Cisco IPSec VPN Client and sending a specific Radius A-V value to ACS 5.2

Similar Messages

• Inbuilt cisco IPSEC vpn client and KeyLife Timeout setting...

  Hi Guys
  I am having issues with the in built cisco vpn client on the mac, I am currrently using Mac OSx 10.7.4
  I have a Fortigate 200B device and have setup the IPSec VPN settings to have a keylife of 86400 seconds.
  However the expereince I am having with the mac clients is that after about 50 minutes the users are being asked to re-authencate to the VPN...
  When checkin the debug logs I can see that the peer (mac client) is setting the phase 2 tunnel key lifetime to 3600 seconds which is 1 Hour...
  Usually in IPSec a re-negeotiation process takes place about 10 minutes or so before the key expires..
  My question is where are the VPN settings kept in the Mac... I know it uses Racoon for the IPSec exchange of key and so I would like to tweak the VPN profiles so that the mac sets the lifetime of the key to 86400 instead of 3600 by default...
  Also want to be able to set logging to debug mode for the Racoon application on mac clients.
  Your help is much appreciated
  Kind Regards
  Mohamed

  Hi Tony,
  to the best of my knowledge this is currently not possible, but will be once this enhancement is implemented:
  CSCsw31922    Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
  You may want to try and ask in the AAA forum if there is anything you can do on ACS...
  hth
  Herbert

• Configurate cisco ipsec vpn client at asa 5505 version 8.4

  Hi dear. I want to configurate cisco ipsec vpn client at asa 5505. At my asa the software version is 8.4.
  please provide me a link or some material to config ipsec vpn client at asa 5505 version 8.4
  thank you.

  are you looking for vpn client .pcf file or the configuration on ASA (ASDM) ?
  what version of vpn client ?

• Cisco AnyConnect VPN client and 256 AES encryption in IE8

  Hey,
  We have a site that we are trying to connect to with the AnyConnect VPN client version 2.5.3055 on Windows XP SP3. As soon as we enter the site info and hit select, it says a connection was unable to be established.
  I believe this has to do with the encryption, its set up with 256 bit AES. We are only able to install IE8, which on XP only supports up to 128 bit encryption, so in IE8 the page will not load. To fix that issue we installed firefox which supports 256 bit encryption. We can get to the page there, but when we go to connect to the same site VIA the VPN client it still will not connect. It will work fine on a windows 7 box with IE9 installed from the same network.
  My question mainly pertains to how the AnyConnect client connects on the back end. Does it use Internet explorer's SSL layer by default? Or does it have its own? If it connects through internet explorer, is there a way to change it to firefox so it will actually be able to open up a connection?
  Thank you for your answers in advance,
  John

  Hey Jeff,
  Thanks for answering that question. Hmm, so it doesnt go through the browsers SSL layer. We have systems on the same network (same proxy, firewall, vlan, etc). All the systems with windows XP SP3 and IE8/IE7 can not connect to the VPN (they arent even able to start the connection and ask for proxy/logon info.), all the systems with windows 7 and IE9 can. Same setups on each one as far as the security policies go as well. I thought it may have to do with the 256 bit encryption that they are using.
  If thats not the case, what else could be causing the problem? weve tested it on about 5 XP machines and 5 Win 7 machines, same results on each. Connects on Win 7, does not connect on Win XP.
  Thanks,
  John

• Cisco VPN Client and Border Manager

  Don't know if this is the correct spot, but here goes. We are using BM 3.8sp4 using proxy, and NAT. We have a contractor that needs to access his company network using a Cisco VPN Client Ver 5. They have Enable Transparent Tunneling checked in the client and IPSec over TCP port 1000.
  Is this a filter exception to let it out or something else I need to set up?

