https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281681#M345321 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>That did the trick.&nbsp; </P><P></P><P>Thanks</P><P></P><P>Jerry</P></BODY></HTML> Fri, 02 Aug 2013 20:38:11 GMT jerry.henzel 2013-08-02T20:38:11Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281668#M345308 <P>Hello</P><P></P><P><SPAN>Following </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml" target="_blank">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bf150c.shtml</A><SPAN> to get access to a webserver on my internal zone.</SPAN></P><P></P><P>Right now I cannot get the ASA to translate 443 from the outside to an internal IP.&nbsp; </P><P></P><P>Access going out is fine.&nbsp; I can capture the packets and see them coming in on the outside via 443.&nbsp; </P><P></P><P>Anyone with suggestions.&nbsp; Thanks</P><P></P><P>Jerry</P><P></P><P>PS - Config file attached</P><P></P><P></P><P>Packet-tracer shows:</P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 192.168.16.0&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group outside_www in interface outside</P><P>access-list outside_www extended permit tcp any object db1 eq https </P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 6</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Type: VPN</P><P>Subtype: ipsec-tunnel-flow</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 8</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group db1_pci out interface inside</P><P>access-list db1_pci extended permit ip any any </P><P>Additional Information:</P><P></P><P></P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: DROP</P><P>Config:</P><P>object network riverroad_inside</P><P> nat (inside,outside) dynamic interface</P><P>Additional Information:</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P></P><P>Detailed output shows</P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 192.168.16.0&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group outside_www in interface outside</P><P>access-list outside_www extended permit tcp any object db1 eq https </P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 6</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>Type: VPN</P><P>Subtype: ipsec-tunnel-flow</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 8</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group db1_pci out interface inside</P><P>access-list db1_pci extended permit ip any any </P><P>Additional Information:</P><P></P><P></P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: DROP</P><P>Config:</P><P>object network riverroad_inside</P><P> nat (inside,outside) dynamic interface</P><P>Additional Information:</P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P> Tue, 12 Mar 2019 02:20:34 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281668#M345308 jerry.henzel 2019-03-12T02:20:34Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281669#M345309 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are you sure you are targetting the public IP address?</P><P></P><P>It seems to me that you might be attempting to target the servers local IP address in the "packet-tracer" command according to the output</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 01 Aug 2013 22:01:51 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281669#M345309 Jouni Forss 2013-08-01T22:01:51Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281670#M345310 <HTML><HEAD></HEAD><BODY><P>Hi Jouni</P><P></P><P>I ran&nbsp; packet-tracer input outside tcp 1.2.3.4 443&nbsp; 192.168.16.32 443 det with the corresponding output below</P><P></P><P>Thanks</P><P></P><P>Jerry</P><P></P><P></P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcbd63380, priority=13, domain=capture, deny=false</P><P> hits=147540, user_data=0xcbd8f9b8, cs_id=0x0, l3_type=0x0</P><P> src mac=0000.0000.0000, mask=0000.0000.0000</P><P> dst mac=0000.0000.0000, mask=0000.0000.0000</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcb15acf8, priority=1, domain=permit, deny=false</P><P> hits=2188941, user_data=0x0, cs_id=0x0, l3_type=0x8</P><P> src mac=0000.0000.0000, mask=0000.0000.0000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst mac=0000.0000.0000, mask=0100.0000.0000</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 192.168.16.0&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group outside_www in interface outside</P><P>access-list outside_www extended permit tcp any object db1 eq https </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcbd35cf8, priority=13, domain=permit, deny=false</P><P> hits=14, user_data=0xc917a560, cs_id=0x0, use_real_addr, flags=0x0, protocol=6</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=192.168.16.32, mask=255.255.255.254, port=443, tag=0, dscp=0x0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcaa8c5a0, priority=0, domain=nat-per-session, deny=false</P><P> hits=69418, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=any, output_ifc=any</P><P></P><P></P><P>Phase: 6</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcb160598, priority=0, domain=inspect-ip-options, deny=true</P><P> hits=60891, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 7</P><P>Type: VPN</P><P>Subtype: ipsec-tunnel-flow</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcbaae4d0, priority=13, domain=ipsec-tunnel-flow, deny=true</P><P> hits=499, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 8</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group db1_pci out interface inside</P><P>access-list db1_pci extended permit ip any any </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> out id=0xcb254968, priority=13, domain=permit, deny=false</P><P> hits=2442, user_data=0xc9179ca0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=any, output_ifc=inside</P><P></P><P></P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: DROP</P><P>Config:</P><P>object network riverroad_inside</P><P> nat (inside,outside) dynamic interface</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> out id=0xcb248478, priority=6, domain=nat-reverse, deny=false</P><P> hits=36, user_data=0xcb246c18, cs_id=0x0, use_real_addr, flags=0x0, protocol=0</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=192.168.16.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=outside, output_ifc=inside</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P><P></P><P></P><P>ASA1(config)# packet-tracer input outside tcp 1.2.3.4 443&nbsp; 192.168.16.32 443 det</P><P></P><P></P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcbd63380, priority=13, domain=capture, deny=false</P><P> hits=151421, user_data=0xcbd8f9b8, cs_id=0x0, l3_type=0x0</P><P> src mac=0000.0000.0000, mask=0000.0000.0000</P><P> dst mac=0000.0000.0000, mask=0000.0000.0000</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcb15acf8, priority=1, domain=permit, deny=false</P><P> hits=2191219, user_data=0x0, cs_id=0x0, l3_type=0x8</P><P> src mac=0000.0000.0000, mask=0000.0000.0000</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dst mac=0000.0000.0000, mask=0100.0000.0000</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 192.168.16.0&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group outside_www in interface outside</P><P>access-list outside_www extended permit tcp any object db1 eq https </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcbd35cf8, priority=13, domain=permit, deny=false</P><P> hits=15, user_data=0xc917a560, cs_id=0x0, use_real_addr, flags=0x0, protocol=6</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=192.168.16.32, mask=255.255.255.254, port=443, tag=0, dscp=0x0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 5</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcaa8c5a0, priority=0, domain=nat-per-session, deny=false</P><P> hits=69453, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=any, output_ifc=any</P><P></P><P></P><P>Phase: 6</P><P>Type: IP-OPTIONS</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcb160598, priority=0, domain=inspect-ip-options, deny=true</P><P> hits=60928, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 7</P><P>Type: VPN</P><P>Subtype: ipsec-tunnel-flow</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> in&nbsp; id=0xcbaae4d0, priority=13, domain=ipsec-tunnel-flow, deny=true</P><P> hits=500, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=outside, output_ifc=any</P><P></P><P></P><P>Phase: 8</P><P>Type: ACCESS-LIST</P><P>Subtype: log</P><P>Result: ALLOW</P><P>Config:</P><P>access-group db1_pci out interface inside</P><P>access-list db1_pci extended permit ip any any </P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> out id=0xcb254968, priority=13, domain=permit, deny=false</P><P> hits=2443, user_data=0xc9179ca0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=any, output_ifc=inside</P><P></P><P></P><P>Phase: 9</P><P>Type: NAT</P><P>Subtype: rpf-check</P><P>Result: DROP</P><P>Config:</P><P>object network riverroad_inside</P><P> nat (inside,outside) dynamic interface</P><P>Additional Information:</P><P> Forward Flow based lookup yields rule:</P><P> out id=0xcb248478, priority=6, domain=nat-reverse, deny=false</P><P> hits=37, user_data=0xcb246c18, cs_id=0x0, use_real_addr, flags=0x0, protocol=0</P><P> src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0</P><P> dst ip/id=192.168.16.