Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
3
Replies

egress rule applied BEFORE traffic is encrypted?

slug420
Level 1
Level 1

‎08-14-2008 01:22 PM - edited ‎03-11-2019 06:31 AM

ASA5505-ROFL-(config)# packet-tracer input ROFLside icmp 172.17.171.2 8$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 VPNside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group ROFL_allow in interface ROFLside

access-list ROFL_allow extended permit icmp 172.17.171.0 255.255.255.0 10.123.0.0 255.255.0.0

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255

match ip ROFLside host 172.17.171.2 VPNside any

static translation to 172.17.171.2

translate_hits = 1339, untranslate_hits = 728

Additional Information:

Static translate 172.17.171.2/0 to 172.17.171.2/0 using netmask 255.255.255.255

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255

match ip ROFLside host 172.17.171.2 VPNside any

static translation to 172.17.171.2

translate_hits = 1339, untranslate_hits = 728

Additional Information:

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: ACCESS-LIST

Subtype: log

Result: DROP

Config:

access-group VPN_deny out interface VPNside

access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any

Additional Information:

Result:

input-interface: ROFLside

input-status: up

input-line-status: up

output-interface: VPNside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Shouldnt my 172.17.171.0 traffic be encrypted inside an ipsec packet with the VPNside ip address (172.17.168.0) in its headers, thus allowing it to get past my egress rule (VPN_deny)?????

Labels:
0 Helpful
3 Replies 3

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-16-2008 11:11 PM

No the ASA still checks the VPN interesting traffic even at the outbound/egress interface. You will find that packets will be decrypted but not encrypted with this setup.

Regards

Farrukh

0 Helpful

slug420
Level 1
Level 1
In response to Farrukh Haroon

‎08-17-2008 09:47 AM

Why does it show phase 8 as encrypting traffic? Does the firewall decrypt the traffic to pass the egress ACL and then re-encrypt?

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to slug420

‎08-17-2008 11:54 AM

Try to run a packet-tracer after allowing the traffic in the ACL, maybe there is another step after the ACL check for encryption (besides step 8 which is not so clear).

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card