hub-fw#packet-tracer input outside icmp 10.15.1.201 8 0 10.15.2.201 detailed Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 10.15.1.201 255.255.255.255 outside Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group aclOUT-IN in interface outside access-list aclOUT-IN extended permit ip 10.15.0.0 255.255.0.0 10.15.0.0 255.255.0.0 Additional Information: Forward Flow based lookup yields rule: in id=0xcdc3ccd8, priority=12, domain=permit, deny=false hits=14, user_data=0xcdc3cc98, cs_id=0x0, flags=0x0, protocol=0 src ip=10.15.1.0, mask=255.255.255.0, port=0 dst ip=10.15.2.0, mask=255.255.255.0, port=0, dscp=0x0 Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc9405dd8, priority=0, domain=permit-ip-option, deny=true hits=7643022, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map cmINSPECT-DFLT match default-inspection-traffic policy-map pmGLOBAL class cmINSPECT-DFLT inspect icmp service-policy pmGLOBAL global Additional Information: Forward Flow based lookup yields rule: in id=0xc8db0e00, priority=70, domain=inspect-icmp, deny=false hits=33634, user_data=0xc94befc8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 6 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xcf310498, priority=69, domain=ipsec-tunnel-flow, deny=false hits=879, user_data=0x264f04, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=10.15.1.201, mask=255.255.255.255, port=0 dst ip=10.15.0.0, mask=255.255.0.0, port=0, dscp=0x0 Phase: 7 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0xc9404c40, priority=66, domain=inspect-icmp-error, deny=false hits=36302, user_data=0xc9404b70, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 8 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0xcdba6f60, priority=70, domain=encrypt, deny=false hits=882, user_data=0x269d9c, cs_id=0xca851590, reverse, flags=0x0, protocol=0 src ip=10.15.0.0, mask=255.255.0.0, port=0 dst ip=10.15.2.201, mask=255.255.255.255, port=0, dscp=0x0 Phase: 9 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xcf22f068, priority=69, domain=ipsec-tunnel-flow, deny=false hits=882, user_data=0x26ea9c, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=10.15.2.201, mask=255.255.255.255, port=0 dst ip=10.15.0.0, mask=255.255.0.0, port=0, dscp=0x0 Phase: 10 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: in id=0xc9405dd8, priority=0, domain=permit-ip-option, deny=true hits=7643023, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0 Phase: 11 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Reverse Flow based lookup yields rule: out id=0xcf4658c8, priority=70, domain=encrypt, deny=false hits=879, user_data=0x2632a4, cs_id=0xcda55188, reverse, flags=0x0, protocol=0 src ip=10.15.0.0, mask=255.255.0.0, port=0 dst ip=10.15.1.201, mask=255.255.255.255, port=0, dscp=0x0 Result: input-interface: outside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (ipsec-spoof) IPSEC Spoof detected