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0</P><P> input_ifc=outside, output_ifc=inside</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Thu, 01 Aug 2013 22:13:15 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281670#M345310 jerry.henzel 2013-08-01T22:13:15Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281671#M345311 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You need to use the public IP address NOT the real IP address as the destination.</P><P></P><P>You are simulating a packet coming from the Internet towards the server so its destination IP address will naturally be the public IP address.</P><P></P><P>So change the destination IP address in the <STRONG>"packet-tracer"</STRONG> command to the public IP address you are using.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 01 Aug 2013 22:16:44 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281671#M345311 Jouni Forss 2013-08-01T22:16:44Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281672#M345312 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Got you. Think I am getting brain-dead today.</P><P></P><P>Looks better.&nbsp; Sounds like it points to an ACL issue</P><P></P><P>Thanks</P><P></P><P>Jerry</P><P></P><P>ASA1(config-network-object)# packet-tracer input outside tcp 66.208.204.49 443 192.168.16.32 443 </P><P></P><P></P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 192.168.16.0&nbsp;&nbsp;&nbsp; 255.255.255.0&nbsp;&nbsp; inside</P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Thu, 01 Aug 2013 22:35:07 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281672#M345312 jerry.henzel 2013-08-01T22:35:07Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281673#M345313 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The destination of the <STRONG>"packet-tracer"</STRONG> is still a Private IP address of 192.168.16.32</P><P></P><P>It should be whatever IP address is configured on the interface <STRONG>"outside"</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Thu, 01 Aug 2013 22:46:20 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281673#M345313 Jouni Forss 2013-08-01T22:46:20Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281674#M345314 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>You are saying I should be running <SPAN style="font-size: 10pt;"> packet-tracer input outside tcp 192.168.16.32 443 66.208.204.49 443</SPAN></P><P></P><P>Thanks</P><P></P><P>Jerry</P></BODY></HTML> Thu, 01 Aug 2013 22:53:52 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281674#M345314 jerry.henzel 2013-08-01T22:53:52Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281675#M345315 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You should be using some random source address that according to the ASAs routing table is located behind the <STRONG>"outside" </STRONG>interface.</P><P></P><P>As the destination address you should use the public IP address used for the server in the Static PAT configuration.</P><P></P><P>So something like</P><P></P><P><STRONG>packet-tracer input outside tcp 1.1.1.1 12345 <YOUR outside="" interface="" ip=""> 443</YOUR></STRONG></P><P></P><P>I am not sure what your actual server IP address is as you have masked that</P><P></P><P><STRONG>object network webserver-tcp443</STRONG></P><P><STRONG> host xx.xx.xx.xx</STRONG></P><P></P><P>When you are configuring Static PAT it should in the following format</P><P></P><P><STRONG>object network WEB-TCP443</STRONG></P><P><STRONG> host <LOCAL ip="" address=""></LOCAL></STRONG></P><P><STRONG> nat (inside,outside) static interface service tcp 443 443</STRONG></P><P></P><P>Provided ofcourse the server is found behind <STRONG>"inside"</STRONG> interface.</P><P></P><P>- Jouni</P></BODY></HTML> Thu, 01 Aug 2013 22:59:35 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281675#M345315 Jouni Forss 2013-08-01T22:59:35Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281676#M345316 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>So filling in the gaps then</P><P></P><P>my outside ip is 66.208.204.49</P><P>my inside ip for the webserver is 192.168.16.32</P><P></P><P>therefore:&nbsp; packet-tracer input outside tcp 1.1.1.1 12344 66.208.204.49 44</P><P></P><P>with the following config</P><P></P><P>object network webserver-tcp443</P><P> host <SPAN style="text-decoration: line-through;">66.208.204.49 </SPAN>&nbsp; <SPAN style="font-size: 