topic Hi, in Network Security

NAT Reverse Path Failure ASA55-6

D Blum — Tue, 12 Mar 2019 07:26:03 GMT

I am showing significant drops in NAT reverse failure and trying to figure out where the issue is.

Show ASP Drop

Flow is denied by configured rule (acl-drop) 6676289

NAT reverse path failed (nat-rpf-failed) 1075090

Objects

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Inside_Subnet
subnet 192.168.0.0 255.255.0.0
object network wls_sub
subnet 192.168.10.0 255.255.255.0
object network lan_sub
subnet 192.168.0.0 255.255.255.0
object network DMZ1
host 192.168.0.100
object network DMZ2
range 192.168.0.50
object network VPN
subnet 192.168.1.0 255.255.255.0
object network serv-1
host 192.168.0.100
object network serv-1-ext
host a.b.c.d
object network serv-1
host 192.168.0.50
object network serv-1-ext
host a.b.c.d
object network corp_inside
subnet 192.168.0.0 255.255.255.0
object-group network REMOTE_SUBNET
network-object 192.168.51.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0

ACL

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.10.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list acl-inside extended permit ip any any
access-list acl-inside extended permit icmp any any
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq https
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq imap4
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq 9833
access-list outside_access_in extended permit udp any host 192.168.0.100 eq 9833
access-list outside_access_in extended permit tcp any host 192.168.0.50 eq 3389
access-list outside_access_in extended permit udp any host 192.168.0.50 eq 3389
access-list Split-Tunnel standard permit 192.168.0.0 255.255.0.0
access-list internal_traffic extended permit ip 192.168.0.0 255.255.255.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list wifi_access_in extended permit ip interface wifi interface inside
access-list wifi_access_in extended permit ip interface inside interface wifi
access-list wifi_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list wifi_access_in extended permit ip 192.168.100.0 255.255.255.0 any

NAT

nat (inside,outside) source static Inside_Subnet Inside_Subnet destination static REM_SUB REM_SUB no-proxy-arp route-lookup
nat (wifi,outside) source static wls_sub wls_sub destination static REM_SUB REM_SUB no-proxy-arp route-lookup
nat (wifi,inside) source static wls_sub wls_sub destination static lan_sub lan_sub no-proxy-arp route-lookup
nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (inside,inside) source dynamic Inside_Subnet interface destination static serv-1-ext serv-1
nat (wifi,inside) source dynamic wls_sub interface destination static serv-1-ext serv-1
nat (outside,inside) source dynamic any interface destination static serv-1-ext serv-1
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp
nat (inside,wifi) source static lan_sub lan_sub destination static wls_sub wls_sub no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network serv-2
nat (inside,outside) static serv-2-ext
object network corp_inside
nat (outside,outside) dynamic interface
object network serv-1
nat (inside,outside) static serv-1-ext

Have you ever cleared these

Marius Gunnerud — Thu, 03 Mar 2016 05:40:05 GMT

Have you ever cleared these counters? issue the command "clear asp drop" and then monitor to see how fast this increments.

Could you post the actual log you are seeing please.

Please remember to select a correct answer and rate helpful posts

Hi D Blum,

Dinesh Moudgil — Thu, 03 Mar 2016 05:45:44 GMT

Hi D Blum,

Adding to what Marius said.
Would you be able to run a packet tracer for a specific source and destination IP and share the results.

I'd rather have these nat statments modifed to have the interfaces to make them more specific,

"nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN
nat (any,any) source static DMZ2 DMZ2
nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp"

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

This is after 10 seconds:

D Blum — Thu, 03 Mar 2016 05:48:28 GMT

This is after 10 seconds:

Frame drop:
No route to host (no-route) 2
Flow is denied by configured rule (acl-drop) 198
First TCP packet not SYN (tcp-not-syn) 22
TCP RST/FIN out of order (tcp-rstfin-ooo) 1
Slowpath security checks failed (sp-security-failed) 109
FP L2 rule drop (l2_acl) 177

Last clearing: 00:46:42 EST Mar 3 2016 by enable_15

Flow drop:
NAT reverse path failed (nat-rpf-failed) 104

Last clearing: 00:46:42 EST Mar 3 2016 by enable_15

Could you post the actual log

Marius Gunnerud — Thu, 03 Mar 2016 05:52:19 GMT

Could you post the actual log messages that you are seeing please.

Please remember to select a correct answer and rate helpful posts

What packet tracers would you

D Blum — Thu, 03 Mar 2016 06:21:19 GMT

What packet tracers would you recommend?

In what way would you make the nat statements for specific?

Thank you

I apologize when you say

D Blum — Thu, 03 Mar 2016 06:52:19 GMT

I apologize when you say actual log what are you referring too? The response above is the complete response from "show asp drop"

Here is current:

asa5506# show asp drop

Frame drop:
IPSEC tunnel is down (ipsec-tun-down) 1
No route to host (no-route) 206
Flow is denied by configured rule (acl-drop) 10662
First TCP packet not SYN (tcp-not-syn) 181
TCP RST/FIN out of order (tcp-rstfin-ooo) 18
TCP RST/SYN in window (tcp-rst-syn-in-win) 3
TCP packet failed PAWS test (tcp-paws-fail) 1
Slowpath security checks failed (sp-security-failed) 6529
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 2
DNS Inspect id not matched (inspect-dns-id-not-matched) 22
FP L2 rule drop (l2_acl) 8438

Last clearing: 00:46:42 EST Mar 3 2016 by enable_15

Flow drop:
NAT reverse path failed (nat-rpf-failed) 5232
Inspection failure (inspect-fail) 10

Last clearing: 00:46:42 EST Mar 3 2016 by enable_15

When I refer to log I mean

Marius Gunnerud — Fri, 04 Mar 2016 23:28:21 GMT

When I refer to log I mean the drops you would see in show log output. Are you experiencing any issues with connectivity in your network? or are you just seeing these ASP drops?

Please remember to select a correct answer and rate helpful posts

Hi,

Akshay Rastogi — Sun, 06 Mar 2016 10:30:53 GMT

Hi,

First of all, please make below changes if possible. Manual NAT always takes preference over Object NAT and they are always processed from TOP to Bottom. It doesn't process them on the basis of Dynamic or Static. It process as whichever comes first so also try to make Object NATs when you are not using 'destination' keyword or in other words, when you are not performing destination nat.

Also when you are using identity nat, then always use no-proxy-arp route-lookup

So..

nat (any,any) source static DMZ1 DMZ1 destination static VPN VPN no-proxy-arp route-lookup
nat (any,any) source static DMZ2 DMZ2 no-proxy-arp route-lookup

nat (any,outside) source dynamic VPN interface description VPN Access to Internet
nat (inside,inside) source dynamic Inside_Subnet interface destination static serv-1-ext serv-1
nat (wifi,inside) source dynamic wls_sub interface destination static serv-1-ext serv-1
nat (outside,inside) source dynamic any interface destination static serv-1-ext serv-1
nat (any,any) source static nonat nonat destination static nonat nonat no-proxy-arp no-proxy-arp route-lookup

Hope it would help.

Regards,

Akshay Rastogi

Remember to rate helpful hosts.

We are showing issues within

D Blum — Sun, 06 Mar 2016 17:04:16 GMT

We are showing issues within the network on connectivity. Primary NAS seems to work no issues when users on inside connection are using it only, but for some reason when a wireless user connects to it there then seems to be a lag for both the wireless and inside users trying to access that NAS. NAS is running Windows 2012 Storage Server.