  Port 1000, or 10000? (10,000 is something I've seen in the past, and
  is what I used for the example in my BMgr filtering book. See URL
  below).
  You would probably need to open two ports up, in FILTCFG, from private
  to public interfaces. First, IKE-st (UDP 500). Next, make a custom
  stateful one for port 1000 (or whatever), probably UDP.
  The last Cisco IPSec VPN client I used through BMgr needed UDP 500 and
  UDP 4500 opened, just like the Novell IPSec VPN client. So I was able
  to use the definitions supplied by Novell in FILTCFG. In your case,
  you will probably have to add at least one custom exception.
  Filter debug will tell you what is being filtered, if you know how to
  use it. Or get PKTSCAN.NLM from download.novell.com, load it on the
  server, and capture packets. Look at them on the server, or use
  Wireshark, and you will see what protocol/ports are being sent from the
  client IP address.
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to http://www.craigjconsulting.com ***

• Mavericks VPN dropouts with native VPN client and Cisco IPSec

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

  Since update to Maverics I am experiencing VPN dropouts with native VPN client and Cisco IPSec
  I am connecting via a WIFI router to a remote VPN server
  The conenction is good for a while but eventually it drops out.
  I had Zero issues in mountain lion and only have issues since the update to 10.9
  I had similar issues in teh past with an unrelaibel wifi router but i am using a Verizon Fios router and it has worked impecably until mavericks
  My thoughts are:
  1 -issue with mavericks  ( maybe the app sleep funciton affecting eithe VPN or WIFI daemons)
  2- Issue with  cisco router compaitibility or timing with Cisco IPSEC
  3- Issue with WIFI itself on mavericks - some sort of WIFI software bug
  Any thousuggestions?

• Cisco ASA 5505, Cisco VPN Client and Novell Netware

  Hi,
  Our ISP have installed Cisco ASA 5505 firewall. We are trying to connect to our Novell 5.1 server using VPN client.
  I installed VPN client on a laptop that is using wireless connection. I connect using wireless signal from near by hotel and I am able to connect to my firewall usinging vpn client and also able to login in using Novell client for XP.
  When I use same vpn client and Novell client at home that is not using wireless connection, but DSL connection amd not able to login or find the tree.
  The only difference in two machine is laptop using wireless connection and my home machine is using wired connection using DSL.

  If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

• Cisco Jabber Client for Windows 9.7 Can't Connect to Other IPSec VPN Clients Over Clustered ASAs

  Environment:
  2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
  Both ASAs are at version 8.4(5)6
  IPSec VPN Client version: 5.0.07.440 (64-bit)
  Jabber for Windows v9.7.0 build 18474
  Issue:
    If I am an IPSec VPN user…
     I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
     I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
  In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

  Portu,
  Thanks for your quick reply.
  Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
  I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
  As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
  Thanks again.

• Cisco Jabber Client for Windows 9.7 Can't Connect IPSec VPN Clients over two ASAs

  Environment:
  2 x ASA 5540s (at two different data centers) configured as a VPN Load Balancing Cluster
  Both ASAs are at version 8.4(5)6
  IPSec VPN Client version: 5.0.07.440 (64-bit)
  Jabber for Windows v9.7.0 build 18474
  Issue:
    If I am an IPSec VPN user…
     I can use Jabber to another IPSec VPN user that is connected to the same ASA appliance.
     I can’t use Jabber to another IPSec VPN user that is connected to the different ASA appliance that I am connected to.
  In the hub-and-spoke design, where the VPN ASA is a hub, and the VPN client is a spoke; if you have two hubs clustered together, how does one spoke communicate with another spoke on the other hub in the cluster? (How to allow hairpinning to the other ASA)

  Portu,
  Thanks for your quick reply.
  Unfortunately, I do not have access to the ASA logs nor would I be permitted to turn on the debug settings asked for above.  I might be able to get the logs but it will take awhile and I suspect they wouldn't be helpful as this ASA supports thousands of clients, therefore, separating out my connection attempts from other clients would be difficult.
  I can, though, do whatever you want on the Linux router.  Looking over the firewall logs at the time of this problem, I don't see anything that looks suspicious such as dropped packets destined for the Windows client.
  As I said in my original post, I'm not a networking expert - by any means - but I am willing to try anything to resolve this.  (But I might need a bit of handholding if I need to set up a  wireshark andor tcpdump.)
  Thanks again.

• Boot camp with Cisco VPN client and smart card

  Looking at a Macbook or Macbook Air and the only reason I need to run windows is to be able to access my work network through the Cisco VPN client and my Smartcard then use remote desktop. From my understanding if I run Bootcamp it should work am I correct? Im going to an Apple store tomorrow hopefully they can help too.
  Thanks

  mrbacklash wrote:
  Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
  I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
  Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
  Message was edited by: BobTheFisherman

• Problem with Cisco VPN client and HP elitebook 2530p windows 7 64-bit

  Hi there
  I have a HP Elitebook 2530p which i upgraded to windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290 and also 64-bit) and the HP connection manager to connect to the internet through a modem Qualcomm gobi 1000 (that is inside the laptop). When I connect to the VPN, it connects (I write the username and password) but there is no traffic inside de virtual adapter for my servers. When I connect to the internet through wire or wireless internet, I connect de VPN client and there is no problem to establish communication to my servers.
  I tried everything, also change the driver and an earlier version of the HP connection manager application. I also talked to HP and they told me that there was a report with this kind of problem and it was delivered to Cisco. I don’t know where is the problem.
  Could anyone help me?
  Thanks to all.

  You can try to update Deterministic Network Enhancer to the below listed release which supports
  WWAN Drivers.
  http://www.citrix.com/lang/English/lp/lp_1680845.asp.
  DNE now supports WWAN devices in Win7.  Before downloading the latest version of DNEUpdate from the links below,  be sure you have the latest
  drivers for your network adapters by downloading them from the vendors’ websites.
  For 64-bit: ftp://files.citrix.com/dneupdate64.msi
  Hope that helps.

• Apple built-in vpn client and dhcp hostnames

  We have a number of Mac clients in our office which uses MS for dhcp and dns.
  I've noticed that the mac clients when wired directly into the office network successfully get a dhcp lease and report their hostnames accurately to the dhcp server. However when these same clients connect to the office network via VPN (using the built-in vpn utility with Cisco IPSEC) they get a dhcp lease as expected, but do not register a hostname with the lease on the dhcp server. The lease is assigned to a blank hostname.
  I assume this is a pretty common issue. Has anyone found a way to configure the vpn client to send the hostname along with the connection, either via the client config or through some other method?
  Thanks.

  The VPN server is a Cisco 3030, however only the Mac clients have this issue. Windows and linux clients report their hostnames to dhcp properly even when VPN connected.

• Cisco/IPsec VPN built-in service of 10.6.1 does not work!

  Hello,
  I have been using for a while in Leopard (10.5) the Cisco VPN client delivered by Cisco company until I upgrade to Snow Leopard (10.6.1) which comes with a native built-in Cisco VPN client and I gave it a try in order to replace my dedicated Cisco app.
  I set up the Cisco VPN service in System Preferences > Network with the same settings than those used in the Cisco client but the connection fails when it is launched from the 10.6 network VPN service... while it works perfect when launched from the Cisco app itself.
  I need to activate a VPN connection in order to connect from home to my enterprise server and I have to respect the VPN settings the network administrator of my enterprise put in place.
  Those are very common:
  1. Host name
  2. Group name + Group password
  3. Domain name\Userid + User password
  4. RSA pass code (random code provided by a specific RSA keyfob)
  5. Transport is IPsec over UDP
  According to my testings, I would say that:
  1. The connection to the host is OK.
  2. The validation of the group name + group psw is OK.
  3. The validation of the userid + user psw is OK.
  4. The RSA pass code is rejected.
  According to my enterprise network engineer's investigations, the possible reasons of the connection failure could be:
  1. the UDP protocol is not (well) supported by the client service.
  2. and/or the extended authentification phase (aka "Xauth") is not working as it should.
  As far as I can see in other VPN clients, there is usually an option to select whether the transport is run over TCP or over UDP. Unfortunately, I have not been able to find such option in 10.6.
  In my opinion, it could be either a bug or an (undesired) limitation of the Apple VPN service. In both cases, it requires a quick fix from Apple as, for time being, this issue prevents me and many of us connecting to our enterprise servers when we are far from its local network.

  Thank you for your answers which confirm the limitation of the Apple VPN solution to the TCP transport only.
  I have to say that I do not understand such a decision from Apple since the UDP protocol is very common in the enterprise world.
  I will thus have to rely on the Cisco app itself. Is the version 4.9.01 (0080) the correct one for SL as well?
  Thank you!

• RV220W, VPN client, and Full Tunnel vs Split Tunnel capabilities

  For an RV220W, which VPN client mode (of the three possibilities) supports which Tunnel mode? 
  This is mostly a question, and partly "in use" observations.
  Background: I have been able to get all three different VPN clients to work with an RV220W, but only one of the three works in "Full Tunnel"  mode (SSL VPN). And since I know one of the three -- the Cisco QuickVPN client -- will never with in that mode, do we know if an RV220W will with an IPSec client in Full Tunnel Mode? 
  If anyone answers yes, the next question will be vpn client and how did you configure it, client and RV220W, to make full tunnel work.
  Summary of VPN modes I've gotten to work with an RV220W:
  Client
  Split Tunnel Works?
  Full Tunnel Works?
  OS?
  Notes
  SSL VPN
  Yes
  Yes
  Win7/64
  IE10 or IE11
  QuickVPN
  Yes
  No
  Win7/64
  IPSec VPN
  Yes
  No
  Win7/64
  Shrew Soft VPN Client

  I have to mark this as not a correct answer.
  Reason: 0.0.0.0 will not go into either of the fields listed above, message is "Invalid IP address Please enter a value between 1 - 223 at xxx.0.0.0.".
  To Michal Bruncko who posted this:
  1.) 0.0.0.0 will not work in my router nor in the RV220W online emulator here, (general emulator page here), am I missing something obvious?
  2.) Have you used these actual settings on your router, or did you answer in a theoretical, "this should work" way?

• IPSEC VPN clients can't reach internal nor external resources

  Hi!
  At the moment running ASA 8.3, with fairly much experience of ASA 8.0-8.2, I can't get the NAT right for the VPN clients.
  Im pretty sure it's not ACL's, although I might be wrong.
  The problem is both VPN users can reach internal resources, and vpn users cant reach external resources.
  # Issue 1.
  IPSEC VPN client cannot reach any local (inside) resources. All interfaces are pretty much allow any any, I suspect it has to do with NAT.
  When trying to access an external resource, the "translate_hits" below are changed:
  Auto NAT Policies (Section 2)
  1 (outside) to (outside) source dynamic vpn_nat interface
     translate_hits = 37, untranslate_hits = 11
  When trying to reach a local resource (10.0.0.0/24), the translate hits below are changed:
  5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
      translate_hits = 31, untranslate_hits = 32
  Most NAT, some sensitive data cut:
  Manual NAT Policies (Section 1)
  <snip>
  3 (inside) to (server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
      translate_hits = 0, untranslate_hits = 0
  4 (inside) to (server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
      translate_hits = 0, untranslate_hits = 0
  5 (inside) to (outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
      translate_hits = 22, untranslate_hits = 23
  Auto NAT Policies (Section 2)
  1 (outside) to (outside) source dynamic vpn_nat interface
      translate_hits = 37, untranslate_hits = 6
  Manual NAT Policies (Section 3)
  1 (something_free) to (something_outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  2 (something_something) to (something_outside) source dynamic any interface
      translate_hits = 0, untranslate_hits = 0
  3 (inside) to (outside) source dynamic any interface
      translate_hits = 5402387, untranslate_hits = 1519419
  ##  Issue 2, vpn user cannot access anything on internet
  asa# packet-tracer input outside tcp 172.16.32.1 12345 1.2.3.4 443
  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  Relevant configuration snippet:
  interface Vlan2
  nameif outside
  security-level 0
  ip address 1.2.3.2 255.255.255.248
  interface Vlan3
  nameif inside
  security-level 100
  ip address 10.0.0.5 255.255.255.0
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object network anywhere
  subnet 0.0.0.0 0.0.0.0
  object network something_free
  subnet 10.0.100.0 255.255.255.0
  object network something_member
  subnet 10.0.101.0 255.255.255.0
  object network obj-ipsecvpn
  subnet 172.16.31.0 255.255.255.0
  object network allvpnnet
  subnet 172.16.32.0 255.255.255.0
  object network OFFICE-NET
  subnet 10.0.0.0 255.255.255.0
  object network vpn_nat
  subnet 172.16.32.0 255.255.255.0
  object-group network the_office
  network-object 10.0.0.0 255.255.255.0
  access-list VPN-TO-OFFICE-NET standard permit 10.0.0.0 255.255.255.0
  ip local pool ipsecvpnpool 172.16.32.0-172.16.32.255 mask 255.255.255.0
  ip local pool vpnpool 172.16.31.1-172.16.31.255 mask 255.255.255.0
  nat (inside,server) source static NETWORK_OBJ_1.2.3.0_29 NETWORK_OBJ_1.2.3.0_29
  nat (inside,server) source static any any destination static NETWORK_OBJ_10.0.0.240_28 NETWORK_OBJ_10.0.0.240_28
  nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
  object network vpn_nat
  nat (outside,outside) dynamic interface
  nat (some_free,some_outside) after-auto source dynamic any interface
  nat (some_member,some_outside) after-auto source dynamic any interface
  nat (inside,outside) after-auto source dynamic any interface
  group-policy companyusers attributes
  dns-server value 8.8.8.8 8.8.4.4
  vpn-tunnel-protocol IPSec
  default-domain value company.net
  tunnel-group companyusers type remote-access
  tunnel-group companyusers general-attributes
  address-pool ipsecvpnpool
  default-group-policy companyusers
  tunnel-group companyusers ipsec-attributes
  pre-shared-key *****

