VPN GRE IPsec through ASA

ukaszquz
Level 1

Hello, 

I have two routers, a Cisco 2921 and an 881. I want to set up a site-to-site VPN with GRE over IPsec between the routers. The Cisco 2921 is behind an ASA 5508-X in site A, and the ASA is connected to the internet. The Cisco 881 is in site B, connected to the internet. I enabled NAT-T on the ASA. If I configure only a GRE tunnel between the routers, it works. If I add IPsec to the GRE, there is a problem with ISAKMP and the VPN doesn't work. I don't know where the problem is.

This is my configuration:

ASA:

interface GigabitEthernet1/1
duplex full
nameif outside
security-level 0
ip address 213.216.110.XXX 255.255.255.248
!
interface GigabitEthernet1/8
description Connection to C2921
speed 1000
duplex full
nameif MENet
security-level 100
ip address 10.10.3.2 255.255.255.248
!
object network VPN-Router
 host 10.10.3.1
 nat (MENet,outside) static interface

crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 enable MENet

access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp

C2921 with IP 10.10.3.1, behind the ASA:

crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 30000

crypto isakmp key Mi2017a address 195.150.12.XX  

crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac 
mode tunnel

crypto ipsec profile MAIN_VPN_PROFILE
set security-association lifetime seconds 30000
set transform-set MI2018
!

interface GigabitEthernet0/2/0
description Connection to ASA
ip address 10.10.3.1 255.255.255.248
no ip redirects
no ip proxy-arp
duplex full
speed 1000
no cdp enable

interface Tunnel10
description EX-VPN
ip address 10.10.17.131 255.255.255.192
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 3 7
tunnel source GigabitEthernet0/2/0
tunnel destination 195.150.12.XX
tunnel protection ipsec profile MAIN_VPN_PROFILE
!

ip route 195.150.12.XX 255.255.255.248 GigabitEthernet0/2/0 10.10.3.2

Configuration on the 881 router:

crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 30000

crypto isakmp key Mi2017a address 213.216.110.XXX
!
crypto ipsec transform-set MI2018 esp-aes 256 esp-sha-hmac
mode tunnel

crypto ipsec profile MAIN_VPN_PROFILE
set security-association lifetime seconds 30000
set transform-set MI2018
!

interface Tunnel10
bandwidth 20000
ip address 10.10.17.130 255.255.255.192
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 3 7
tunnel source FastEthernet4
tunnel destination 213.216.110.XXX
tunnel protection ipsec profile MAIN_VPN_PROFILE

interface FastEthernet4
ip address 195.150.12.XX 255.255.255.248
no ip proxy-arp
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!

On the C881 I see:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
195.150.12.XX 213.216.110.XXX QM_IDLE 2111 ACTIVE
195.150.12.XX 213.216.110.XXX MM_NO_STATE 2110 ACTIVE (deleted)

 

On C2921 i see:

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
195.150.12.XX 10.10.3.1 MM_KEY_EXCH 1920 ACTIVE
195.150.12.XX 10.10.3.1 MM_NO_STATE 1919 ACTIVE (deleted)

If I enable debug ISAKMP I see:

*Feb  5 21:26:17.073: ISAKMP:(2008):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb  5 21:26:17.073: ISAKMP (2008): ID payload
        next-payload : 8
        type         : 1
        address      : 195.150.12.XX
        protocol     : 17
        port         : 0
        length       : 12
*Feb  5 21:26:17.073: ISAKMP:(2008):Total payload length: 12
*Feb  5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb  5 21:26:17.073: ISAKMP:(2008):Sending an IKE IPv4 Packet.
*Feb  5 21:26:17.077: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  5 21:26:17.077: ISAKMP:(2008):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Feb  5 21:26:17.081: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb  5 21:26:17.081: ISAKMP:(2008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb  5 21:26:17.573: ISAKMP:(2007): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:26:17.573: ISAKMP:(2007): retransmitting due to retransmit phase 1
*Feb  5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH...
*Feb  5 21:26:18.073: ISAKMP (2007): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  5 21:26:18.073: ISAKMP:(2007): retransmitting phase 1 MM_KEY_EXCH
*Feb  5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb  5 21:26:18.073: ISAKMP:(2007):Sending an IKE IPv4 Packet.
*Feb  5 21:26:27.065: ISAKMP (2008): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb  5 21:26:27.065: ISAKMP:(2008): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:26:27.065: ISAKMP:(2008): retransmitting due to retransmit phase 1
*Feb  5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE      ...
*Feb  5 21:26:27.565: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  5 21:26:27.565: ISAKMP:(2008): retransmitting phase 1 QM_IDLE
*Feb  5 21:26:27.565: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:26:27.565: ISAKMP:(2008):Sending an IKE IPv4 Packet.



*Feb  5 21:30:17.409: ISAKMP:(2013):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb  5 21:30:17.409: ISAKMP (2013): ID payload
        next-payload : 8
        type         : 1
        address      : 195.150.12.XX
        protocol     : 17
        port         : 0
        length       : 12
*Feb  5 21:30:17.409: ISAKMP:(2013):Total payload length: 12
*Feb  5 21:30:17.409: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb  5 21:30:17.409: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:17.409: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Feb  5 21:30:17.413: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb  5 21:30:17.417: ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  5 21:30:27.401: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb  5 21:30:27.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:30:27.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb  5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE      ...
*Feb  5 21:30:27.901: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  5 21:30:27.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb  5 21:30:27.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:27.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:37.397: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb  5 21:30:37.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:30:37.401: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb  5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE      ...
*Feb  5 21:30:37.901: ISAKMP (2013): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Feb  5 21:30:37.901: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb  5 21:30:37.901: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:37.901: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:38.013: ISAKMP: set new node 0 to QM_IDLE
*Feb  5 21:30:38.013: SA has outstanding requests  (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb  5 21:30:38.013: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  5 21:30:38.013: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 4112572105
*Feb  5 21:30:38.013: ISAKMP:(2013):QM Initiator gets spi
*Feb  5 21:30:38.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:38.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:38.013: ISAKMP:(2013):Node 4112572105, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  5 21:30:38.013: ISAKMP:(2013):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1


*Feb  5 21:30:47.409: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb  5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE      ...
*Feb  5 21:30:47.909: ISAKMP (2013): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Feb  5 21:30:47.909: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb  5 21:30:47.909: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:47.909: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE       -182395191 ...
*Feb  5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  5 21:30:48.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb  5 21:30:48.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:48.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:57.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb  5 21:30:57.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:30:57.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb  5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE      ...
*Feb  5 21:30:57.905: ISAKMP (2013): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Feb  5 21:30:57.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb  5 21:30:57.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:57.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE       -182395191 ...
*Feb  5 21:30:58.013: ISAKMP (2013): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb  5 21:30:58.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb  5 21:30:58.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:30:58.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:30:58.021: ISAKMP:(2012):purging node -1412652012
*Feb  5 21:30:58.021: ISAKMP:(2012):purging node 665005119
*Feb  5 21:30:58.417: ISAKMP:(2011):purging node -1499783167
*Feb  5 21:31:07.405: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb  5 21:31:07.405: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:31:07.405: ISAKMP:(2013): retransmitting due to retransmit phase 1
*Feb  5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE      ...
*Feb  5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb  5 21:31:07.905: ISAKMP:(2013): retransmitting phase 1 QM_IDLE
*Feb  5 21:31:07.905: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:31:07.905: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 QM_IDLE       -182395191 ...
*Feb  5 21:31:08.013: ISAKMP (2013): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb  5 21:31:08.013: ISAKMP:(2013): retransmitting phase 2 -182395191 QM_IDLE
*Feb  5 21:31:08.013: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:31:08.013: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:31:08.021: ISAKMP:(2012):purging SA., sa=86E8CB30, delme=86E8CB30
*Feb  5 21:31:08.117: ISAKMP: set new node 0 to QM_IDLE
*Feb  5 21:31:08.117: SA has outstanding requests  (local 133.208.215.12 port 4500, remote 133.208.215.40 port 4500)
*Feb  5 21:31:08.117: ISAKMP:(2013): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Feb  5 21:31:08.117: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 1297611346
*Feb  5 21:31:08.117: ISAKMP:(2013):QM Initiator gets spi
*Feb  5 21:31:08.117: ISAKMP:(2013):peer does not do paranoid keepalives.

*Feb  5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE       (peer 213.216.110.XXX)
*Feb  5 21:31:08.117: ISAKMP:(2013):Node 1297611346, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb  5 21:31:08.117: ISAKMP:(2013):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Feb  5 21:31:08.121: ISAKMP: set new node -222890906 to QM_IDLE
*Feb  5 21:31:08.125: ISAKMP:(2013): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) QM_IDLE
*Feb  5 21:31:08.125: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Feb  5 21:31:08.125: ISAKMP:(2013):purging node -222890906
*Feb  5 21:31:08.125: ISAKMP:(2013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb  5 21:31:08.125: ISAKMP:(2013):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Feb  5 21:31:08.125: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE       (peer 213.216.110.XXX)
*Feb  5 21:31:08.125: ISAKMP: Unlocking peer struct 0x85D0EAE0 for isadb_mark_sa_deleted(), count 0
*Feb  5 21:31:08.125: ISAKMP: Deleting peer node by peer_reap for 213.216.110.XXX: 85D0EAE0
*Feb  5 21:31:08.125: ISAKMP:(2013):deleting node -182395191 error FALSE reason "IKE deleted"
*Feb  5 21:31:08.125: ISAKMP:(2013):deleting node 1297611346 error FALSE reason "IKE deleted"
*Feb  5 21:31:08.129: ISAKMP:(2013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  5 21:31:08.129: ISAKMP:(2013):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Please help me.
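Added example, not part of the original post: a small Python triage script for the kind of `debug crypto isakmp` output shown above. It parses the lines IOS prints and summarises, per ISAKMP SA, which local IKE port was in use (500 before NAT-T detection, 4500 after), whether phase 1 completed, how far the phase 1 and phase 2 retransmit counters got, and why the SA was finally deleted. The sample log inside it is a constructed excerpt modelled on the debug above, with the peer address masked as in the post; the regular expressions follow the IOS message formats visible there and nothing else.

```python
"""Triage of Cisco IOS 'debug crypto isakmp' output for an IKEv1 peer behind NAT.

Added example: parses the debug lines the poster showed and summarises each
ISAKMP SA (local IKE port, phase 1 outcome, retransmit counters, delete reason).
SAMPLE_LOG is a constructed excerpt modelled on the post.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
*Feb  5 21:26:17.073: ISAKMP:(2008): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
*Feb  5 21:26:17.077: ISAKMP:(2008):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb  5 21:26:17.573: ISAKMP (2007): received packet from 213.216.110.XXX dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb  5 21:26:18.073: ISAKMP (2007): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  5 21:26:18.073: ISAKMP:(2007): sending packet to 213.216.110.XXX my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Feb  5 21:30:17.409: ISAKMP:(2013):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Feb  5 21:30:27.401: ISAKMP (2013): received packet from 213.216.110.XXX dport 4500 sport 4500 Global (R) QM_IDLE
*Feb  5 21:30:27.401: ISAKMP:(2013): phase 1 packet is a duplicate of a previous packet.
*Feb  5 21:30:27.901: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb  5 21:30:38.013: ISAKMP:(2013):beginning Quick Mode exchange, M-ID of 4112572105
*Feb  5 21:30:48.013: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  5 21:31:07.905: ISAKMP (2013): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Feb  5 21:31:08.013: ISAKMP (2013): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb  5 21:31:08.117: ISAKMP:(2013):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE       (peer 213.216.110.XXX)
"""

SA_RE = re.compile(r"ISAKMP:?\s*\((\d+)\)")
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \((I|R)\) (\S+)")
RETX_RE = re.compile(r"incrementing error counter on (sa|node), attempt (\d+) of (\d+): retransmit phase (\d)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DEL_RE = re.compile(r'deleting SA reason "([^"]+)"')
DUP_RE = re.compile(r"phase 1 packet is a duplicate")


@dataclass
class SaSummary:
    sa_id: int
    role: str = "?"                 # (I) initiator or (R) responder, as IOS prints it
    peer: str = ""
    local_ports: set = field(default_factory=set)   # 500 and/or 4500 (NAT-T)
    last_state: str = ""            # last IKE_* state from "New State ="
    exchange: str = ""              # last MM_*/QM_* tag on a sent/received packet
    phase1_complete: bool = False
    duplicates: int = 0             # peer re-sent a phase 1 packet we already answered
    p1_retransmits: int = 0         # highest "attempt N of 5" for phase 1
    p2_retransmits: int = 0         # highest "attempt N of 5" for phase 2
    deleted_reason: str = ""


def parse_isakmp_debug(text):
    """Return {sa_id: SaSummary} for every ISAKMP SA mentioned in the debug."""
    sas = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue                # lines without an SA id are not needed here
        sa = sas.setdefault(int(m.group(1)), SaSummary(int(m.group(1))))
        if (m := SEND_RE.search(line)) or (m := RECV_RE.search(line)):
            sa.peer, sa.role, sa.exchange = m.group(1), m.group(4), m.group(5)
            sa.local_ports.add(int(m.group(2)))      # my_port / dport = our side
        elif (m := RETX_RE.search(line)):
            attempt = int(m.group(2))
            if m.group(4) == "1":
                sa.p1_retransmits = max(sa.p1_retransmits, attempt)
            else:
                sa.p2_retransmits = max(sa.p2_retransmits, attempt)
        elif (m := STATE_RE.search(line)):
            sa.last_state = m.group(2)
            sa.phase1_complete |= m.group(2) == "IKE_P1_COMPLETE"
        elif (m := DEL_RE.search(line)):
            sa.deleted_reason = m.group(1)
        elif DUP_RE.search(line):
            sa.duplicates += 1
    return sas


def diagnose(sas):
    """Turn the per-SA summaries into findings a practitioner would act on."""
    findings = []
    for sa in sorted(sas.values(), key=lambda s: s.sa_id):
        if 4500 in sa.local_ports:
            findings.append(f"SA {sa.sa_id} ({sa.role}): NAT-T detected, IKE floated to UDP/4500 with peer {sa.peer}")
        if sa.phase1_complete and sa.duplicates:
            findings.append(f"SA {sa.sa_id}: phase 1 completed locally, but the peer re-sent its last phase 1 "
                            f"packet {sa.duplicates}x: our reply is not arriving at (or not accepted by) the peer")
        if sa.deleted_reason:
            findings.append(f"SA {sa.sa_id}: deleted ({sa.deleted_reason}) after {sa.p1_retransmits} "
                            f"phase 1 and {sa.p2_retransmits} phase 2 retransmits")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_LOG)):
        print(finding)
```

Read against the post's own output: SA 2013 reached IKE_P1_COMPLETE as responder on UDP/4500, yet the peer kept re-sending its last main mode packet and the local quick mode request drew no reply until the SA died of retransmissions. Reaching IKE_P1_COMPLETE rules out a policy or pre-shared key mismatch on this side, since those fail before that state; what remains to check is whether the UDP/4500 packets the 2921 sends through the ASA's static NAT actually arrive at the 881.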

 

6 Replies

Bogdan Nita
VIP Alumni

Your setup is a bit confusing.
Are you trying to terminate the IPsec tunnel on the ASA or on the 2921 behind the ASA? Same question for the GRE/VTI tunnel.
The ASA does not support GRE, but it does support VTI; if you are trying to set up a route-based VPN between the ASA and the 881, you will need to use VTI.
I do not see why NAT-T is needed on the ASA. If you are trying to have an IPsec tunnel between the routers, NAT-T should be enabled on the routers, not on the ASA, but you should have a static NAT on the ASA.
If the tunnel should terminate on the ASA, the ASA has a public IP and NAT-T is not needed.

HTH

Bogdan
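To make the NAT-T point in the reply above concrete, here is an added example (not from the reply, the poster, or Cisco) that models the NAT-Discovery step of IKEv1 main mode as specified in RFC 3947. Each router sends, in main mode messages 3 and 4, a hash of the ISAKMP cookies plus the peer's address and port followed by a hash over its own address and port; the receiver recomputes both from the IP/UDP header it actually received, and a mismatch reveals a NAT on the path. A firewall in between only rewrites the IP header and never touches the hashes, which is why NAT-T is negotiated by the two tunnel endpoints and not by the ASA. The hash is the one negotiated in the phase 1 policy (md5 in the post), so md5 is the default here; addresses are RFC 5737 stand-ins for the masked ones in the thread (10.10.3.1 the router behind the ASA, 203.0.113.2 the outside address it is statically NATed to, 198.51.100.7 the remote router).

```python
"""IKEv1 NAT-Discovery (RFC 3947) between a router behind static NAT and its peer.

Added example, not Cisco code: both directions of the NAT-D exchange, computed
with the hash negotiated in phase 1 (md5 in the post). Addresses are RFC 5737
stand-ins for the masked addresses in the thread.
"""
import hashlib
import ipaddress
import os
import struct

IKE_PORT, NAT_T_PORT = 500, 4500


def nat_d(cky_i, cky_r, ip, port, hash_name="md5"):
    """One NAT-D payload (RFC 3947 section 4): HASH(CKY-I | CKY-R | IP | Port)."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d(cky_i, cky_r, remote_ip, remote_port, local_ip, local_port, hash_name="md5"):
    """Payloads a sender includes: first the remote (destination) address, then its own."""
    return [nat_d(cky_i, cky_r, remote_ip, remote_port, hash_name),
            nat_d(cky_i, cky_r, local_ip, local_port, hash_name)]


def check_nat_d(cky_i, cky_r, payloads, my_ip, my_port, src_ip, src_port, hash_name="md5"):
    """Receiver side. my_ip/my_port and src_ip/src_port are taken from the IP/UDP
    header as received, i.e. after any NAT on the path.
    Returns (i_am_behind_nat, peer_is_behind_nat)."""
    i_am_behind_nat = nat_d(cky_i, cky_r, my_ip, my_port, hash_name) != payloads[0]
    peer_is_behind_nat = nat_d(cky_i, cky_r, src_ip, src_port, hash_name) not in payloads[1:]
    return i_am_behind_nat, peer_is_behind_nat


def simulate(a_real_ip, a_mapped_ip, b_ip, hash_name="md5"):
    """Run NAT-D both ways: router A sits behind a static NAT (real -> mapped), B does not."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)   # ISAKMP cookies from the SA header
    # A -> B. A only knows its real address; the NAT rewrites the IP source to
    # a_mapped_ip, but the hashes inside the ISAKMP payload still encode a_real_ip.
    a_payloads = build_nat_d(cky_i, cky_r, b_ip, IKE_PORT, a_real_ip, IKE_PORT, hash_name)
    b_view = check_nat_d(cky_i, cky_r, a_payloads, b_ip, IKE_PORT, a_mapped_ip, IKE_PORT, hash_name)
    # B -> A. B addresses the mapped IP; the NAT rewrites the destination back to a_real_ip.
    b_payloads = build_nat_d(cky_i, cky_r, a_mapped_ip, IKE_PORT, b_ip, IKE_PORT, hash_name)
    a_view = check_nat_d(cky_i, cky_r, b_payloads, a_real_ip, IKE_PORT, b_ip, IKE_PORT, hash_name)
    nat_found = any(a_view) or any(b_view)
    return {
        "a_sees": {"self_behind_nat": a_view[0], "peer_behind_nat": a_view[1]},
        "b_sees": {"self_behind_nat": b_view[0], "peer_behind_nat": b_view[1]},
        # RFC 3947 section 5.2: once a NAT is detected both sides move IKE to UDP/4500
        # from main mode message 5 on, and ESP is then carried in UDP/4500 (RFC 3948).
        "ike_port_from_mm5": NAT_T_PORT if nat_found else IKE_PORT,
    }


if __name__ == "__main__":
    print(simulate("10.10.3.1", "203.0.113.2", "198.51.100.7"))          # static NAT in the path
    print(simulate("203.0.113.2", "203.0.113.2", "198.51.100.7"))        # no NAT in the path
```

The first run reports that A knows it is behind a NAT and B knows its peer is, so both move to UDP/4500, which is exactly the `my_port 4500 peer_port 4500` seen in the poster's debug. The ASA's job in that design is only to forward UDP/500 and UDP/4500 (and, once NAT-T is active, nothing else for the tunnel) to the router through the static NAT and the access-list; `crypto isakmp nat-traversal` on the ASA governs tunnels the ASA itself terminates.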

Hi,

The GRE/IPsec tunnel terminates on the C2921. The 2921 router is NATed behind the ASA. I don't use the ASA for VTI. The ASA is only a firewall for access to the outside. The VPN tunnel is between the C2921 and the C881, through the ASA.

I used the configuration from slideshare.net/NetworksTraining, but I want to use GRE over IPsec. GRE alone works between the C2921 and the C881.

Hi, so the 2921 is behind the ASA?

Can you please provide the configuration for the ASA: access-list, object and NAT.

Yes, the C2921 is behind the ASA. The network between the ASA and the C2921 is 10.10.3.0 (the ASA and the C2921 are directly connected).

ASA config:

interface GigabitEthernet1/1
 duplex full
 nameif outside
 security-level 0
 ip address 213.216.110.XXX 255.255.255.248 
!
interface GigabitEthernet1/8
 description Connected to C2921
 speed 1000
 duplex full
 nameif MENet
 security-level 100
 ip address 10.10.3.2 255.255.255.248 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network VPN-Router
 host 10.10.3.1
object network VPN-Router
 nat (MENet,outside) static interface

route outside 0.0.0.0 0.0.0.0 213.216.110.XXX 1

crypto ikev1 enable outside
crypto ikev1 enable MENet
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

access-list OUT-MAIN extended permit gre host 195.150.12.XX host 10.10.3.1 
access-list OUT-MAIN extended permit esp host 195.150.12.XX host 10.10.3.1 
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq 4500 
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp 
access-list OUT-MAIN extended deny icmp any any 
access-list OUT-MAIN extended permit ip any any 

access-group OUT-MAIN in interface outside


policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
  inspect snmp 
  inspect ipsec-pass-thru 
 class global-class
  sfr fail-open monitor-only
 class class-default
  

Sorry, I just realised you already posted your ASA config.

Why the crypto configuration on the ASA? You aren't using the ASA for IPsec, or are you intending to?
I assume you are NATing behind the ASA's public IP address?
The ASA firewall rules look OK at first glance. I assume "permit ip any any" is for testing only? Are there any hits on any of the rules?
Can you run a packet trace to see what the output is?
Can you send the output of "show xlate"?

Hi,

On the ASA I have one tunnel to another location. I can disable it.

Yes, I am NATing to the public IP address of the outside interface.

Permit ip any any is only for the tests.

sh xlate:

NAT from MENet:10.10.3.1 to outside:213.216.110.XXX
flags s idle 0:00:00 timeout 0:00:00

MPLASA01# packet-tracer input outside udp 195.150.12.XX isakmp 10.10.3.1 isakm$

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.3.1 using egress ifc  MENet

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUT-MAIN in interface outside
access-list OUT-MAIN extended permit udp host 195.150.12.XX host 10.10.3.1 eq isakmp log 
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: SFR
Subtype: 
Result: ALLOW
Config:
class-map global-class
 match access-list sfr_redirect
policy-map global_policy
 class global-class
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru _default_ipsec_passthru_map 
service-policy global_policy global
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network VPN-Router
 nat (MENet,outside) static interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MENet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
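The trace above was run with the router's real address (10.10.3.1) as the destination. On ASA 8.3 and later the access-list is evaluated on real addresses, which is why Phase 3 still allows the packet, but a packet arriving from the internet is addressed to the mapped address (the outside interface IP under `static interface`); the missing UN-NAT phase and the drop at the NAT rpf-check are the ASA saying that no packet to 10.10.3.1 can legitimately enter on outside, because the static rule requires it to have been sent to the mapped address. The following is an added example, not ASA code and not from the thread: a simplified Python model of that inbound pipeline (UN-NAT, then ACL on real addresses, then NAT rpf-check) that parses the relevant lines of the poster's configuration and replays probes against it, reproducing the drop for the real-address probe and showing the mapped-address probes for UDP/500, UDP/4500, ESP and GRE going through. Addresses are RFC 5737 stand-ins for the masked ones in the post (203.0.113.2 for the ASA outside interface, 198.51.100.7 for the remote router), and the `permit ip any any` test rule is left out so the ACL decisions are visible.

```python
"""Simplified model of the ASA 8.3+ inbound path: UN-NAT -> ACL -> NAT rpf-check.

Added example, not ASA code: parses the interface, object, static NAT, access-list
and access-group lines from the poster's configuration and replays packet-tracer
style probes against them. Addresses are RFC 5737 stand-ins for the masked ones.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the post's ASA config; the 'permit ip any any' test rule is left out.
CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.2 255.255.255.248
object network VPN-Router
 host 10.10.3.1
object network VPN-Router
 nat (MENet,outside) static interface
access-list OUT-MAIN extended permit gre host 198.51.100.7 host 10.10.3.1
access-list OUT-MAIN extended permit esp host 198.51.100.7 host 10.10.3.1
access-list OUT-MAIN extended permit udp host 198.51.100.7 host 10.10.3.1 eq 4500
access-list OUT-MAIN extended permit udp host 198.51.100.7 host 10.10.3.1 eq isakmp
access-list OUT-MAIN extended deny icmp any any
access-group OUT-MAIN in interface outside
"""
PORT_NAMES = {"isakmp": 500}          # ASA port keywords used in the post
DROP_REASON = "(acl-drop) Flow is denied by configured rule"


@dataclass
class Packet:
    ingress: str
    proto: str
    src: str
    dst: str
    dport: int = 0


def _addr(tokens):
    """Consume one ASA address spec ('any', 'host X' or 'X MASK') from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    cfg = {"ifaces": {}, "objects": {}, "nats": [], "acls": {}, "groups": {}}
    cur = None                                    # current nameif or object name
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("nameif", "object"):        # 'nameif NAME' / 'object network NAME'
            cur = tok[-1]
        elif tok[:2] == ["ip", "address"]:
            cfg["ifaces"][cur] = tok[2]
        elif tok[0] == "host":
            cfg["objects"][cur] = tok[1]
        elif tok[0] == "nat":                     # nat (REAL,MAPPED) static interface|IP
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            cfg["nats"].append({"obj": cur, "real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "mapped": tok[-1]})
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto, rest = tok[1], tok[3], tok[4], tok[5:]
            src, dst = _addr(rest), _addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(name, []).append(
                {"line": line, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
        elif tok[0] == "access-group":            # access-group NAME in interface IFC
            cfg["groups"][tok[4]] = tok[1]
    return cfg


def _matches(rule, pkt, dst):
    return (rule["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and (rule["dport"] is None or rule["dport"] == pkt.dport))


def trace(cfg, pkt):
    """Return (phases, action, drop_reason) for a packet entering on pkt.ingress."""
    phases, dst, unnat = [], pkt.dst, None
    # UN-NAT: a static rule whose mapped side is the ingress interface and whose
    # mapped address ('interface' = that interface's IP) equals the destination.
    for nat in cfg["nats"]:
        mapped_ip = cfg["ifaces"][nat["mapped_ifc"]] if nat["mapped"] == "interface" else nat["mapped"]
        if nat["mapped_ifc"] == pkt.ingress and pkt.dst == mapped_ip:
            dst, unnat = cfg["objects"][nat["obj"]], nat
            phases.append(("UN-NAT", "ALLOW", f"{pkt.dst} -> {dst} (object {nat['obj']})"))
    # ACCESS-LIST: since 8.3 the ACL is evaluated on real (untranslated) addresses.
    acl = cfg["acls"].get(cfg["groups"].get(pkt.ingress), [])
    hit = next((r for r in acl if _matches(r, pkt, dst)), None)
    if hit is None or hit["action"] == "deny":
        phases.append(("ACCESS-LIST", "DROP", hit["line"] if hit else "implicit deny"))
        return phases, "DROP", DROP_REASON
    phases.append(("ACCESS-LIST", "ALLOW", hit["line"]))
    # NAT rpf-check: a static rule that maps this real destination onto the ingress
    # interface requires the packet to have been sent to the mapped IP (UN-NAT above).
    for nat in cfg["nats"]:
        if nat["mapped_ifc"] == pkt.ingress and cfg["objects"][nat["obj"]] == dst and nat is not unnat:
            phases.append(("NAT rpf-check", "DROP", f"object network {nat['obj']}"))
            return phases, "DROP", DROP_REASON
    phases.append(("NAT rpf-check", "ALLOW", ""))
    return phases, "ALLOW", ""
```

`trace(parse_config(CONFIG), Packet("outside", "udp", "198.51.100.7", "10.10.3.1", 500))` ends in the same rpf-check drop as the post; the same probe to 203.0.113.2 goes through UN-NAT, hits the isakmp rule and is allowed, so on the real box the test to repeat is `packet-tracer input outside udp <peer> isakmp <outside-interface-IP> isakmp`, and likewise for UDP/4500. One further check the thread raises but does not settle: with `crypto ikev1 enable outside` the ASA runs its own IKEv1 listener on the outside interface address, which is the very address the static NAT hands out for the router. `show asp table socket` lists the ASA's own listening sockets; whether inbound UDP/500 and UDP/4500 to that address are handed to the router or to the ASA's IKE process is something to confirm on the device, since this model does not cover it.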

 

 
