01-11-2016 09:26 AM
I have a VPN tunnel that's coming up ok, capture shows the traffic hitting the inside interface, but nothing is getting to the next hop. When I do a packet trace the traffic fails:
QUI-GHP-VFW-001-2# pac input outside raw 172.17.60.134 1 8.39.192.13 de
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f98e196d260, priority=13, domain=capture, deny=false
hits=1704160305, user_data=0x7f98c5ba4370, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f98e12a02e0, priority=1, domain=permit, deny=false
hits=4203714125, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (MOB-INSIDE,outside) source static VMCS_VS_EXIM_SMTP OBJ-8.39.192.13 destination static COX_East-NETWORK COX_East-NETWORK
Additional Information:
NAT divert to egress interface MOB-INSIDE
Untranslate 8.39.192.13/0 to 10.53.24.65/0
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f98e1dd6200, priority=11, domain=permit, deny=true
hits=9059, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MOB-INSIDE
output-status: up
output-line-status: up
Action: drop
I assume phase 2 is the ACL defining the interesting traffic, but I have no idea what ACL phase 4 is referring to. Can anyone help with this?
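As an added example, not part of the original post, the following script parses ASA packet-tracer output in the format shown above and reports the first phase whose Result is DROP, together with the Config lines and the priority/deny fields of the rule that matched. The embedded SAMPLE is a trimmed copy of the trace from the post; the function and dictionary key names are my own.

```python
import re

# Trimmed copy of the packet-tracer output from the post above (phases 3 and 4 plus the summary).
SAMPLE = """\
Phase: 3
Type: UN-NAT
Result: ALLOW
Config:
nat (MOB-INSIDE,outside) source static VMCS_VS_EXIM_SMTP OBJ-8.39.192.13 destination static COX_East-NETWORK COX_East-NETWORK
Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x7f98e1dd6200, priority=11, domain=permit, deny=true
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
Result:
Action: drop
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per phase; the trailing summary block is ignored."""
    phases, cur, section = [], None, None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Phase":
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif key == "Result" and not val.strip():   # bare "Result:" opens the final summary block
            cur = None
        elif cur is None:
            continue
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val.strip()
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section:                                # free-form lines belong to the open section
            cur[section].append(line.strip())
    return phases

def first_drop(phases):
    """Return the first DROP phase plus the matched rule's key=value fields, or None if nothing dropped."""
    for p in phases:
        if p["result"] == "DROP":
            rule = next((l for l in p["info"] if l.startswith("in id=")), "")
            fields = dict(kv.split("=", 1) for kv in rule.split(", ") if "=" in kv)
            return {"phase": p["phase"], "type": p["type"], "config": p["config"],
                    "priority": fields.get("priority"), "deny": fields.get("deny")}
    return None

if __name__ == "__main__":
    print(first_drop(parse_phases(SAMPLE)))
```

Run on the full trace, it prints the dropping phase with `config` set to `['Implicit Rule']` and `deny` set to `'true'`, which is the detail to compare against the interface ACL and the VPN filter when troubleshooting.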
01-11-2016 11:38 AM
Please use the following link -
https://supportforums.cisco.com/discussion/12746306/vpn-traffic-flow-through-asa
Jon