Blocked traffic flow

Unanswered Question

I get the same results pinging in either direction through the VPN tunnel (the tunnel is working fine); below is a trace, and the config is included.

HO1ASA02# packet-trace input inside icmp 10.1.6.121 3 1 10.60.50.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.240.0 Inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object-group IT_DEPT any
object-group network IT_DEPT
description: IT IP Address Group 10.1.6.0/24
network-object 10.1.6.0 255.255.255.0
network-object host 10.1.7.166
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 access-list nat0
nat-control
match ip Inside any Outside 10.60.50.0 255.255.255.0
NAT exempt
translate_hits = 6, untranslate_hits = 200
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
dynamic translation to pool 1 (*.*.*.70)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
dynamic translation to pool 1 (63.85.131.70)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

brettmilborrow Thu, 03/06/2008 - 08:30

Your routing is not configured correctly:

Result:

input-interface: Inside

output-interface: Inside

Check that you have reverse-route configured on your crypto map entry, or manually add the routes to your firewall.
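To apply the reply's check without eyeballing the whole trace, here is a small parser for packet-tracer output that pulls out the ROUTE-LOOKUP entries and the final Result block and flags the condition the reply points at: egress interface equal to ingress. This is an added example, not code from the thread or from Cisco; the embedded trace is a constructed excerpt of the output quoted in the question, and the function names are my own.

```python
import ipaddress

SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ROUTE-LOOKUP
in 10.1.0.0 255.255.240.0 Inside

Result:
input-interface: Inside
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""  # constructed excerpt of the trace in the question, not a live capture

def parse_trace(text):
    """Split packet-tracer output into a list of per-phase dicts and the final Result block."""
    phases, result, current = [], {}, {}      # lines before the first Phase: land in a scratch dict
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "routes": []}
            phases.append(current)
        elif line == "Result:":               # final verdict block, not a per-phase "Result: ALLOW"
            current = result
        elif line.startswith("in ") and "routes" in current:   # route entry: in <net> <mask> <iface>
            current["routes"].append(tuple(line.split()[1:4]))
        elif ":" in line:                     # "Type: X", "Action: drop", "Drop-reason: ..."
            key, value = line.split(":", 1)
            if value.strip():                 # skip bare headers such as "Config:"
                current[key.strip().lower()] = value.strip()
    return phases, result

def diagnose(phases, result, dest):
    """Apply the reply's reasoning: a drop whose egress equals its ingress is a routing gap, not an ACL hit."""
    dst = ipaddress.ip_address(dest)
    covering = [f"{net}/{mask} via {iface}" for p in phases if p.get("type") == "ROUTE-LOOKUP"
                for net, mask, iface in p["routes"]
                if dst in ipaddress.ip_network(f"{net}/{mask}", strict=False)]
    in_if = result.get("input-interface")
    return {
        "dropped": result.get("action") == "drop",
        "drop_reason": result.get("drop-reason"),
        "hairpin": in_if is not None and in_if == result.get("output-interface"),
        "covering_routes": covering,
        "only_default_route": bool(covering) and all(c.startswith("0.0.0.0/0.0.0.0") for c in covering),
    }
```

For the trace above, `diagnose(*parse_trace(SAMPLE_TRACE), "10.60.50.1")` reports the drop, the Inside-to-Inside hairpin, and that only the default route covers the far-side host, which is the cue to verify reverse-route injection or add a static route.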
