.x
Index : 283 IP Addr : 189.x.x.x
Protocol : IKEv1 IPsec
Encryption : 3DES 3DES 3DES 3DES 3DES 3DES 3DES
Hashing : SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1
Bytes Tx : 3382956 Bytes Rx : 611086
Login Time : 13:39:36 CST Thu Feb 14 2013
Duration : 0h:09m:43s
IKEv1 Tunnels: 1
IPsec Tunnels: 6
IKEv1:
Tunnel ID : 283.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 85817 Seconds
D/H Group : 2
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 283.2
Local Addr : 10.6.0.0/255.255.0.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 28217 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607975 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 16067 Bytes Rx : 25882
Pkts Tx : 152 Pkts Rx : 479
IPsec:
Tunnel ID : 283.3
Local Addr : 10.90.0.0/255.255.0.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 28218 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4604723 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 3355837 Bytes Rx : 449631
Pkts Tx : 2768 Pkts Rx : 1954
IPsec:
Tunnel ID : 283.4
Local Addr : 10.5.0.0/255.255.0.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 28223 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607997 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 109 Bytes Rx : 3074
Pkts Tx : 1 Pkts Rx : 29
IPsec:
Tunnel ID : 283.5
Local Addr : 10.9.0.0/255.255.0.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 28253 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 21 Minutes
Bytes Tx : 320 Bytes Rx : 0
Pkts Tx : 4 Pkts Rx : 0
IPsec:
Tunnel ID : 283.6
Local Addr : 10.10.0.0/255.255.255.0/0/0
Remote Addr : 192.168.11.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 28266 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607879 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
Bytes Tx : 20291 Bytes Rx : 124484
Pkts Tx : 171 Pkts Rx : 225
IPsec:
Tunnel ID : 283.7
Local Addr : 10.10.0.0/255.255.255.0/0/0
Remote Addr : 192.168.2.0/255.255.255.0/0/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 28800 Seconds Rekey Left(T): 28401 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607984 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 17295 Bytes Rx : 10805
Pkts Tx : 122 Pkts Rx : 135
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 584 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
___________________________________________________________
# packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit ip any any log
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static REDES-MONITOREO REDES-MONITOREO destination static Monitor-XPG-MTY Monitor-XPG-MTY no-proxy-arp route-lookup
Additional Information:
Static translate 10.10.0.1/0 to 10.10.0.1/0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12147, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow