ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)53
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 24 mins 53 secs
Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is 001e.7aac.3ca3, irq 11
1: Ext: Ethernet0/0 : address is 001e.7aac.3c9b, irq 255
2: Ext: Ethernet0/1 : address is 001e.7aac.3c9c, irq 255
3: Ext: Ethernet0/2 : address is 001e.7aac.3c9d, irq 255
4: Ext: Ethernet0/3 : address is 001e.7aac.3c9e, irq 255
5: Ext: Ethernet0/4 : address is 001e.7aac.3c9f, irq 255
6: Ext: Ethernet0/5 : address is 001e.7aac.3ca0, irq 255
7: Ext: Ethernet0/6 : address is 001e.7aac.3ca1, irq 255
8: Ext: Ethernet0/7 : address is 001e.7aac.3ca2, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1151Z0M2
Running Activation Key: 0xcb3a555b 0x00a9f0ce 0xfc53cd14 0xa52820cc 0x492b92b3
Configuration register is 0x1
Configuration last modified by enable_15 at 18:49:48.849 UTC Tue Jul 6 2010
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(2)
!
terminal width 120
hostname ciscoasa
enable password T6L9kwXy8yD66Ci8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.0.10 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address 213.x.x.8 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif outside_old
security-level 0
ip address 62.x.x.159 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
description RESERVED
shutdown
!
interface Ethernet0/3
description RESERVED
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list N0_INSIDE remark Entries in this list will be exempt from NAT
access-list N0_INSIDE extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
access-list AG_OUTSIDE_IN remark Traffic allowed into the outside interface
access-list AG_OUTSIDE_IN extended permit icmp any any
access-list AG_INSIDE_IN remark Traffic allowed into the inside interface
access-list AG_INSIDE_IN extended permit tcp any host 192.14.14.20 eq smtp
access-list AG_INSIDE_IN extended permit tcp any host 80.x.x.52 eq smtp
access-list AG_INSIDE_IN extended deny tcp any any eq smtp
access-list AG_INSIDE_IN extended permit ip any any
access-list AG_OUTOLD_IN remark Traffic allowed into the outside_old interface
access-list AG_OUTOLD_IN extended permit icmp any any
access-list VPN_GATESHEAD remark VPN traffic to/from Gateshead office
access-list VPN_GATESHEAD extended permit ip 172.16.0.0 255.255.252.0 192.15.15.0 255.255.255.0
pager lines 22
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outside_old 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 10 interface
global (outside_old) 10 interface
nat (inside) 0 access-list N0_INSIDE
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
static (inside,outside_old) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
access-group AG_INSIDE_IN in interface inside
access-group AG_OUTSIDE_IN in interface outside
access-group AG_OUTOLD_IN in interface outside_old
route outside 0.0.0.0 0.0.0.0 213.x.x.1 1
route outside_old 192.15.15.0 255.255.255.0 62.x.x.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CM_OUTOLD 10 match address VPN_GATESHEAD
crypto map CM_OUTOLD 10 set pfs
crypto map CM_OUTOLD 10 set peer 82.x.x.219
crypto map CM_OUTOLD 10 set transform-set ESP-AES256-MD5
crypto map CM_OUTOLD 10 set security-association lifetime seconds 3600
crypto map CM_OUTOLD interface outside_old
crypto isakmp identity address
crypto isakmp enable outside_old
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet 172.16.0.0 255.255.252.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 120 retry 2
tunnel-group 82.163.120.219 type ipsec-l2l
tunnel-group 82.163.120.219 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cf43aed8a7a87ca9205c2faffb0567c1
: end
ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ee740, priority=12, domain=permit, deny=false
hits=5, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=49, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 10 (213.48.16.8 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Dynamic translate 172.16.1.100/43563 to 213.48.16.8/61556 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xd81ebb58, priority=1, domain=nat, deny=false
hits=2, user_data=0xd81eba98, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 3, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81eb6a8, priority=1, domain=host, deny=false
hits=33, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8186830, priority=0, domain=inspect-ip-options, deny=true
hits=2, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 1.2.3.4 www det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
match ip inside 172.16.0.0 255.255.255.0 inside any
static translation to 192.14.14.0
translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface inside
Untranslate 192.14.14.0/0 to 172.16.0.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ee740, priority=12, domain=permit, deny=false
hits=6, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=50, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Dynamic translate 172.16.1.100/43563 to 172.16.0.10/25517 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xd81eb350, priority=1, domain=nat, deny=false
hits=4, user_data=0xd81eb290, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81eb6a8, priority=1, domain=host, deny=false
hits=34, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
match ip inside 172.16.0.0 255.255.255.0 inside any
static translation to 192.14.14.0
translate_hits = 0, untranslate_hits = 7
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd81efdb8, priority=5, domain=nat-reverse, deny=false
hits=4, user_data=0xd81efb68, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=172.16.0.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.14.14.0 172.16.0.0 netmask 255.255.255.0
match ip inside 172.16.0.0 255.255.255.0 inside any
static translation to 192.14.14.0
translate_hits = 0, untranslate_hits = 7
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd81efe50, priority=5, domain=host, deny=false
hits=7, user_data=0xd81efb68, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
ciscoasa(config)# packet-trace in inside tcp 172.16.1.100 43563 192.15.15.20 www det
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.15.15.0 255.255.255.0 outside_old
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group AG_INSIDE_IN in interface inside
access-list AG_INSIDE_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ee740, priority=12, domain=permit, deny=false
hits=7, user_data=0xd64d2b40, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8135a08, priority=0, domain=inspect-ip-options, deny=true
hits=52, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 172.16.0.0 255.255.252.0 outside_old 192.15.15.0 255.255.255.0
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ea858, priority=6, domain=nat-exempt, deny=false
hits=3, user_data=0xd81ea798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.255.252.0, port=0
dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any outside_old any
dynamic translation to pool 10 (62.253.200.159 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81ec360, priority=1, domain=nat, deny=false
hits=3, user_data=0xd81ec2a0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 10 (172.16.0.10 [Interface PAT])
translate_hits = 4, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd81eb6a8, priority=1, domain=host, deny=false
hits=35, user_data=0xd81eb290, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd820c318, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0xd820be50, reverse, flags=0x0, protocol=0
src ip=172.16.0.0, mask=255.255.252.0, port=0
dst ip=192.15.15.0, mask=255.255.255.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside_old
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ciscoasa(config)# sh xlate
2 in use, 4 most used
Global 192.14.14.0 Local 172.16.0.0
Global 192.14.14.0 Local 172.16.0.0