  Hi,
  I don't seem to get a reply from 8.8.8.8 no, kind of hard to tell as it's an iphone. To me, all these logs simply says it works like a charm, but still I can get no reply on the phone.
  asa# ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=0 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=0 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=256 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=256 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  ICMP echo request from outside:172.16.32.1 to outside:4.2.2.2 ID=6912 seq=512 len=28
  ICMP echo request translating outside:172.16.32.1/6912 to outside:x.x.37.149/46012
  ICMP echo reply from outside:4.2.2.2 to outside:x.x.37.149 ID=46012 seq=512 len=28
  ICMP echo reply untranslating outside:x.x.37.149/46012 to outside:172.16.32.1/6912
  asa# show capture capo
  12 packets captured
     1: 08:11:59.097590 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     2: 08:11:59.127129 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     3: 08:12:00.103876 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     4: 08:12:00.133293 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     5: 08:12:01.099253 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     6: 08:12:01.127572 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     7: 08:12:52.954464 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
     8: 08:12:52.983866 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
     9: 08:12:56.072811 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
    10: 08:12:56.101007 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
    11: 08:12:59.132897 802.1Q vlan#2 P0 x.x.37.149 > 4.2.2.2: icmp: echo request
    12: 08:12:59.160941 802.1Q vlan#2 P0 4.2.2.2 > x.x.37.149: icmp: echo reply
  asa# ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=0 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=0 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=256 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=256 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=512 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=512 len=28
  ICMP echo request from outside:172.16.32.1 to inside:10.0.0.72 ID=6912 seq=768 len=28
  ICMP echo reply from inside:10.0.0.72 to outside:172.16.32.1 ID=6912 seq=768 len=28
  asa# show capture capi
  8 packets captured
     1: 08:15:44.868653 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     2: 08:15:44.966456 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     3: 08:15:47.930066 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     4: 08:15:48.040082 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     5: 08:15:51.028654 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     6: 08:15:51.110086 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
     7: 08:15:54.076534 802.1Q vlan#3 P0 172.16.32.1 > 10.0.0.72: icmp: echo request
     8: 08:15:54.231250 802.1Q vlan#3 P0 10.0.0.72 > 172.16.32.1: icmp: echo reply
  Packet-capture.
  Phase: 1
  Type: CAPTURE
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  MAC Access list
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit Rule
  Additional Information:
  MAC Access list
  Phase: 3
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   172.16.32.1     255.255.255.255 outside
  Phase: 4
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group inside_access_in in interface inside
  access-list inside_access_in extended permit ip any any log
  Additional Information:
  Phase: 5
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: INSPECT
  Subtype: np-inspect
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7     
  Type: DEBUG-ICMP
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 8
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (inside,outside) source static any any destination static NETWORK_OBJ_172.16.32.0_24 NETWORK_OBJ_172.16.32.0_24
  Additional Information:
  Static translate 10.0.0.72/0 to 10.0.0.72/0
  Phase: 9
  Type: HOST-LIMIT
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 10
  Type: VPN    
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 11
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_out out interface outside
  access-list outside_access_out extended permit ip any any log
  Additional Information:
  Phase: 12
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 5725528, packet dispatched to next module
  Result:
  input-interface: inside
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: allow