10pt;">192.168.16.32 (edit typo)</SPAN></P><P></P><P> description Webserver on DB1</P><P></P><P></P><P> nat (inside,outside) static interface&nbsp; service tcp https https </P><P></P><P>Thanks</P><P></P><P>Jerry</P></BODY></HTML> Thu, 01 Aug 2013 23:21:39 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281676#M345316 jerry.henzel 2013-08-01T23:21:39Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281677#M345317 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>When I run that I get an ACL error</P><P></P><P>ASA1(config)# packet-tracer input outside tcp 1.1.1.1 12345&nbsp; 66.208.204.49 443</P><P></P><P></P><P></P><P>access-group outside_www in interface outside</P><P></P><P>access-list outside_www extended permit tcp any object webserver-tcp443 eq https </P><P></P><P></P><P>Jerry</P><P></P><P></P><P></P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 66.208.204.49&nbsp;&nbsp; 255.255.255.255 identity</P><P></P><P>Phase: 4</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: NP Identity Ifc</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Fri, 02 Aug 2013 00:01:46 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281677#M345317 jerry.henzel 2013-08-02T00:01:46Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281678#M345318 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>There should be a UN-NAT Phase as one of the very first phases.</P><P></P><P>So it seems to indicate that its not hitting the NAT rule still.</P><P></P><P>Can you remove this NAT rule</P><P></P><P><STRONG>nat (any,outside) source dynamic any interface inactive</STRONG></P><P></P><P>Even though its set as <STRONG>"inactive</STRONG>". Still its a NAT configuration you dont want to have at the very highest priority.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 02 Aug 2013 00:10:08 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281678#M345318 Jouni Forss 2013-08-02T00:10:08Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281679#M345319 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I removed it.&nbsp; Does not seem to have effect.&nbsp; I was playing with it from another example and then made it inactive.&nbsp;&nbsp; Do you think the order of some of the NAT rules might be causing this?&nbsp; </P><P></P><P>Thanks</P><P></P><P>Jerry</P><P></P><P>ASA1(config)# packet-tracer input outside tcp 1.1.1.1 12345&nbsp; 66.208.204.49 443</P><P></P><P></P><P>Phase: 1</P><P>Type: CAPTURE</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 3</P><P>Type: ROUTE-LOOKUP</P><P>Subtype: input</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P>in&nbsp;&nbsp; 66.208.204.49&nbsp;&nbsp; 255.255.255.255 identity</P><P></P><P>Phase: 4</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 5</P><P>Type: ACCESS-LIST</P><P>Subtype: </P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: NP Identity Ifc</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Fri, 02 Aug 2013 01:49:34 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281679#M345319 jerry.henzel 2013-08-02T01:49:34Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281680#M345320 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The traffic simply aint matching any NAT rule on the way.</P><P></P><P>Looking at your Manual NAT rules in the configuration it seems to me that most are "static" configurations with "destination" parameters so I dont see how any of them could override this NAT</P><P></P><P>I guess we can determine if any other NAT rule is causing this by configuring the NAT in the following way. Remove the previous Network Object NAT for the TCP/443 before configuring this</P><P></P><P><STRONG>object network SERVER</STRONG></P><P><STRONG> host 192.168.16.32</STRONG></P><P></P><P><STRONG>object service HTTPS</STRONG></P><P><STRONG> service tcp source eq 443</STRONG></P><P></P><P><STRONG>nat (inside,outside) 1 source static SERVER interface service HTTPS HTTPS</STRONG></P><P></P><P>This should also do Static PAT configuration even though I personally dont use this configuration format.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 02 Aug 2013 11:57:58 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281680#M345320 Jouni Forss 2013-08-02T11:57:58Z https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281681#M345321 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>That did the trick.&nbsp; </P><P></P><P>Thanks</P><P></P><P>Jerry</P></BODY></HTML> Fri, 02 Aug 2013 20:38:11 GMT https://community.cisco.com/t5/network-security/access-to-dmz-rpf-check-drop/m-p/2281681#M345321 jerry.henzel 2013-08-02T20:38:11Z