DAYASA# packet-tracer input DMZ1 udp 192.168.0.25 1025 192.168.200.21 53 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
  match ip Inside 192.168.200.0 255.255.248.0 DMZ1 any
    static translation to 192.168.200.0
    translate_hits = 8574, untranslate_hits = 18355
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.200.0/0 to 192.168.200.0/0 using netmask 255.255.248.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz1 in interface DMZ1
access-list dmz1 extended permit udp 192.168.0.0 255.255.0.0 host 192.168.200.21 eq domain
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd56a47a0, priority=12, domain=permit, deny=false
     hits=0, user_data=0xd5dfe3f0, cs_id=0x0, flags=0x0, protocol=17
     src ip=192.168.0.0, mask=255.255.0.0, port=0
     dst ip=192.168.200.21, mask=255.255.255.255, port=53

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd55ef9c0, priority=0, domain=permit-ip-option, deny=true
     hits=88313, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip=0.0.0.0, mask=0.0.0.0, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd5c5c2c8, priority=70, domain=inspect-dns-np, deny=false
     hits=1526, user_data=0xd5c5b8e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=17
     src ip=0.0.0.0, mask=0.0.0.0, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=53

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ1,Outside) 65.118.6.150 192.168.0.25 netmask 255.255.255.255
  match ip DMZ1 host 192.168.0.25 Outside any
    static translation to 65.118.6.150
    translate_hits = 837, untranslate_hits = 1001
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xd56a4f48, priority=5, domain=host, deny=false
     hits=20758, user_data=0xd56a4038, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip=192.168.0.25, mask=255.255.255.255, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
  match ip Inside 192.168.200.0 255.255.248.0 DMZ1 any
    static translation to 192.168.200.0
    translate_hits = 8574, untranslate_hits = 18355
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xd56ae288, priority=5, domain=nat-reverse, deny=false
     hits=18053, user_data=0xd56ac010, cs_id=0x0, flags=0x0, protocol=0
     src ip=0.0.0.0, mask=0.0.0.0, port=0
     dst ip=192.168.200.0, mask=255.255.248.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,DMZ1) 192.168.200.0 192.168.200.0 netmask 255.255.248.0
  match ip Inside 192.168.200.0 255.255.248.0 DMZ1 any
    static translation to 192.168.200.0
    translate_hits = 8574, untranslate_hits = 18356
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd56ae3b8, priority=5, domain=host, deny=false
     hits=419027, user_data=0xd56ac010, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip=192.168.200.0, mask=255.255.248.0, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xd55c2ac0, priority=0, domain=permit-ip-option, deny=true
     hits=450340, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
     src ip=0.0.0.0, mask=0.0.0.0, port=0
     dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 542517, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_dns
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_dns
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: DMZ1
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet

------------------------------------------------------

DAYASA# show run all policy-map
!
policy-map type inspect rtsp _default_rtsp_map
 description Default RTSP policymap
 parameters
policy-map type inspect h323 _default_h323_map
 description Default H.323 policymap
 parameters
  no rtp-conformance
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect esmtp _default_esmtp_map
 description Default ESMTP policy-map
 parameters
  mask-banner
  no mail-relay
  no special-character
  no allow-tls
 match cmd line length gt 512
  drop-connection
 match cmd RCPT count gt 100
  drop-connection
 match body line length gt 1000
  log
 match header line length gt 1000
  drop-connection
 match sender-address length gt 320
  drop-connection
 match MIME filename length gt 255
  drop-connection
 match ehlo-reply-parameter others
  mask
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect rsh
  inspect rtsp
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class class-default
policy-map type inspect sip _default_sip_map
 description Default SIP policymap
 parameters
  im
  no ip-address-privacy
  traffic-non-sip
  no rtp-conformance
policy-map type inspect dns _default_dns_map
 description Default DNS policy-map
 parameters
  no message-length maximum
  no message-length maximum server
  no message-length maximum client
  dns-guard
  protocol-enforcement
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
 description Default IPSEC-PASS-THRU policy-map
 parameters
  esp per-client-max 0 timeout 0:10:00
policy-map IDS-POLICY
 class IDS-CLASS
  ips inline fail-close
 class class-default
!
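As an added example (not part of the post above), a small Python parser that splits packet-tracer output into its phases and the trailing Result block and, when the trace ends in an inspect-<protocol>-* drop such as the inspect-dns-invalid-pak seen here, returns the matching "inspect <protocol> ..." line from the INSPECT phase, so the policy map to review (migrated_dns_map_1 in this trace) is identified directly. The embedded SAMPLE is a constructed excerpt of the trace above with the same line structure.

```python
import re
# Constructed excerpt of the packet-tracer output above (two of its phases and the Result block).
SAMPLE = """Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
Additional Information:

Result:
input-interface: DMZ1
Action: drop
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records and the final summary dict."""
    phases, summary = [], {}
    for block in re.split(r"\n(?=Phase: \d+\n|Result:\n)", text.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):  # trailing "Result:" block
            summary = {k: v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
            continue
        rec, in_config = {"phase": int(lines[0].split()[1]), "config": []}, False
        for ln in lines[1:]:
            key, _, val = ln.partition(":")
            if key in ("Type", "Subtype", "Result"):
                rec[key.lower()] = val.strip()
            elif key in ("Config", "Additional Information"):
                in_config = key == "Config"  # config lines sit between these two headers
            elif in_config:
                rec["config"].append(ln.strip())
        phases.append(rec)
    return phases, summary

def dropping_inspect_map(text):
    """For an inspect-<proto>-* drop, return the 'inspect <proto> ...' line from the INSPECT phase."""
    phases, summary = parse_packet_tracer(text)
    m = re.match(r"\(inspect-(\w+)-", summary.get("Drop-reason", ""))
    if summary.get("Action") != "drop" or not m:
        return None
    return next((ln for p in phases if p.get("type") == "INSPECT"
                 for ln in p["config"] if ln.startswith("inspect " + m.group(1))), None)
```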