385 Views, 25 Helpful, 18 Replies

Participant

VPN site-to-site UP, but not traffic

Dear friends,

I built a site-to-site VPN using two ASA 5555s at each site, running Software Version 9.2(4).

The VPN is UP, as shown below:

ASA-SSP-Pri(config)# sh isak sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
268373031 201.23.100.130/500 200.174.36.19/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/272 sec
Child sa: local selector 10.69.0.0/0 - 10.69.0.255/65535
remote selector 10.12.20.0/0 - 10.12.20.255/65535
ESP spi in/out: 0xf89430e6/0x86a5cd8f

But when I try to ping from one site to the other, it is not possible; the result of the ping is "????".

I did some research about this problem and many people say that the crypto isakmp nat-traversal 20 command is missing, but this command is already enabled.

NAT exemption is enabled, and I also tested with it disabled.

Accepted Solution

Beginner

Hello,

The only remaining thing I can think of is that there is a duplicate SPI in the ASP table, and that is why the traffic is not encrypted; everything else looks correct. Run the following command on the ASA:

clear crypto ipsec sa inactive

Test again.


18 Replies
Beginner

Hello,

Can you add the output of the command "show crypto ipsec sa" from both sides?

Regards,

Participant

Diego,

Here is the result:

ASA-ARR# show crypto ipsec sa
interface: External
Crypto map tag: External_map, seq num: 1, local addr: 200.174.36.19

access-list External_cryptomap extended permit ip 10.12.20.0 255.255.255.0 10.69.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.12.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.69.0.0/255.255.255.0/0/0)
current_peer: 201.23.100.130


#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 200.174.36.19/500, remote crypto endpt.: 201.23.100.130/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 3AD05183
current inbound spi : 79F03853

inbound esp sas:
spi: 0x79F03853 (2045786195)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 12288, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4147200/28778)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x3AD05183 (986730883)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 12288, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4285439/28778)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA-SSP-Pri# show crypto ipsec sa
interface: Lan1
Crypto map tag: Lan1_map, seq num: 1, local addr: 201.23.100.130

access-list Lan1_cryptomap_2 extended permit ip 10.69.0.0 255.255.255.0 10.12.20.0 255.255.255.0
local ident (addr/mask/prot/port): (10.69.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.12.20.0/255.255.255.0/0/0)
current_peer: 200.174.36.19


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 201.23.100.130/500, remote crypto endpt.: 200.174.36.19/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 79F03853
current inbound spi : 3AD05183

inbound esp sas:
spi: 0x3AD05183 (986730883)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 40153088, crypto-map: Lan1_map
sa timing: remaining key lifetime (kB/sec): (4101119/28730)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x79F03853 (2045786195)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 40153088, crypto-map: Lan1_map
sa timing: remaining key lifetime (kB/sec): (4055040/28730)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
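
The two outputs above already show the asymmetry: ASA-ARR encapsulates 4 packets and decapsulates 0, ASA-SSP-Pri decapsulates 4 and encapsulates 0, and the SPIs pair up (ARR's outbound 3AD05183 is SSP-Pri's inbound). The script below is an added example, not code posted in the thread: it parses both outputs, checks that the SPIs and peer addresses pair correctly, and names the direction in which traffic is missing. The embedded sample outputs are constructed from the lines posted above, keeping only what the parser needs; the host names come from the prompts.

```python
"""Cross-check 'show crypto ipsec sa' from both ends of an ASA L2L tunnel.

Added example for this thread, not something posted in it. The two sample
outputs are constructed from the counters, SPIs and addresses posted above.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class IpsecSa:
    host: str
    local: str    # local crypto endpoint (this ASA's outside address)
    peer: str     # current_peer
    encaps: int   # packets this ASA encrypted and sent into the tunnel
    decaps: int   # packets this ASA received from the tunnel and decrypted
    spi_out: str  # SPI this ASA puts on outbound ESP
    spi_in: str   # SPI this ASA expects on inbound ESP


_FIELDS = {
    "local":   r"local addr:\s*(\S+)",
    "peer":    r"current_peer:\s*(\S+)",
    "encaps":  r"#pkts encaps:\s*(\d+)",
    "decaps":  r"#pkts decaps:\s*(\d+)",
    "spi_out": r"current outbound spi:\s*([0-9A-Fa-f]+)",
    "spi_in":  r"current inbound spi\s*:\s*([0-9A-Fa-f]+)",
}


def parse_ipsec_sa(text: str, host: str) -> IpsecSa:
    """Pull the first SA's endpoints, counters and SPIs out of the command output."""
    found: dict[str, str] = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"{host}: no '{name}' line in output")
        found[name] = m.group(1)
    return IpsecSa(host, found["local"], found["peer"], int(found["encaps"]),
                   int(found["decaps"]), found["spi_out"].upper(), found["spi_in"].upper())


def diagnose(a: IpsecSa, b: IpsecSa) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for the pair; an empty list means symmetric."""
    findings: list[tuple[str, str]] = []
    if a.peer != b.local or b.peer != a.local:
        findings.append(("PEER_MISMATCH", f"{a.host} and {b.host} do not describe the same tunnel"))
    # Each side's outbound SPI must be the other side's inbound SPI; otherwise one peer
    # holds a stale child SA (the duplicate-SPI case that 'clear crypto ipsec sa inactive' addresses).
    if a.spi_out != b.spi_in or b.spi_out != a.spi_in:
        findings.append(("SPI_MISMATCH",
                         f"{a.host} out/in {a.spi_out}/{a.spi_in} vs {b.host} out/in {b.spi_out}/{b.spi_in}"))
    for x, y in ((a, b), (b, a)):
        # x encrypts but y never decrypts: ESP is lost between the peers.
        if x.encaps > 0 and y.decaps == 0:
            findings.append(("ESP_LOST", f"{x.host} sent {x.encaps} ESP packets, {y.host} decrypted none"))
        # x decrypts but never encrypts: the reply never reaches x's crypto map
        # (routing, NAT or ACL on the inside, or nothing behind x answering).
        if x.decaps > 0 and x.encaps == 0:
            findings.append(("NO_REPLY_ENCRYPTED",
                             f"{x.host} decrypted {x.decaps} packets but encrypted none; replies never return to it"))
    return findings


# Constructed from the thread's outputs, trimmed to the lines the parser reads.
SAMPLE_ARR = """\
ASA-ARR# show crypto ipsec sa
Crypto map tag: External_map, seq num: 1, local addr: 200.174.36.19
current_peer: 201.23.100.130
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 3AD05183
current inbound spi : 79F03853
"""
SAMPLE_SSP = """\
ASA-SSP-Pri# show crypto ipsec sa
Crypto map tag: Lan1_map, seq num: 1, local addr: 201.23.100.130
current_peer: 200.174.36.19
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
current outbound spi: 79F03853
current inbound spi : 3AD05183
"""

if __name__ == "__main__":
    arr = parse_ipsec_sa(SAMPLE_ARR, "ASA-ARR")
    ssp = parse_ipsec_sa(SAMPLE_SSP, "ASA-SSP-Pri")
    for code, why in diagnose(arr, ssp) or [("OK", "counters symmetric, SPIs consistent")]:
        print(f"{code}: {why}")
```

On the thread's data this reports only NO_REPLY_ENCRYPTED for ASA-SSP-Pri, which is the same conclusion the capture on its inside interface later confirms: the pings arrive and are decrypted, but nothing comes back to be encrypted.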

Beginner

If the SA is not up, that means the tunnel is not properly established; something is failing in the Phase 2 negotiation. Check the interesting traffic, make sure it matches on both sides, and also check the transform-set proposals.

Participant

ASA-ARR#

access-list External_cryptomap extended permit ip object Rede_10.12.20.0 object LAN_SPO (This last object is 10.69.0.0/24).

crypto map External_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

ASA-SSP-Pri#

access-list Lan1_cryptomap_2 extended permit ip 10.69.0.0 255.255.255.0 object Vlan_1020_Datacenter (10.12.20.0/24)

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Lan1_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
crypto map Lan1_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

It is the same; ASA-SSP-Pri has three transform-set entries because I have another VPN, but it is not active yet.

Beginner

Can you set a capture on the inside interface (or whatever interface 10.69.0.0/24 resides on) of ASA "ASA-SSP-Pri":

capture capin interface inside match ip 10.69.0.0 255.255.255.0 10.12.20.0 255.255.255.0

Send some traffic over the tunnel and do a "show capture capin".

This is to verify that the traffic is coming back to the ASA, because I don't see any encaps on the tunnel on the "ASA-SSP-Pri" side. If you do see the reply traffic from 10.69.0.0 to 10.12.20.0 on the inside interface, check the other tunnels' interesting traffic; you might have overlapping networks.

Participant

ASA-SSP-Pri# show capture capin

0 packet captured

0 packet shown

I'm trying to ping from one ASA to the other, because both ASAs are not in production yet; for this reason, there is no machine behind the firewall to send traffic.

Beginner

If you are pinging from inside to inside, make sure that you have management access enabled on the interface so the ASA can reply to the traffic:

"management-access inside"

Can you also run the following packet-tracer on ASA "ASA-SSP-Pri":

packet-tracer input inside icmp 10.69.0.5 8 0 10.12.20.8 detailed

Participant

ASA-ARR# packet-tracer input internal icmp 10.12.20.1 8 0 10.69.0.1 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8bec30, priority=1, domain=permit, deny=false
hits=2764452, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Internal, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 200.174.36.1, External

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface External
Untranslate 10.69.0.1/0 to 10.69.0.1/0

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5d8c3130, priority=500, domain=permit, deny=true
hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.12.20.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Result:
input-interface: Internal
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

There is a rule allowing the traffic, but for some reason the log shows:

%ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
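
To pull the failing phase and the drop reason out of a trace like the one above without reading all of it, here is an added example (not code from the thread) that splits a "packet-tracer ... detailed" dump into its phases and reports the first DROP. SAMPLE_TRACE is an abridged, constructed copy of the trace above; OWN_IPS (interface name to address) is an assumed input, used only to flag a source address that belongs to one of the ASA's own interfaces, which is the situation that produces the implicit-rule acl-drop and the spoof log seen here.

```python
"""Locate the dropping phase in ASA 'packet-tracer ... detailed' output.

Added example for this thread, not something posted in it. SAMPLE_TRACE is an
abridged, constructed version of the trace above; OWN_IPS is an assumed input.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    detail: list[str] = field(default_factory=list)  # Config / Additional Information lines


def parse_phases(trace: str) -> list[Phase]:
    """Split the dump into numbered phases; the trailing 'Result:' summary is not a phase."""
    phases: list[Phase] = []
    cur: Phase | None = None
    for raw in trace.splitlines():
        line = raw.strip()
        if line == "Result:":                  # start of the final summary block
            cur = None
        elif line.startswith("Phase:"):
            cur = Phase(int(line.split(":", 1)[1]))
            phases.append(cur)
        elif cur is not None and line:
            for key, attr in (("Type:", "ptype"), ("Subtype:", "subtype"), ("Result:", "result")):
                if line.startswith(key):
                    setattr(cur, attr, line[len(key):].strip())
                    break
            else:
                cur.detail.append(line)
    return phases


def first_drop(phases: list[Phase]) -> Phase | None:
    return next((p for p in phases if p.result.upper() == "DROP"), None)


_DROP_RE = re.compile(r"Drop-reason:\s*\(([^)]+)\)\s*(.*)")
_ACTION_RE = re.compile(r"^\s*Action:\s*(\w+)", re.M)
_HOST_SRC_RE = re.compile(r"src ip/id=(\d+(?:\.\d+){3}), mask=255\.255\.255\.255")


def drop_reason(trace: str) -> tuple[str, str] | None:
    m = _DROP_RE.search(trace)
    return (m.group(1), m.group(2).strip()) if m else None


def explain(trace: str, own_ips: dict[str, str]) -> dict:
    """Summarise the trace; flag an implicit-rule ACL drop whose /32 source is an own interface IP."""
    phases = parse_phases(trace)
    drop = first_drop(phases)
    action = _ACTION_RE.search(trace)
    info = {"action": action.group(1).lower() if action else None, "phases": len(phases),
            "drop_phase": drop.number if drop else None, "drop_type": drop.ptype if drop else None,
            "drop_reason": drop_reason(trace), "hint": None}
    if drop and drop.ptype == "ACCESS-LIST" and "Implicit Rule" in drop.detail:
        srcs = {m.group(1) for line in drop.detail for m in [_HOST_SRC_RE.search(line)] if m}
        for ifname, addr in own_ips.items():
            if addr in srcs:
                info["hint"] = (f"source {addr} is the address of interface {ifname}; "
                                "rerun with a host address behind that interface")
    return info


# Constructed, abridged copy of the trace posted above.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5d8c3130, priority=500, domain=permit, deny=true
src ip/id=10.12.20.1, mask=255.255.255.255, port=0, tag=0
input_ifc=Internal, output_ifc=any

Result:
input-interface: Internal
output-interface: External
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
OWN_IPS = {"Internal": "10.12.20.1"}   # assumed: the next reply says the source used was the interface IP

if __name__ == "__main__":
    for key, value in explain(SAMPLE_TRACE, OWN_IPS).items():
        print(f"{key}: {value}")
```

On the sample this reports the drop at phase 4 (ACCESS-LIST, acl-drop) and, because 10.12.20.1 is listed in OWN_IPS, the hint to use a different source address, which is exactly the advice given in the next reply.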

Beginner

Don't use the IP assigned to the interface in the packet-tracer; use a different one, otherwise we will see this acl-drop.

Try with .5 or something different as the source IP.

Thanks

Participant

Sorry, here is the result:

ASA-ARR# packet-tracer input internal icmp 10.12.20.5 8 0 10.69.0.1 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 200.174.36.1, External

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface External
Untranslate 10.69.0.1/0 to 10.69.0.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group GLOBAL-IN global
access-list GLOBAL-IN extended permit ip object-group Redes_Servidores any log
access-list GLOBAL-IN remark CSM_SECTION_END_Liberacao IP e Portas Exchange 1
access-list GLOBAL-IN remark CSM_SECTION_START_Regra Conexao ADP
object-group network Redes_Servidores
network-object object Rede_10.0.10.0
network-object object Rede_10.12.20.0
network-object object Rede_10.70.60.0
network-object object Rede_10.12.19.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5ecce490, priority=12, domain=permit, deny=false
hits=25, user_data=0x7ffe55b0d000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
Static translate 10.12.20.5/0 to 10.12.20.5/0
Forward Flow based lookup yields rule:
in id=0x7ffe510ad610, priority=6, domain=nat, deny=false
hits=0, user_data=0x7ffe5f8e13c0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=External

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5dbc8a40, priority=0, domain=nat-per-session, deny=true
hits=69, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c7010, priority=0, domain=inspect-ip-options, deny=true
hits=14, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f768bb0, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0x7ffe5f766e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c68a0, priority=66, domain=inspect-icmp-error, deny=false
hits=7, user_data=0x7ffe5e8c5e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe935ff760, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0x7ffe5f972cf0, reverse, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=External

Result:
input-interface: Internal
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-SSP-Pri# sh capture
capture capin type raw-data interface Internal [Capturing - 232 bytes]
match ip 10.69.0.0 255.255.255.0 10.12.20.0 255.255.255.0

Beginner

I think the tunnel was down; run it again.

Can you send the following command from both ASAs:

sh run management-access

Participant

Here is the result:

ASA-ARR# packet-tracer input internal icmp 10.12.20.5 8 0 10.69.0.1 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 200.174.36.1, External

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface External
Untranslate 10.69.0.1/0 to 10.69.0.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group GLOBAL-IN global
access-list GLOBAL-IN extended permit ip object-group Redes_Servidores any log
access-list GLOBAL-IN remark CSM_SECTION_END_Liberacao IP e Portas Exchange 1
access-list GLOBAL-IN remark CSM_SECTION_START_Regra Conexao ADP
object-group network Redes_Servidores
network-object object Rede_10.0.10.0
network-object object Rede_10.12.20.0
network-object object Rede_10.70.60.0
network-object object Rede_10.12.19.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5ecce490, priority=12, domain=permit, deny=false
hits=31, user_data=0x7ffe55b0d000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
Static translate 10.12.20.5/0 to 10.12.20.5/0
Forward Flow based lookup yields rule:
in id=0x7ffe510ad610, priority=6, domain=nat, deny=false
hits=1, user_data=0x7ffe5f8e13c0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=External

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5dbc8a40, priority=0, domain=nat-per-session, deny=true
hits=73, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c7010, priority=0, domain=inspect-ip-options, deny=true
hits=15, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f768bb0, priority=70, domain=inspect-icmp, deny=false
hits=2, user_data=0x7ffe5f766e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c68a0, priority=66, domain=inspect-icmp-error, deny=false
hits=8, user_data=0x7ffe5e8c5e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe5eaafe50, priority=70, domain=encrypt, deny=false
hits=6, user_data=0xb87c, cs_id=0x7ffe5f972cf0, reverse, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=External

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe5f970df0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7ffe5f8e14d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=External

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5d8ecec0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=6, user_data=0xd5b4, cs_id=0x7ffe5f972cf0, reverse, flags=0x0, protocol=0
src ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=External, output_ifc=any

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5dbc8a40, priority=0, domain=nat-per-session, deny=true
hits=75, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5e844bc0, priority=0, domain=inspect-ip-options, deny=true
hits=553, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=External, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 480, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Internal
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: allow

ASA-ARR# sh run management-access
management-access Internal

!

ASA-SSP-Pri# sh run management-access
management-access Internal

Beginner

Also "show run icmp".

Participant

Here it is:

ASA-ARR# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Internal
icmp permit any Lan1
icmp permit any Lan2

!

ASA-SSP-Pri# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Internal
icmp permit any Lan1
icmp permit any Lan3