Blocked traffic flow..

I get the same results pinging in either direction through the VPN tunnel (the tunnel is working fine). Below is a trace, and the config is included.

HO1ASA02# packet-trace input inside icmp 10.1.6.121 3 1 10.60.50.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.240.0 Inside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object-group IT_DEPT any
object-group network IT_DEPT
description: IT IP Address Group 10.1.6.0/24
network-object 10.1.6.0 255.255.255.0
network-object host 10.1.7.166
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (Inside) 0 access-list nat0
nat-control
match ip Inside any Outside 10.60.50.0 255.255.255.0
NAT exempt
translate_hits = 6, untranslate_hits = 200
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
dynamic translation to pool 1 (*.*.*.70)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
dynamic translation to pool 1 (63.85.131.70)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Re: Blocked traffic flow..

Your routing is not configured correctly:

Result:
input-interface: Inside
output-interface: Inside

Check that you have reverse-route configured on your crypto map entry, or manually add the routes to your firewall.

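The reply's diagnosis rests on one detail of the packet-tracer summary: the egress interface is the same as the ingress interface, so the later ACL drop is a symptom of a routing problem rather than of the access list. The following is an added example (not from the thread or from Cisco) that parses packet-tracer output of the shape shown above and flags that condition; the embedded sample trace is a constructed excerpt of the output quoted in the question.

```python
# Constructed excerpt modelled on the packet-tracer output quoted in the question
SAMPLE_TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
in 10.1.0.0 255.255.240.0 Inside
Phase: 12
Type: VPN
Result: ALLOW
Result:
input-interface: Inside
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into a list of phase dicts plus the final summary."""
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Phase" and value:                 # "Phase: N" opens a new phase block
            current = {"phase": int(value), "routes": []}
            phases.append(current)
        elif key == "Result" and not value:          # bare "Result:" opens the final summary
            current = None
        elif current is not None:
            if key in ("Type", "Subtype", "Result"):
                current[key.lower()] = value
            elif key.startswith("in ") and current.get("type") == "ROUTE-LOOKUP":
                current["routes"].append(key.split()[-1])   # interface the lookup chose
        elif key in ("input-interface", "output-interface", "Action", "Drop-reason"):
            summary[key] = value
    return phases, summary

def diagnose(phases, summary):
    """Return findings; egress == ingress points at routing, not at the ACL that drops."""
    findings = []
    if summary.get("Action") == "drop":
        findings.append("dropped: " + summary.get("Drop-reason", "unknown"))
    ingress, egress = summary.get("input-interface"), summary.get("output-interface")
    if ingress and ingress == egress:
        findings.append(f"egress interface equals ingress ({egress}): fix routing "
                        "(reverse-route injection or a static route), not the ACL")
    for p in phases:   # show which route lookup picked the offending interface
        if p.get("type") == "ROUTE-LOOKUP" and egress in p["routes"]:
            findings.append(f"phase {p['phase']} route lookup selected {egress}")
    return findings
```

Run `diagnose(*parse_trace(SAMPLE_TRACE))` to get the three findings for the trace in the question; feeding it a trace where the VPN peer's subnet resolves to the Outside interface yields only the drop line, if any.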