RE: Security Issue

From: sameer inam <i_sameer_at_hotmail.com>
Date: Sun, 13 May 2012 08:08:15 +0000

Check the FW log ..

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 874, using existing flow
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
Action: allow

 Date: Sun, 13 May 2012 08:48:09 +0100
Subject: Re: Security Issue
From: fbaena_at_ccie.co
To: i_sameer_at_hotmail.com
CC: ccielab_at_groupstudy.com

Hi Sameer,
A couple of things worth checking.
1) Ensure the routers are trying to use ESP and not GRE. Check the firewall
logs "show logging". Sometimes while configuring DMVPN we may think all is
good for ESP and then a misconfiguration could cause the router to try to
revert back to GRE.

2) Run some "dry" tests with packet-tracer.
It was not mentioned in the original email if NAT was in place, can you confirm
that is not the case?

Cheers,
Francisco Baena
CCIE 25595 (R&S, SP)
Senior Instructor - www.ccie.co

On Sun, May 13, 2012 at 6:54 AM, sameer inam <i_sameer_at_hotmail.com> wrote:

Team, I need one small help. Change topology: I put ASA FW 5510 on top
and Cisco Router 1941/K9 behind that and trying to join Cisco Router to
DMVPN cloud, but for some reason ASA not passing that traffic even though
I opened port 4500, esp, 5000 but still the same. If any of you guide me...
Thank you in advance,
Sameer

Received on Sun May 13 2012 - 08:08:15 ART
