Rserver-initiated traffic not sourced as the VIP in ACE 4710

One of the features of our application is that our application server initiates text messages to our devices sourcing from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back to the same public IP (2.2.2.2) with UDP port 1120. The problem is that we can make that happen if we have only one server in our ACE serverfarm, when we SNAT the real server with the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers with the VIP address; if I do a PAT, obviously it changes the source port of the request.
Note: This setup is working fine with the Cisco Content Switching Module running in a 6509 chassis. When I sniff the traffic initiated from the server coming through the CSM load balancer, it is sourced as the VIP and the source port remains the same by default, but this is not the case with the ACE 4710.
Traffic flow as follows
===============
ACE 4710                      VIP            FWSM (Firewall static NAT)     Device (configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
Rserver 1 - 10.1.104.80       10.1.246.32    10.1.246.32 <-> 2.2.2.2        1.1.1.1
Rserver 2 - 10.1.104.81
-------------------------------------------> ------------------------------>   traffic flow from server to the device when we send msg
Configs:
======
rserver host server1
  ip address 10.1.104.80
  inservice
rserver host server2
  ip address 10.1.104.81
  inservice
serverfarm host SFARM
  failaction purge
  probe ICMP
  rserver server1
    inservice
  rserver server2
    inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
  set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
  serverfarm SFARM
  timeout 180
  replicate sticky
class-map match-all CLS-SFARM
  2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
  2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
  class class-default
    sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
  class CLS-SFARM
    loadbalance vip inservice
    loadbalance policy POL-SFARM
    loadbalance vip icmp-reply active
    connection advanced-options UDP_TIMEOUT
  class SERVERNAT
    nat dynamic 1 vlan 244
interface vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
  mac-sticky enable
  no icmp-guard
  no shutdown
interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
  mac-sticky enable
  no icmp-guard
  no shutdown

I see that in the CSS they are able to NAT the source IP address with the VIP and port mapping disabled. How do I implement portmap disable in the ACE 4710?
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,
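As an added illustration (not from the post and not ACE code), the toy source-NAT table below shows the constraint the post runs into: with a single NAT address and no PAT, two real servers that both source UDP 1120 to the same device produce the same outside tuple, so replies cannot be mapped back to the right server, while PAT keeps the flows distinct at the cost of changing the port the device sees. Addresses are taken from the post; the PAT port range starting at 1024 is a constructed assumption.

```python
"""Toy model of a single-address source NAT, added to illustrate the post above.
It is not a model of the ACE itself; it only shows why 'NAT to the VIP without
PAT' is unambiguous for one real server and ambiguous for two that share a
source port towards the same device."""
from dataclasses import dataclass
import itertools

# Values from the post: VIP, the two rservers, the device, and the app's UDP port.
VIP = "10.1.246.32"
RSERVERS = ["10.1.104.80", "10.1.104.81"]
DEVICE = ("1.1.1.1", 1120)
APP_PORT = 1120


@dataclass(frozen=True)
class Flow:
    src: tuple  # (ip, port) as seen on the inside, i.e. the real server
    dst: tuple  # (ip, port) of the device


class SourceNat:
    """Dynamic NAT with one outside address, optionally with PAT."""

    def __init__(self, nat_ip, pat):
        self.nat_ip = nat_ip
        self.pat = pat
        # outside key (nat_ip, nat_port, dst) -> inside (ip, port); the NAT needs
        # this mapping to be unique to deliver the device's replies correctly.
        self.table = {}
        self.next_port = itertools.count(1024)  # constructed PAT port range

    def translate(self, flow):
        """Return the outside key for the flow, or None if no unique key exists."""
        inside = flow.src
        key = (self.nat_ip, inside[1], flow.dst)  # keep the source port
        owner = self.table.get(key)
        if owner is None or owner == inside:
            self.table[key] = inside
            return key
        if not self.pat:
            # Another real server already owns this outside tuple: collision.
            return None
        # PAT: allocate a free source port; the device no longer sees port 1120.
        while True:
            port = next(self.next_port)
            key = (self.nat_ip, port, flow.dst)
            if key not in self.table:
                self.table[key] = inside
                return key

    def reply_target(self, key):
        """Inside (ip, port) a reply arriving on this outside key is sent to."""
        return self.table.get(key)


def simulate(servers, pat, devices=None):
    """Push each server's first UDP 1120 packet through a fresh NAT.

    Returns, per server, the source port the device would see, or None where
    the NAT cannot form a unique outside tuple for that flow.
    """
    devices = devices or [DEVICE] * len(servers)
    nat = SourceNat(VIP, pat)
    seen = []
    for ip, dst in zip(servers, devices):
        key = nat.translate(Flow((ip, APP_PORT), dst))
        seen.append(None if key is None else key[1])
    return seen


def port_preserved(seen):
    """True only if every flow was translated and kept the application port."""
    return all(p == APP_PORT for p in seen)


if __name__ == "__main__":
    print("one rserver, no PAT :", simulate(RSERVERS[:1], pat=False))  # [1120]
    print("two rservers, no PAT:", simulate(RSERVERS, pat=False))      # [1120, None]
    print("two rservers, PAT   :", simulate(RSERVERS, pat=True))       # [1120, 1024]
    # Different destinations do not collide even without PAT.
    print("two devices, no PAT :",
          simulate(RSERVERS, pat=False, devices=[DEVICE, ("1.1.1.2", 1120)]))  # [1120, 1120]
```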

Similar Messages

  • AIP-SSM, it is not sensing the traffic

    Hi everyone, I have a problem. I am using an ASA 5510 with an AIP-SSM10; my problem is that when I redirect the traffic to the AIP-SSM to detect attacks, I probe it and then look in the event logs of the IPS, and the sensor doesn't detect anything. Is it necessary to install an IPS license? It is for my own project, thanks.

    Unless you are scanning across the ASA, the SSM module will not "see" the scan and cannot produce events. To alarm on an SSM module, you must scan from one network to another. Basically, the SSM cannot do promiscuous monitoring. I would recommend an IPS appliance if you want to monitor traffic sent between hosts of the same network.
    ** Pls rate if this helps **

  • ACE not passing the traffic to the server.

    Hi Experts,
    Could you please help me on this issue:-
    The users are not able to access the Palm application passing through the ACE module. The clients get to the Citrix server and from there it goes to the Palm application. Now both external and internal users are not able to access the Palm application.
    Troubleshooting done:
    1) Connecting to the Palm server while excluding the ACE works.
    2) Servers are reachable from the ACE module.
    3) It was working fine before, but not now. There were no changes made on the ACE, but still the issue.
    4) Checked the Palm context, which seems to be okay. But still not able to get through.
    Any help would be great.
    Thanks
    Sum.

    Sniffer trace in front of ace and backend.
    Capture a failure.
    Before and after the connection failure also get the following command
    'show service-policy detail'
    See if you have connection hits.
    Gilles.

  • All the traffic go through IPsec tunnel(site to site ) ,but something seems not working correctly

    Hi, all,
    I have seen a good post on google.com about how to send all the clients' traffic through the IPsec tunnel and then out to the Internet from the main site. I now attach this configuration and application for discussion. The problem is that I am still confused by the configuration on the main site; I hope someone can tell me more detail and how to accomplish it. Any answer will be appreciated, thank you!
    Quote :
    Question ? :
    Mine is a very simple configuration.  I have 2 sites linked via an IPsec tunnel.  Dallas is my Main HQ R1 and Austin R2 is my remote office.  I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
    Dallas (Main) Lan Net is: 10.10.200.0/24
    Austin (Remote) LAN Net is: 10.20.2.0/24
    The Dallas (Main) site has a VPN config of:
    Local Net: 0.0.0.0/0
    Remote Net: 10.20.2.0/24
    The Austin (Remote) site has a VPN config of:
    10.20.2.0/24
    Remote Net: 0.0.0.0/0
    The tunnel gets established just fine.  From the Austin LAN clients, I can ping the router at the main site (10.10.200.1).  This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
    I'm sure it's something simple I failed to configure.  Anyone have any pointers or hints?
    Answer:
    Thanks to Jimp from the other thread, I was able to see why it was not working.  To fix, I had to change the Outbound NAT on the main side to Manual.  Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0).  Basically, I just created a copy of the default rule and changed the Source network.
    Once I made this change, Voila!  Traffic from the remote side started heading out to the Internet.  Now all traffic flows thru the Main site.  It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
    My question ?
    The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." What does this mean and how do I do it? Could anybody give me the specific configuration? Thanks a lot.

    Thank you for Jouni's reply. Following is the configuration on the Cisco 2800 router, with no firewall enabled:
    crypto isakmp policy 100
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
    crypto isakmp keepalive 60
    crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
    crypto dynamic-map IPsecdyn 100
     set transform-set IPsectrans
     match address 102
    crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
    interface Loopback1
     ip address 10.10.200.1 255.255.255.0
    interface FastEthernet0/0
     ip address 113.113.1.1 255.255.255.128
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map IPsecmap
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    ip route 0.0.0.0 0.0.0.0 113.113.1.2
    ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any 10.20.2.0 0.0.0.255

  • Not working traffic inside of the same interface

    Hi Guys.
    I need your help to configure a Cisco ASA 5510.
    Connected to a single interface I have a switch. To this switch (same VLAN) are connected:
    1. The Subnet of the main office (192.168.1.253)
    2. A router  (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
    I have so allowed any traffic incoming to the inside interface as follows:
    access-list inside_access_in extended permit ip any any
    and I have permitted traffic intra interface as follows:
    same-security-traffic permit intra-interface
    Then I created a static route:
    route inside 192.168.8.0 255.255.255.0 EXTERNAL_ROUTER 1
    Now I can successfully ping the destination:
    Pinging 192.168.8.10 with 32 bytes of data:
    Reply from 192.168.8.10: bytes=32 time=135ms TTL=123
    Reply from 192.168.8.10: bytes=32 time=146ms TTL=123
    Reply from 192.168.8.10: bytes=32 time=143ms TTL=123
    Reply from 192.168.8.10: bytes=32 time=188ms TTL=123
    Unfortunately I cannot RDP into that server. When I simulate the connection via Packet Tracer, it tells me that the implicit deny at the bottom of the connections from "inside" (firewall) does not allow the connection.
    It sounds to me like that "same-security-traffic permit intra-interface" does work only if there are 2 interfaces and not a single one.
    Unfortunately I cannot just unplug the cable and connect it into another port as the ip is on the same subnet and I cannot configure the other end router.
    Please help :-(
    Thanks,
    Dario Vanin

    Ahh OK, telco router.
    You can quickly test if it's working by configuring the PC with static routes for 192.168.8.0/24 pointing towards the router (192.168.1.254).
    Here is sample configuration on TCP State Bypass:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml
    access-list tcp-bypass-acl permit tcp 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
    access-list tcp-bypass-acl permit tcp 192.168.8.0 255.255.255.0 192.168.1.0 255.255.255.0
    class-map tcp-bypass-cm
       match access-list tcp-bypass-acl
    policy-map tcp-bypass-policy
       class tcp-bypass-cm
           set connection advanced-options tcp-state-bypass
    service-policy tcp-bypass-policy inside

  • MacBook Pro does not start. "traffic sign" on the screen

    Hi,
    After uninstalling Norton AntiVirus, as it had expired, I shut down my machine. Now when starting it the grey apple is on the screen and below it the little thing that "goes around". After a while the grey apple changes into the "traffic sign" (a circle with a diagonal line going from 10 o'clock to 5 o'clock within the circle) and underneath it the little thing goes around forever.
    Can somebody please explain what's going on
    thanks, pyry

    Well, well, well! So close and yet so far away. I give full credit to Graham. Without him I would be nowhere in this case, and I got it working with the help of his advice. Here's what I did:
    1. zap the PRAM - no startup effect
    2. Start with option key down - no effect
    3. start with shift key down - yes, it started as "safe boot". No internet connections etc but anyways.
    4. Followed Graham's Disk Utility advice; everything settled except for something with ARDAgent (should not affect this, I would think)
    5. system preferences defined correct startup disc. Locked the setting, gave restart command via system settings button
    6. machine restarted beautifully - gave full credit to Graham
    but...
    after closedown tried to restart machine again and "traffic sign" appeared. I can now start my machine via the shift button and then restart it via the systems preferences startup disc restart button. I do not however understand what is going on. I try to lock the startup disk via the system preferences but each time after startup when I go in there to check I see the lock sign as open.
    Can someone please advise...

  • Can I monitor JMS traffic (not the contents) for MDBs?

    WL 9.2.2 on AIX 5.3.
    I have an EAR deployed to our domains that a third-party vendor developed. It has MDBs that are configured to be persistent. Messages appearing on the queue are read quickly and sent elsewhere. I thought that I should be able to go to the Monitoring page of the JMS queue and see some information about traffic, even though I can't see the actual messages. When I go to the Monitoring tab for the queue, the list is always empty, even though I'm pretty sure messages are being processed through the queue.
    An engineer from the vendor said that "So all the messages that were sent and acknowledged are never persisted in the filestore and hence you cannot view those messages from the weblogic console". I certainly believe him that I wouldn't be able to view the contents of messages after they are removed from the store, but I would assume that the traffic history is still kept.
    Am I misunderstanding what I should be able to see here?

    You can see certain attributes, something like "Messages High" and "Consumers Current", "Consumers High", but no copies of messages would be kept. If consumers are active and always reading off messages as they come in, then "Messages High" will likely not even increment. If you want to see the messages you could pause consumption of the queue, which should not block production of messages. Then you should be able to see messages start "queueing up" until you unpause consumption.

  • My iphone 5 and Ipad 2 both running official ios7 do not have the option of frequent locations and traffic

    My iPhone 5 and iPad 2, both running the official iOS 7 software, do not show the frequent locations and traffic function on the devices.
    Why is this happening?

    Not all features are available in all countries. Read here:
    http://www.apple.com/ios/feature-availability/

  • ASA not redirecting WCCP traffic (traffic from one particular source address)

    Friends,
    I have a redirect list allowing three kinds of traffic and denying one.
    On ASA:
    access-list wccp-traffic permit ip 10.100.x.x 255.255.255.0 any
    access-list wccp-traffic permit ip 10.1.x.x 255.255.255.0 any
    access-list wccp-traffic deny ip 10.2.x.x 255.255.255.0 any
    One of the allowed traffic sources doesn't return any hits on the access-list: 10.100.x.x is not getting any hits, but 10.1.x.x is getting hits.
    The ASA is configured to redirect the traffic to the Blue Coat cache engine.
    On the ASA, if I check, I can see 10.100.x.x is hitting the ASA but not the access-list.
    Any thoughts??

    Check if this traffic is in the bypass list on the WSA, because if a bypass list is configured in transparent mode, then the bypass list is checked first before redirecting the traffic to the WCCP client.

  • How do I set up my traffic conditions in the notification center, as it is not showing up?

    I have just downloaded iOS7 and would like the traffic conditions in the notification center, however there is no option for me to turn this on in notification center settings, can you help me with this please?

    Did you install any iOS 7 beta?

  • FF4 does not load my MSN home page properly. How can I get it to load the traffic report and format the links?

    Mac OSx

    Computer died, need code. Can you please post a screen shot of the error message? The current released version is 1.8.0.447. The release notes for the Creative Cloud Desktop application can be found at Creative Cloud Help | Creative Cloud app for desktop | Release Notes.

  • ASR1K 5xE1 MFR Frame relay traffic not forwarding in one direction

    Dear Techies,
    Hope all is well!
    I'm doing inter-op testing with an Alcatel device for frame relay and MFRs and got stuck at this situation, which is actually mind boggling, and I think I might be missing something "silly" :-(
    Its a simple setup of
    1. My ASR 1002-X with a LAN (Gig0/0/0) port is connected to a traffic generator.(ixia).
    2. ASR WAN port is a 5xE1 bundled into a MFR circuit.
    3. WAN link goes to a Alcatel box giving me my FR-DCE with E1s over MFR.
    The issue is that I can send traffic at max throughput with the flow initiated from LAN to WAN, but NOT the reverse flow initiated from the WAN side to the LAN port. I see traffic coming into my 5xE1s (1.8 Mbps each) but the traffic just won't go to the LAN side; somewhere it gets "stuck" or "dropped".
    PING works fine from both sides... but sending traffic is not possible!!
    ASR CONFIG
    controller SONET 0/3/0
     framing sdh
     clock source line
     aug mapping au-4
     au-4 1 tug-3 1
      mode c-12
      tug-2 1 e1 1 unframed
      tug-2 1 e1 2 unframed
      tug-2 1 e1 3 unframed
      tug-2 2 e1 1 unframed
      tug-2 2 e1 2 unframed
      tug-2 2 e1 3 unframed
     au-4 1 tug-3 2
      mode c-12
      tug-2 1 e1 1 unframed
      tug-2 1 e1 2 unframed
      tug-2 1 e1 3 unframed
     au-4 1 tug-3 3
      mode c-12
    interface MFR1
     no ip address
     encapsulation frame-relay IETF
     load-interval 30
     frame-relay multilink bid 10MB-PiPe
     frame-relay multilink bandwidth-class a
     frame-relay lmi-type ansi
    interface MFR1.1 point-to-point
     ip address 10.10.17.2 255.255.255.0
     frame-relay interface-dlci 100   
    interface GigabitEthernet0/0/0
     no ip address
     load-interval 30
     negotiation auto
    interface GigabitEthernet0/0/0.110
     encapsulation dot1Q 110
     ip address 11.11.11.1 255.255.255.0
    interface Serial0/3/0.1/1/1/1:0
     no ip address
     encapsulation frame-relay MFR1
     frame-relay multilink lid First-Link
    interface Serial0/3/0.1/1/1/2:0
     no ip address
     encapsulation frame-relay MFR1
     frame-relay multilink lid Second-Link
    interface Serial0/3/0.1/1/1/3:0
     no ip address
     encapsulation frame-relay MFR1
     frame-relay multilink lid Third-Link
    interface Serial0/3/0.1/1/2/1:0
     no ip address
     encapsulation frame-relay MFR1
     frame-relay multilink lid Fourth-Link
    interface Serial0/3/0.1/1/2/2:0
     no ip address
     encapsulation frame-relay MFR1
     frame-relay multilink lid Fifth-Link
    SDH_FR#sh frame-relay multilink 
    Bundle: MFR1, State = up, class = A, fragmentation disabled
     BID = 10MB-PiPe
     Bundle links:
      Serial0/3/0.1/1/1/1:0, HW state = up, link state = Up, LID = First-Link
      Serial0/3/0.1/1/2/2:0, HW state = up, link state = Up, LID = Fifth-Link
      Serial0/3/0.1/1/2/1:0, HW state = up, link state = Up, LID = Fourth-Link
      Serial0/3/0.1/1/1/3:0, HW state = up, link state = Up, LID = Third-Link
      Serial0/3/0.1/1/1/2:0, HW state = up, link state = Up, LID = Second-Link
    SDH_FR#sh frame-relay pvc 100
    PVC Statistics for interface MFR1 (Frame Relay DTE)
    DLCI = 100, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = MFR1.1
      input pkts 8045          output pkts 8044         in bytes 515748    
      out bytes 527920         dropped pkts 0           in pkts dropped 0         
      out pkts dropped 0                out bytes dropped 0         
      in FECN pkts 0           in BECN pkts 0           out FECN pkts 0         
      out BECN pkts 0          in DE pkts 0             out DE pkts 0         
      out bcast pkts 0         out bcast bytes 0         
      5 minute input rate 1000 bits/sec, 2 packets/sec
      5 minute output rate 1000 bits/sec, 2 packets/sec
      pvc create time 01:07:58, last time pvc status changed 01:07:58
      fragment type end-to-end fragment size 1400
    SDH_FR#ping 10.10.17.1-------------------------------------------------------------------------- THIS IS ALCATEL SIDE FROM TRAFFIC HAS TO COME.
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.17.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms
    SDH_FR#sh frame-relay traffic
    Frame Relay statistics:
            ARP requests sent 0, ARP replies sent 0
            ARP request recvd 0, ARP replies recvd 0
    SDH_FR#

    What is the access rate of the head end?
    Are you using a codec other than G711?
    How many total sites are involved, what protocols are you running?
    From the math, 32K is not enough CIR to ensure proper bandwidth for 4 calls. At what point is the voice degrading: is it choppy, missing messages, sound, jitter, echo, or after 1, 2 or 3 calls?
    Even if you are using G729a, voice packets could be dropped. Not to say that it is the case here, but look at the FRS stats to see if IP packets are being dropped.
    Traffic shaping is always recommended; RTP header compression will help, but the trade-off is around a 20% CPU hit.
    If you implement traffic shaping, it needs to be done throughout the network, as queueing delays related to data on other slow links and at the headend (specifically here) could be the cause of the distortion alone. I would at least try traffic shaping first, then if the problem doesn't go away, increase CIR for voice, and if there are still issues, implement LLQ.

  • 2 WAE WCCP l2 only 1 gets the traffic

    Hi,
    I have 1 WAN router and 2 WAVE devices configured in WCCP. The configuration works fine except that only the first WAVE that sees the router and establishes WCCP receives the traffic. What I mean is that both WAVEs see the router and vice versa. When I establish the WCCP connection, the first WAVE to establish it becomes the LEAD WAE and the other one does not get packets. If I disconnect the lead WAE or change its WCCP config and put it back, WCCP switches over to the other WAE and that one is now exclusively receiving the traffic. No load balancing is achieved.
    First here's my setup:
    1 WAN Router Cisco ISR G2 2911 IOS 15.2(1)T
    2 Cisco WAVE-274 WAAS version 4.3.3 configured identically for WCCP.
    Router IP: 10.x.y.1/22
    WAVE IPs: 10.x.y.9 and 10.x.y.7 /22 and default gateway is the router 10.x.y.1
    Users are on the same network 10.x.y.0/22 (is this a problem? i read in some WAAS config guide that the WAE cannot be in the same network as users)
    Second here's the relevant config:
    Router:
    ip cef
    ip wccp 61
    ip wccp 62
    interface GigabitEthernet0/0
    description *** LAN Connection ***
    ip wccp 61 redirect in
    ip addr 10.x.y.1 255.255.252.0
    interface GigabitEthernet0/1
    description *** WAN Connection ***
    ip wccp 62 redirect in
    ip addr WAN_IP...
    WAAS:
    primary-interface GigabitEthernet 1/0
    interface GigabitEthernet 1/0
    ip address 10.x.y.9 255.255.252.0 (and .7 for the second WAVE)
    interface InlineGroup 1/1
    shutdown
    wccp router-list 1 10.x.y.1
    wccp tcp-promiscuous router-list-num 1 l2-redirect l2-return
    wccp version 2
    When I do the following on the router:
    show ip wccp 61 detail
    or show ip wccp 62 detail
    I see:
    WCCP Client information:
            WCCP Client ID:          10.x.y.7
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Assignment:              HASH
            Initial Hash Info:       00000000000000000000000000000000
                                     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
            Assigned Hash Info:      FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                     00000000000000000000000000000000
            Hash Allotment:          128 (50.00%)
            Packets s/w Redirected:  103912
            Connect Time:            03:34:05
            GRE Bypassed Packets
              Process:               0
              CEF:                   0
              Errors:                0
            WCCP Client ID:          10.x.y.9
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Assignment:              HASH
            Initial Hash Info:       FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                                     00000000000000000000000000000000
            Assigned Hash Info:      00000000000000000000000000000000
                                     FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
            Hash Allotment:          128 (50.00%)
            Packets s/w Redirected:  0
            Connect Time:            01:46:24
            GRE Bypassed Packets
              Process:               0
              CEF:                   0
              Errors:                0
    On the WAAS, the WCCP Assignment Settings for Load Balancing is the default: Hash. (Hash on Source IP (Service 61):)
    the Egress Method is IP forwarding
    I have several connections from different source IP addresses and somehow they all end up hashed on the same WAE:
    ConnID        Source IP:Port          Dest IP:Port            PeerID          Accel     RR
       360          10.x.y.3:49463   10.q.w.36:52732      xx:xx:xx:xx:xx:xx TMDL  16.1%
       373          10.x.y.4:55005   10.q.w.36:52732      xx:xx:xx:xx:xx:xx TMDL  24.8%
    I checked in several places and read the best practices; the router platform support... and it seems that the config is OK
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps6870/white_paper_c11-608042.html
    Any ideas?
    Thanks,
    Patrick

    Although it is recommended to use HASH for 2900 series routers, I just switched to MASK method for load balancing on both WAVE devices. This is supported according to Cisco doc. It seems that connections are now being accelerated by both WAVEs.
    The behaviour is a bit weird though, connections are first being sent to one WAE then they show up as passthrough on it for a quick second and after that they get treated by the second wave!
    I also see this behaviour when looking at the counters on the router, the counters went up to 274 packets on one router and are no longer changing although new connections are being treated, while the other router has a lot more packets:
    ROUTER#show ip wccp 61 detail
    WCCP Client information:
            WCCP Client ID:          10.x.y.7
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:      274
            Connect Time:            01:49:58
            Assignment:              MASK
            Mask  SrcAddr    DstAddr    SrcPort DstPort
            0000: 0x00000F00 0x00000000 0x0000  0x0000
            Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
            0008: 0x00000800 0x00000000 0x0000  0x0000
            0009: 0x00000900 0x00000000 0x0000  0x0000
            0010: 0x00000A00 0x00000000 0x0000  0x0000 
            0011: 0x00000B00 0x00000000 0x0000  0x0000 
            0012: 0x00000C00 0x00000000 0x0000  0x0000 
            0013: 0x00000D00 0x00000000 0x0000  0x0000 
            0014: 0x00000E00 0x00000000 0x0000  0x0000
            0015: 0x00000F00 0x00000000 0x0000  0x0000
            WCCP Client ID:          10.x.y.9
            Protocol Version:        2.0
            State:                   Usable
            Redirection:             L2
            Packet Return:           L2
            Packets Redirected:      100788
            Connect Time:            01:49:56
            Assignment:              MASK
            Mask  SrcAddr    DstAddr    SrcPort DstPort
            0000: 0x00000F00 0x00000000 0x0000  0x0000
            Value SrcAddr    DstAddr    SrcPort DstPort CE-IP
            0000: 0x00000000 0x00000000 0x0000  0x0000 
            0001: 0x00000100 0x00000000 0x0000  0x0000 
            0002: 0x00000200 0x00000000 0x0000  0x0000 
            0003: 0x00000300 0x00000000 0x0000  0x0000 
            0004: 0x00000400 0x00000000 0x0000  0x0000
            0005: 0x00000500 0x00000000 0x0000  0x0000 
            0006: 0x00000600 0x00000000 0x0000  0x0000 
            0007: 0x00000700 0x00000000 0x0000  0x0000 
    Any ideas?
    Maybe I should've just clustered the WAVEs inline...

  • ACLs never apply to traffic generated by the router

    http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
    "Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
    Is it (the return packet, however, will be blocked as usual) the case all the time ? if it is the case could you please explain ?

    Thanks Rick,,,I need some clarification about the below scenario please:
    suppose I have got R1 (one of many routers) with two interfaces serial0/0 and e0/0,,,the ip address for serial0/0 192.168.0.1/24
    the ip address for e0/0 172.16.0.1/16.
    R1(config)#access-list 101 deny ip any any
    R1(config)#interface serial 0/0
    R1(config-if)#ip access-group 101 out
    R1(config)#access-list 150 deny ip any any
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip access-group 150 in
    Now we satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
    1- ((The inbound ACL will deny all traffic)).
    This is obvious because when any packet tries to enter the router R1, the ACL will check both IP addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the condition of the ACL, it will be dropped.
    2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
    The first part (In this case the outbound ACL can deny transit traffic) is fine; the second one, which is "but can not deny packets generated by the router which will be transmitted", is where my understanding is this: when packets are generated by router R1, these packets have a source IP address and a destination IP address.
    The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be denied?

  • Traffic not returning to remote VPN connections

    I've successfully setup remote VPN connections to my ASA using vpnc as the client and everything behaves as expected. I'm trying to test the official Cisco client and I'm unable to make the same SSH connections across the VPN as I was using vpnc.
    The ASA shows connections the IKE and IPSec connections forming, and shows connections being built for the SSH traffic across the VPN.
    tcpdump shows the host listening on SSH behind the ASA receiving the traffic and sending ACKs in reply. They don't appear to be arriving back at the remote client though, and SSH connections time out without connecting.
    Any idea what might be stopping the return traffic? I thought it might be some policy the ASA is pushing out to the Cisco client but not to vpnc but I can't spot anything obvious.

    Is the internal SSH host you are connecting to sending ACKs (as you've stated), or SYN/ACKs?
    It might be nice to know if the TCP three way handshake is being completed, and subsequent packets are the issue, or if it's the initial TCP setup that is the issue.
    Perhaps there would be some benefit in confirming whether these packets are making it through the IPSec tunnel, though the ASA un-encapsulated, or not through the ASA at all.
    You could use Wireshark to look for un-encapsulated packets exiting the ASA.
    You could use Wireshark to capture the "pre-encapsulated" traffic being sent to the far side, and the "post-decapsulation" traffic returning from the far side, by capturing on the Cisco VPN Client virtual interface (Windows installation).
    Perhaps examine IPSec SA details on the ASA and look for errors.
    Perhaps logging on the internal interface ACL (log any packets denied) to identify whether the returning packets are being dropped.
