02-03-2016 04:18 AM
Dear friends,
I made a site-to-site VPN using two ASA 5555s (one in each site) running Software Version 9.2(4).
The VPN is UP, as shown below:
ASA-SSP-Pri(config)# sh isak sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
268373031 201.23.100.130/500 200.174.36.19/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/272 sec
Child sa: local selector 10.69.0.0/0 - 10.69.0.255/65535
remote selector 10.12.20.0/0 - 10.12.20.255/65535
ESP spi in/out: 0xf89430e6/0x86a5cd8f
But when I try to ping from one site to the other, it is not possible; the result of the ping is "????".
I did some research on this problem, and many people say that the crypto isakmp nat-traversal 20 command is missing, but this command is already enabled.
NAT exemption is enabled, and I tested with it disabled as well.
02-03-2016 09:58 AM
Hello,
The last thing I can think of is that there is a duplicate SPI in the ASP table, and that is why the traffic is not encrypted; everything else looks correct. Run the following command on the ASA:
clear crypto ipsec sa inactive
Then test again.
02-03-2016 04:42 AM
Hello,
Can you add the output of the command "show crypto ipsec sa" from both sides?
Regards,
02-03-2016 05:08 AM
Diego,
Here is the result:
ASA-ARR# show crypto ipsec sa
interface: External
Crypto map tag: External_map, seq num: 1, local addr: 200.174.36.19
access-list External_cryptomap extended permit ip 10.12.20.0 255.255.255.0 10.69.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.12.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.69.0.0/255.255.255.0/0/0)
current_peer: 201.23.100.130
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.174.36.19/500, remote crypto endpt.: 201.23.100.130/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 3AD05183
current inbound spi : 79F03853
inbound esp sas:
spi: 0x79F03853 (2045786195)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 12288, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4147200/28778)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x3AD05183 (986730883)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 12288, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4285439/28778)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA-SSP-Pri# show crypto ipsec sa
interface: Lan1
Crypto map tag: Lan1_map, seq num: 1, local addr: 201.23.100.130
access-list Lan1_cryptomap_2 extended permit ip 10.69.0.0 255.255.255.0 10.12.20.0 255.255.255.0
local ident (addr/mask/prot/port): (10.69.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.12.20.0/255.255.255.0/0/0)
current_peer: 200.174.36.19
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 201.23.100.130/500, remote crypto endpt.: 200.174.36.19/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 79F03853
current inbound spi : 3AD05183
inbound esp sas:
spi: 0x3AD05183 (986730883)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 40153088, crypto-map: Lan1_map
sa timing: remaining key lifetime (kB/sec): (4101119/28730)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x79F03853 (2045786195)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 40153088, crypto-map: Lan1_map
sa timing: remaining key lifetime (kB/sec): (4055040/28730)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
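The two "show crypto ipsec sa" outputs above already contain the diagnosis if you line them up: ASA-ARR encapsulates 4 packets and decapsulates none, ASA-SSP-Pri decapsulates those 4 and encapsulates nothing back, while the SPIs and selectors mirror each other correctly. Here is an added example (not from the thread, and not Cisco tooling) that parses the counters, selectors and SPIs out of each side's output and cross-checks them, so the asymmetry is reported rather than eyeballed. The sample strings are the outputs posted above trimmed to the lines the parser reads; the device names, finding codes and hint wording are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class IpsecSa:
    """Fields from one crypto-map entry of 'show crypto ipsec sa' (ASA 9.x layout)."""
    device: str
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    outbound_spi: str = ""
    inbound_spi: str = ""


# Patterns follow the line layout shown in the thread; only the first entry is read.
_FIELDS = {
    "local_ident": r"local ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "peer": r"current_peer: (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "outbound_spi": r"current outbound spi: ([0-9A-Fa-f]+)",
    "inbound_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)",
}


def parse_ipsec_sa(device: str, text: str) -> IpsecSa:
    """Pull the triage fields out of one device's output; raises if a field is absent."""
    sa = IpsecSa(device=device)
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"{device}: '{name}' not found in output")
        value = m.group(1)
        if name in ("encaps", "decaps"):
            setattr(sa, name, int(value))
        else:
            setattr(sa, name, value.upper() if name.endswith("_spi") else value)
    return sa


def triage(a: IpsecSa, b: IpsecSa) -> List[Tuple[str, str]]:
    """Cross-check the two peers' views of the same child SA; returns (code, message) findings."""
    findings = []
    # Selectors must mirror each other: A's local is B's remote and vice versa.
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        findings.append(("SELECTOR_MISMATCH",
                         f"{a.device} {a.local_ident}->{a.remote_ident} vs "
                         f"{b.device} {b.local_ident}->{b.remote_ident}"))
    # A's outbound SPI is B's inbound SPI; otherwise the peers hold different SAs.
    if a.outbound_spi != b.inbound_spi or b.outbound_spi != a.inbound_spi:
        findings.append(("SPI_MISMATCH",
                         f"{a.device} out/in {a.outbound_spi}/{a.inbound_spi}, "
                         f"{b.device} out/in {b.outbound_spi}/{b.inbound_spi}"))
    for tx, rx in ((a, b), (b, a)):
        if tx.encaps > 0 and rx.decaps == 0:
            findings.append(("NOT_RECEIVED",
                             f"{tx.device} encapsulated {tx.encaps} pkts but {rx.device} "
                             "decapsulated none: ESP is not arriving or matches no SA"))
        if rx.decaps > 0 and rx.encaps == 0:
            findings.append(("NO_REPLY",
                             f"{rx.device} decapsulated {rx.decaps} pkts but encapsulated none: "
                             "the reply never entered its crypto path (ACL, NAT exemption, "
                             "routing, or management-access when the ASA itself is pinged)"))
    return findings or [("OK", "selectors, SPIs and counters are symmetric")]


# Constructed sample input: the outputs posted above, trimmed to the lines parsed here.
ARR_OUTPUT = """\
interface: External
Crypto map tag: External_map, seq num: 1, local addr: 200.174.36.19
local ident (addr/mask/prot/port): (10.12.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.69.0.0/255.255.255.0/0/0)
current_peer: 201.23.100.130
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 3AD05183
current inbound spi : 79F03853
"""

SSP_OUTPUT = """\
interface: Lan1
Crypto map tag: Lan1_map, seq num: 1, local addr: 201.23.100.130
local ident (addr/mask/prot/port): (10.69.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.12.20.0/255.255.255.0/0/0)
current_peer: 200.174.36.19
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
current outbound spi: 79F03853
current inbound spi : 3AD05183
"""

if __name__ == "__main__":
    arr = parse_ipsec_sa("ASA-ARR", ARR_OUTPUT)
    ssp = parse_ipsec_sa("ASA-SSP-Pri", SSP_OUTPUT)
    for code, msg in triage(arr, ssp):
        print(f"[{code}] {msg}")
```

Run against the two outputs above it reports only NO_REPLY, which is exactly what the later capture and management-access checks in this thread were chasing. Note that "show crypto ipsec sa" prints only the SA currently in use, so the stale duplicate-SPI condition the accepted answer suspects would not necessarily appear as SPI_MISMATCH here; a clean SPI check is necessary, not sufficient.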
02-03-2016 05:15 AM
If the SA is not up, that means the tunnel is not properly established; something is failing in the Phase 2 negotiation. Check that the interesting traffic matches on both sides, and also check the transform-set proposals.
02-03-2016 05:35 AM
ASA-ARR#
access-list External_cryptomap extended permit ip object Rede_10.12.20.0 object LAN_SPO (This last object is 10.69.0.0/24).
crypto map External_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
ASA-SSP-Pri#
access-list Lan1_cryptomap_2 extended permit ip 10.69.0.0 255.255.255.0 object Vlan_1020_Datacenter (10.12.20.0/24)
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Lan1_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
!
crypto map Lan1_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
They are the same. ASA-SSP-Pri has three transform-set entries because I have another VPN, but it is not active yet.
02-03-2016 05:41 AM
Can you set a capture on the inside interface (or whatever interface 10.69.0.0/24 resides on) of ASA "ASA-SSP-Pri":
capture capin interface inside match ip 10.69.0.0 255.255.255.0 10.12.20.0 255.255.255.0
Send some traffic over the tunnel and do a "show capture capin".
This is to verify that the traffic is coming back to the ASA, because I don't see any encaps on the tunnel on the "ASA-SSP-Pri" side. If you do see the reply traffic from 10.69.0.0 to 10.12.20.0 on the inside interface, check the other tunnels' interesting traffic; you might have overlapping networks.
02-03-2016 05:51 AM
ASA-SSP-Pri# show capture capin
0 packet captured
0 packet shown
I'm trying to ping from one ASA to the other, because both ASAs are not in production yet; for this reason, there is no machine behind the firewall to send traffic.
02-03-2016 06:35 AM
If you are pinging from inside to inside, make sure that you have management access enabled on the interface so the ASA can reply to the traffic:
"management-access inside"
Can you also run the following packet-tracer on ASA "ASA-SSP-Pri":
packet-tracer input inside icmp 10.69.0.5 8 0 10.12.20.8 detailed
02-03-2016 06:52 AM
ASA-ARR# packet-tracer input internal icmp 10.12.20.1 8 0 10.69.0.1 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8bec30, priority=1, domain=permit, deny=false
hits=2764452, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Internal, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 200.174.36.1, External
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface External
Untranslate 10.69.0.1/0 to 10.69.0.1/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5d8c3130, priority=500, domain=permit, deny=true
hits=7, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.12.20.1, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Result:
input-interface: Internal
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
There is a rule allowing the traffic, but for some reason the log shows:
%ASA-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
02-03-2016 09:26 AM
Don't use the IP assigned to the interface in the packet-tracer; use a different one, otherwise we will see this acl-drop.
Try with .5 or something different as the source IP.
Thanks
02-03-2016 09:30 AM
Sorry, here is the result:
ASA-ARR# packet-tracer input internal icmp 10.12.20.5 8 0 10.69.0.1 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 200.174.36.1, External
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface External
Untranslate 10.69.0.1/0 to 10.69.0.1/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group GLOBAL-IN global
access-list GLOBAL-IN extended permit ip object-group Redes_Servidores any log
access-list GLOBAL-IN remark CSM_SECTION_END_Liberacao IP e Portas Exchange 1
access-list GLOBAL-IN remark CSM_SECTION_START_Regra Conexao ADP
object-group network Redes_Servidores
network-object object Rede_10.0.10.0
network-object object Rede_10.12.20.0
network-object object Rede_10.70.60.0
network-object object Rede_10.12.19.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5ecce490, priority=12, domain=permit, deny=false
hits=25, user_data=0x7ffe55b0d000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
Static translate 10.12.20.5/0 to 10.12.20.5/0
Forward Flow based lookup yields rule:
in id=0x7ffe510ad610, priority=6, domain=nat, deny=false
hits=0, user_data=0x7ffe5f8e13c0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=External
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5dbc8a40, priority=0, domain=nat-per-session, deny=true
hits=69, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c7010, priority=0, domain=inspect-ip-options, deny=true
hits=14, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f768bb0, priority=70, domain=inspect-icmp, deny=false
hits=1, user_data=0x7ffe5f766e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c68a0, priority=66, domain=inspect-icmp-error, deny=false
hits=7, user_data=0x7ffe5e8c5e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe935ff760, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0x7ffe5f972cf0, reverse, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=External
Result:
input-interface: Internal
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-SSP-Pri# sh capture
capture capin type raw-data interface Internal [Capturing - 232 bytes]
match ip 10.69.0.0 255.255.255.0 10.12.20.0 255.255.255.0
02-03-2016 09:43 AM
I think the tunnel was down; run it again.
Can you send the output of the following command from both ASAs?
sh run management-access
02-03-2016 09:48 AM
Here is the result:
ASA-ARR# packet-tracer input internal icmp 10.12.20.5 8 0 10.69.0.1 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 200.174.36.1, External
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface External
Untranslate 10.69.0.1/0 to 10.69.0.1/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group GLOBAL-IN global
access-list GLOBAL-IN extended permit ip object-group Redes_Servidores any log
access-list GLOBAL-IN remark CSM_SECTION_END_Liberacao IP e Portas Exchange 1
access-list GLOBAL-IN remark CSM_SECTION_START_Regra Conexao ADP
object-group network Redes_Servidores
network-object object Rede_10.0.10.0
network-object object Rede_10.12.20.0
network-object object Rede_10.70.60.0
network-object object Rede_10.12.19.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5ecce490, priority=12, domain=permit, deny=false
hits=31, user_data=0x7ffe55b0d000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
Static translate 10.12.20.5/0 to 10.12.20.5/0
Forward Flow based lookup yields rule:
in id=0x7ffe510ad610, priority=6, domain=nat, deny=false
hits=1, user_data=0x7ffe5f8e13c0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=External
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5dbc8a40, priority=0, domain=nat-per-session, deny=true
hits=73, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c7010, priority=0, domain=inspect-ip-options, deny=true
hits=15, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5f768bb0, priority=70, domain=inspect-icmp, deny=false
hits=2, user_data=0x7ffe5f766e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffe5e8c68a0, priority=66, domain=inspect-icmp-error, deny=false
hits=8, user_data=0x7ffe5e8c5e00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe5eaafe50, priority=70, domain=encrypt, deny=false
hits=6, user_data=0xb87c, cs_id=0x7ffe5f972cf0, reverse, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=External
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Internal,External) source static Rede_10.12.20.0 Rede_10.12.20.0 destination static LAN_SPO LAN_SPO no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffe5f970df0, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7ffe5f8e14d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Internal, output_ifc=External
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5d8ecec0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=6, user_data=0xd5b4, cs_id=0x7ffe5f972cf0, reverse, flags=0x0, protocol=0
src ip/id=10.69.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.12.20.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=External, output_ifc=any
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5dbc8a40, priority=0, domain=nat-per-session, deny=true
hits=75, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffe5e844bc0, priority=0, domain=inspect-ip-options, deny=true
hits=553, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=External, output_ifc=any
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 480, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Internal
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: allow
ASA-ARR# sh run management-access
management-access Internal
!
ASA-SSP-Pri# sh run management-access
management-access Internal
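The three packet-tracer runs in this thread differ only in which phase fails: ACCESS-LIST (phase 4) when the source was the interface's own address, VPN/encrypt (phase 9) when the SA happened to be down, and no failing phase on the rerun. Here is an added example (not from the thread, and not Cisco tooling) that reduces a transcript to its phases, final action and drop reason, and maps the failing phase to the next check the thread arrived at. The sample transcripts are the runs above trimmed to the lines the parser reads; the function names and hint wording are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type_: str
    subtype: str
    result: str


@dataclass
class TraceSummary:
    phases: List[Phase]
    action: str
    drop_reason: str
    first_drop: Optional[Phase]


# One phase header as the ASA prints it: four consecutive lines.
_PHASE_RE = re.compile(
    r"^Phase: (\d+)\nType: ([^\n]*)\nSubtype:[ \t]*([^\n]*)\nResult: (\w+)", re.M)


def parse_packet_tracer(text: str) -> TraceSummary:
    """Reduce a packet-tracer transcript to its phases, final action and drop reason."""
    phases = [Phase(int(n), t.strip(), s.strip(), r)
              for n, t, s, r in _PHASE_RE.findall(text)]
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return TraceSummary(
        phases=phases,
        action=action.group(1) if action else "",
        drop_reason=reason.group(1).strip() if reason else "",
        first_drop=next((p for p in phases if p.result == "DROP"), None))


def explain(s: TraceSummary) -> str:
    """Map the failing phase to the next check, using the readings given in the thread."""
    if s.action == "allow":
        return "allowed end to end on this box; look at the return path or the peer"
    p = s.first_drop
    if p is None:
        return f"dropped without a failing phase: {s.drop_reason}"
    if p.type_ == "ACCESS-LIST":
        return ("ACCESS-LIST drop: check the access-group on the ingress interface; a source "
                "equal to the ASA's own interface address fails here too (logged as "
                "%ASA-2-106016 spoof), so trace with a host address such as .5")
    if p.type_ == "VPN" and p.subtype == "encrypt":
        return ("VPN/encrypt drop: the flow matched the crypto ACL but no usable IPsec SA "
                "existed at that moment; check 'show crypto ipsec sa' and rerun")
    return f"drop in phase {p.number} ({p.type_}/{p.subtype}): {s.drop_reason}"


# Constructed samples: the three runs posted above, trimmed to the lines parsed here.
TRACE_IFACE_SRC = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_SA_DOWN = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_OK = """\
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Action: allow
"""

if __name__ == "__main__":
    for name, trace in (("interface-IP source", TRACE_IFACE_SRC),
                        ("SA down", TRACE_SA_DOWN), ("rerun", TRACE_OK)):
        s = parse_packet_tracer(trace)
        print(f"{name}: action={s.action} first_drop={s.first_drop} -> {explain(s)}")
```

The point worth keeping from the thread is that "(acl-drop) Flow is denied by configured rule" is the same drop reason for two unrelated failures, so the phase in which the DROP occurs is what carries the information, not the reason string.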
02-03-2016 09:44 AM
also show run icmp
02-03-2016 09:49 AM
Here it is:
ASA-ARR# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Internal
icmp permit any Lan1
icmp permit any Lan2
!
ASA-SSP-Pri# sh run icmp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Internal
icmp permit any Lan1
icmp permit any Lan3