01-13-2015 09:19 AM
Hello
I have an existing VPN. I added a new ACL statement allowing communications between servers on port 104.
The packet-tracer output follows. Please review and advise if you see anything causing the problems.
MY_ASA#
MY-ASA# term pager 300
MY-ASA# packet-tracer input inside tcp 10.168.32.21 104 172.28.24.101 104 det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_IN in interface inside
access-list INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x253f5b38, priority=12, domain=permit, deny=false
hits=103272257, user_data=0x1db683c0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map abc1
match any
policy-map global_policy
class abc1
set connection advanced-options abc
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x27363248, priority=7, domain=conn-set, deny=false
hits=104453920, user_data=0x27362390, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2426e4d8, priority=0, domain=inspect-ip-options, deny=true
hits=125105615, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 170.27.201.221 access-list PCC_SEQOUIA_PNAT_2
match ip inside host SYNGO-NEW outside 170.27.24.200 255.255.255.254
static translation to 170.27.201.221
translate_hits = 10, untranslate_hits = 31094
Additional Information:
Forward Flow based lookup yields rule:
in id=0x25330d60, priority=5, domain=host, deny=false
hits=136957, user_data=0x25330718, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=SYNGO-NEW, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (170.27.135.1 - 170.27.135.253)
translate_hits = 94132400, untranslate_hits = 36950114
Additional Information:
Dynamic translate SYNGO-NEW/104 to 170.27.135.254/273 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0x252b8048, priority=1, domain=nat, deny=false
hits=133821750, user_data=0x252b7f88, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2421fbc0, priority=0, domain=inspect-ip-options, deny=true
hits=158149578, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141418212, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
MY-ASA#
01-14-2015 08:39 AM
Hi Steve,
You are missing a NAT exemption for this traffic, hence the traffic is getting NATted when it hits this statement:
static (inside,outside) 170.27.201.221 access-list PCC_SEQOUIA_PNAT_2
Please add a NAT exemption.
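As an added illustration (not part of either post), the helper below parses the NAT phases of a packet-tracer trace like the one above and reports which NAT rules the flow hit, whether any of them was an exemption, and what the source was translated to; the sample text is a constructed excerpt of the trace above, and the exemption pattern assumes the pre-8.3 `nat (<iface>) 0 access-list <acl>` form that matches the `nat (inside) 1` rule seen in the trace.

```python
import re
# Constructed excerpt of the NAT phases from the packet-tracer output above.
SAMPLE = """\
Phase: 5
Type: NAT
Config:
static (inside,outside) 170.27.201.221 access-list PCC_SEQOUIA_PNAT_2
Additional Information:
Phase: 6
Type: NAT
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
Additional Information:
Dynamic translate SYNGO-NEW/104 to 170.27.135.254/273 using netmask 255.255.255.255
"""

TRANSLATE_RE = re.compile(r"Dynamic translate (\S+)/\d+ to (\S+)/\d+")  # source was translated
EXEMPT_RE = re.compile(r"nat \(\S+\) 0 access-list ")  # assumed pre-8.3 NAT exemption rule form

def parse_phases(text):
    """Group packet-tracer output into phases: the phase type plus its remaining lines."""
    phases = []
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phases.append({"type": "", "lines": []})
        elif not phases:
            continue  # skip anything before the first phase (e.g. the command echo)
        elif line.startswith("Type:"):
            phases[-1]["type"] = line.split(":", 1)[1].strip()
        else:
            phases[-1]["lines"].append(line.strip())
    return phases

def nat_diagnosis(text):
    """Report NAT rules the flow hit, whether one was an exemption, and any translated source."""
    out = {"exempt": False, "translated_src": None, "rules": []}
    for p in parse_phases(text):
        if p["type"] != "NAT":
            continue
        for ln in p["lines"]:
            if ln.startswith(("nat (", "static (")):
                out["rules"].append(ln)
                out["exempt"] |= bool(EXEMPT_RE.match(ln))
            m = TRANSLATE_RE.search(ln)
            if m:
                out["translated_src"] = m.group(2)  # flow will leave with this source address
    return out
```

A result with `exempt` False and a `translated_src` set, as for the trace above, means the VPN-bound flow is being NATted before crypto-map matching, which is the condition the reply points at.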