Thursday, September 5, 2019

Cisco ASA denying SSH connection but Allowing Ping

I added a new network object to the DMZ so users can connect to the service from VPN, but it's being blocked over VPN.

But on the LAN I can access the host from any network.

I have a packet-tracer below; I'm not sure what I have configured wrong.

Thanks!

wpnetfw02# packet-tracer input vlan6 tcp 10.251.250.1 22 10.200.6.15 22 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaada9538a0, priority=1, domain=permit, deny=false
    hits=22087, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=Vlan6, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.200.6.15 using egress ifc Vlan6

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_in in interface Vlan6
access-list DMZ_access_in extended permit ip object-group VPNCorpPool object net-dmz
object-group network VPNCorpPool
 network-object 10.251.250.0 255.255.255.0
 network-object 10.251.252.0 255.255.255.0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaadb36cc60, priority=13, domain=permit, deny=false
    hits=0, user_data=0x2aaace355200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=10.251.250.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.200.6.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=Vlan6, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Vlan6,any) source static net-dmz net-dmz destination static Natexception Natexception no-proxy-arp route-lookup
Additional Information:
Static translate 10.251.250.1/22 to 10.251.250.1/22
Forward Flow based lookup yields rule:
in  id=0x2aaadb27bac0, priority=6, domain=nat, deny=false
    hits=0, user_data=0x2aaadb272370, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=10.251.250.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.200.6.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=Vlan6

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaada919240, priority=1, domain=nat-per-session, deny=false
    hits=26065, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaada95c8a0, priority=0, domain=inspect-ip-options, deny=true
    hits=4411, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Vlan6, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaadaf038e0, priority=20, domain=lu, deny=false
    hits=1749, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Vlan6, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Vlan6,any) source static net-dmz net-dmz destination static Natexception Natexception no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaadb27bea0, priority=6, domain=nat-reverse, deny=false
    hits=1, user_data=0x2aaadb272260, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=10.251.250.0, mask=255.255.255.0, port=0, tag=any
    dst ip/id=10.200.6.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=Vlan6

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x2aaada919240, priority=1, domain=nat-per-session, deny=false
    hits=26067, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x2aaada95c8a0, priority=0, domain=inspect-ip-options, deny=true
    hits=4413, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    input_ifc=Vlan6, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 35592, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.200.6.15 using egress ifc Vlan6

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 000c.294f.df54 hits 1 reference 2

Result:
input-interface: Vlan6
input-status: up
input-line-status: up
output-interface: Vlan6
output-status: up
output-line-status: up


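Reading a detailed packet-tracer run by hand is error-prone once it has a dozen phases. The following is an added example, not code from the original post or from Cisco: it parses packet-tracer output into its phases, reports the first phase whose Result is not ALLOW together with the Config block (the rule) that matched there, and pulls the Action and Drop-reason from the trailing summary. The embedded trace is a constructed, shortened sample in the shape the ASA prints, not the firewall output above; the interface name outside and the ACL name outside_access_in in it are hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (NOT the firewall output from the post): a shortened
# packet-tracer run with the ACL phase set to DROP and the trailing summary
# block. Interface name "outside" and ACL "outside_access_in" are hypothetical.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2aaada9538a0, priority=1, domain=permit, deny=false

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.200.6.15 using egress ifc Vlan6

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Vlan6
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_HDR = re.compile(r"^Phase:\s*(\d+)[ \t]*$", re.M)
SUMMARY_HDR = re.compile(r"^Result:[ \t]*$", re.M)   # a bare "Result:" line opens the trailer


def _field(body: str, name: str) -> str:
    """Value of a single-line 'Name: value' field inside one phase body ('' if absent)."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", body, re.M)
    return m.group(1).strip() if m else ""


def split_phases(text: str) -> Tuple[List[Tuple[int, str]], str]:
    """Split raw output into [(phase_number, body), ...] plus the final summary block."""
    parts = PHASE_HDR.split(text)            # [preamble, "1", body1, "2", body2, ...]
    phases: List[Tuple[int, str]] = []
    trailer = ""
    for i in range(1, len(parts), 2):
        body = parts[i + 1]
        if i + 2 >= len(parts):              # the last phase body carries the summary; cut it off
            m = SUMMARY_HDR.search(body)
            if m:
                trailer, body = body[m.start():], body[: m.start()]
        phases.append((int(parts[i]), body))
    return phases, trailer


def parse_phase(num: int, body: str) -> dict:
    """Pull Type/Subtype/Result and the Config block (the rule that matched) from one phase."""
    m = re.search(r"^Config:[ \t]*\n(.*?)^Additional Information:", body, re.M | re.S)
    return {
        "phase": num,
        "type": _field(body, "Type"),
        "subtype": _field(body, "Subtype"),
        "result": _field(body, "Result"),
        "config": m.group(1).strip() if m else "",
    }


def parse_packet_tracer(text: str) -> Tuple[List[dict], Dict[str, str]]:
    """Return (phases, summary) where summary holds the trailer's key: value lines, keys lowercased."""
    raw, trailer = split_phases(text)
    summary: Dict[str, str] = {}
    for line in trailer.splitlines():
        m = re.match(r"^([\w-]+):\s*(.+)$", line)  # skips the bare "Result:" line itself
        if m:
            summary[m.group(1).lower()] = m.group(2).strip()
    return [parse_phase(n, b) for n, b in raw], summary


def first_drop(phases: List[dict]) -> Optional[dict]:
    """First phase whose Result is not ALLOW, i.e. the rule that killed the packet, or None."""
    for p in phases:
        if p["result"].upper() != "ALLOW":
            return p
    return None


def report(text: str) -> List[str]:
    """One line per phase, then a verdict line naming the dropping rule (or no drop)."""
    phases, summary = parse_packet_tracer(text)
    lines = [f"{p['phase']:>2} {p['type']:<18} {p['subtype'] or '-':<26} {p['result']}" for p in phases]
    drop = first_drop(phases)
    if drop:
        lines.append(f"dropped in phase {drop['phase']} ({drop['type']}): {drop['config'] or 'no config shown'}")
        if summary.get("drop-reason"):
            lines.append(f"drop-reason: {summary['drop-reason']}")
    else:
        lines.append("all phases ALLOW: if real traffic still fails, this trace is not exercising the real "
                     "path (re-check input interface, source address and direction)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

Run it over the saved output of a `packet-tracer ... detailed` command. When every phase comes back ALLOW, as in the trace in the post, the parser reports no drop, and that is itself the useful signal: the simulated packet is not taking the path the failing traffic takes, so the next trace should use the input interface, source address and direction of the real VPN client traffic rather than a packet injected on the DMZ interface toward the DMZ host.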