egress rule applied BEFORE traffic is encrypted?

ASA5505-ROFL-(config)# packet-tracer input ROFLside icmp 172.17.171.2 8$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 VPNside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ROFL_allow in interface ROFLside
access-list ROFL_allow extended permit icmp 172.17.171.0 255.255.255.0 10.123.0.0 255.255.0.0
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255
match ip ROFLside host 172.17.171.2 VPNside any
static translation to 172.17.171.2
translate_hits = 1339, untranslate_hits = 728
Additional Information:
Static translate 172.17.171.2/0 to 172.17.171.2/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (ROFLside,VPNside) 172.17.171.2 172.17.171.2 netmask 255.255.255.255
match ip ROFLside host 172.17.171.2 VPNside any
static translation to 172.17.171.2
translate_hits = 1339, untranslate_hits = 728
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group VPN_deny out interface VPNside
access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any
Additional Information:

Result:
input-interface: ROFLside
input-status: up
input-line-status: up
output-interface: VPNside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Shouldn't my 172.17.171.0 traffic be encrypted inside an IPsec packet with the VPNside IP address (172.17.168.0) in its headers, thus allowing it to get past my egress rule (VPN_deny)?

3 REPLIES

Re: egress rule applied BEFORE traffic is encrypted?

No, the ASA still checks the VPN interesting traffic even at the outbound/egress interface. You will find that packets will be decrypted but not encrypted with this setup.

Regards

Farrukh


Re: egress rule applied BEFORE traffic is encrypted?

Why does it show phase 8 as encrypting traffic? Does the firewall decrypt the traffic to pass the egress ACL and then re-encrypt?

Re: egress rule applied BEFORE traffic is encrypted?

Try to run a packet-tracer after allowing the traffic in the ACL; maybe there is another step after the ACL check for encryption (besides step 8, which is not so clear).

Regards

Farrukh
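Added example, not code from this thread or from Cisco: a small Python parser for the packet-tracer output format quoted above. It assumes the phase layout shown in the thread ("Phase: N", "Type:", "Subtype:", "Result:", "Config:", "Additional Information:", then a bare "Result:" block with the verdict) and runs on a sample trimmed from the poster's own output. It reports which phase dropped the flow, which access-group and interface did it, and whether a VPN/encrypt phase was listed before that drop, which is the situation the reply describes (the egress ACL evaluating the VPN interesting traffic on its original addresses).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's packet-tracer output, trimmed to the phases
# that matter here (inbound ACL, VPN encrypt, outbound ACL, final verdict).
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ROFL_allow in interface ROFLside
access-list ROFL_allow extended permit icmp 172.17.171.0 255.255.255.0 10.123.0.0 255.255.0.0
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group VPN_deny out interface VPNside
access-list VPN_deny extended deny ip 172.17.171.0 255.255.255.0 any
Additional Information:

Result:
output-interface: VPNside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_trace(text):
    """Split packet-tracer output into Phase records plus the final verdict dict."""
    phases, verdict, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = Phase(number=int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
        elif line == "Result:":              # bare "Result:" opens the final verdict block
            cur, section = None, "verdict"
        elif section == "verdict":
            key, _, val = line.partition(":")
            verdict[key.strip()] = val.strip()
        elif cur is None:
            continue                          # prompt/echo before the first phase
        elif line.split(":", 1)[0] in ("Type", "Subtype", "Result"):
            key, val = line.split(":", 1)    # "Subtype:" with no value is legal
            setattr(cur, key.lower(), val.strip())
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            getattr(cur, section).append(line)
    return phases, verdict


def explain_drop(text):
    """Report which phase dropped the flow and whether VPN encrypt was listed before it."""
    phases, verdict = parse_trace(text)
    report = {"action": verdict.get("Action"), "drop_reason": verdict.get("Drop-reason")}
    dropped = next((p for p in phases if p.result == "DROP"), None)
    if dropped is None:
        return report
    report.update(phase=dropped.number, type=dropped.type, acl=None, direction=None, interface=None)
    for line in dropped.config:
        m = ACCESS_GROUP_RE.match(line)
        if m:
            report["acl"], report["direction"], report["interface"] = m.groups()
    # A VPN/encrypt phase listed before an out-ACL drop means the egress ACL matched
    # the original cleartext addresses, which is what the reply in the thread describes.
    report["after_vpn_encrypt"] = any(
        p.type == "VPN" and p.subtype == "encrypt" and p.number < dropped.number for p in phases
    )
    return report


if __name__ == "__main__":
    for key, val in explain_drop(SAMPLE_TRACE).items():
        print(f"{key}: {val}")
```

On the thread's trace this reports phase 10, access-group VPN_deny, direction out, interface VPNside and after_vpn_encrypt True. Feeding it the output of repeated packet-tracer runs (for instance after adjusting the ACL, as the last reply suggests) makes it easy to confirm that the drop has moved or disappeared without reading each trace by hand.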
