08-14-2008 01:22 PM - edited 03-11-2019 06:31 AM
ASA5505-ROFL-(config)# packet-tracer input ROFLside icmp 172.17.171.2 8$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 VPNside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ROFL_allow in interface ROFLside
access-list ROFL_allow extended permit icmp 172.17.171.0 255.255.255.0 10.123.0.0 255.255.0.0
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255
match ip ROFLside host 172.17.171.2 VPNside any
static translation to 172.17.171.2
translate_hits = 1339, untranslate_hits = 728
Additional Information:
Static translate 172.17.171.2/0 to 172.17.171.2/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255
match ip ROFLside host 172.17.171.2 VPNside any
static translation to 172.17.171.2
translate_hits = 1339, untranslate_hits = 728
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group VPN_deny out interface VPNside
access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any
Additional Information:
Result:
input-interface: ROFLside
input-status: up
input-line-status: up
output-interface: VPNside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Shouldn't my 172.17.171.0 traffic be encrypted inside an IPsec packet with the VPNside IP address (172.17.168.0) in its headers, thus allowing it to get past my egress rule (VPN_deny)?
08-16-2008 11:11 PM
No, the ASA still checks the VPN interesting traffic even at the outbound/egress interface. You will find that packets will be decrypted but not encrypted with this setup.
Regards
Farrukh
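Farrukh's point above (the egress ACL on VPNside is evaluated against the interesting traffic's own addresses, so phase 10 denies the 172.17.171.0/24 source even though phase 8 already shows "encrypt") is easiest to confirm by reading the trace mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Cisco: it parses packet-tracer output into phases, reports the phase that dropped the packet, extracts the ACL name and direction from that phase's Config block, and flags the pattern seen here (an outbound ACCESS-LIST drop after a VPN/encrypt phase). The trace embedded in it is a constructed, abridged copy of the one posted above so the script runs offline.

```python
"""Parse Cisco ASA packet-tracer output and explain which phase dropped the packet.

Added example for this thread; the trace below is an abridged copy of the posted one
(phases 1-3 and 8-10 plus the final Result block), constructed so the script runs offline.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 VPNside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ROFL_allow in interface ROFLside
access-list ROFL_allow extended permit icmp 172.17.171.0 255.255.255.0 10.123.0.0 255.255.0.0
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group VPN_deny out interface VPNside
access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any
Additional Information:
Result:
input-interface: ROFLside
input-status: up
input-line-status: up
output-interface: VPNside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Header keys that packet-tracer prints inside each phase; anything else is body text.
PHASE_KEYS = {"Type", "Subtype", "Result", "Config", "Additional Information"}


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    phases: list
    verdict: dict  # key/value pairs of the final "Result:" block (Action, Drop-reason, ...)


def parse_packet_tracer(text):
    """Split packet-tracer output into Phase objects plus the final verdict block."""
    phases, verdict = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            current = Phase(number=int(value))
            phases.append(current)
            section = None
        elif key == "Result" and value == "":
            current = None  # a bare "Result:" opens the final summary block
        elif current is not None:
            if key in PHASE_KEYS:
                if key == "Type":
                    current.type = value
                elif key == "Subtype":
                    current.subtype = value
                elif key == "Result":
                    current.result = value
                elif key == "Config":
                    section = current.config
                else:
                    section = current.info
            elif section is not None:
                section.append(line)
        else:
            verdict[key] = value
    return Trace(phases, verdict)


def drop_phase(trace):
    """Return the first phase whose Result is DROP, or None if the packet was allowed."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def acl_name(phase):
    """Return (acl, direction, interface) from an 'access-group NAME in|out interface IF' line."""
    for line in phase.config:
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def egress_acl_drop_after_encrypt(trace):
    """True when an outbound ACCESS-LIST DROP follows a VPN/encrypt phase: the situation in
    this thread, where the egress ACL still matched the inner (cleartext) addresses."""
    saw_encrypt = False
    for p in trace.phases:
        if p.type == "VPN" and p.subtype == "encrypt":
            saw_encrypt = True
        if saw_encrypt and p.type == "ACCESS-LIST" and p.result == "DROP":
            info = acl_name(p)
            return info is not None and info[1] == "out"
    return False


if __name__ == "__main__":
    trace = parse_packet_tracer(SAMPLE_TRACE)
    p = drop_phase(trace)
    if p is None:
        print("packet allowed")
    else:
        print(f"dropped in phase {p.number} ({p.type}/{p.subtype}): {trace.verdict.get('Drop-reason')}")
        name = acl_name(p)
        if name:
            print(f"  ACL {name[0]} applied {name[1]} on interface {name[2]}")
        if egress_acl_drop_after_encrypt(trace):
            print("  egress ACL matched the pre-encryption addresses; permit them in that ACL")
```

Run it against a real `packet-tracer ... detailed` capture by replacing SAMPLE_TRACE with the pasted text; the phase numbering varies between ASA releases, so the functions key on Type/Subtype/Result rather than on phase numbers.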
08-17-2008 09:47 AM
Why does it show phase 8 as encrypting traffic? Does the firewall decrypt the traffic to pass the egress ACL and then re-encrypt?
08-17-2008 11:54 AM
Try to run a packet-tracer after allowing the traffic in the ACL; maybe there is another step after the ACL check for encryption (besides step 8, which is not so clear).
Regards
Farrukh