topic Re: NAT RPF Drop Why?? in Network Security

NAT RPF Drop Why??

z08mjk2374 — Tue, 12 Mar 2019 02:20:16 GMT

I have a pair of Cisco Anyconnect phones that can't seem to route traffic over the vpn to each other. I get a NAT RPF-Drop. I had to put a manual NAT in for section 1 to prevent the source translation to outside IP. The interfaces seem to match up. The NAT should be bidirectional. I don't get it.

Code is 8.3(2).

NAT RPF Drop Why??

Jouni Forss — Thu, 01 Aug 2013 16:43:03 GMT

Hi,

What is the purpose of the "nat" configuration that the reverse check of NAT is hitting?

Seems that the first rule hit is somekind of general NAT0 rule for all the VPN Pools perhaps and the other one is a more specific one perhaps?

Is there a possibility of perhaps temporarily removing the "nat" configuration in the "rpf-check" IF that VPN network is also included in the "nat" configuration matched first?

I would also imagine that the first matched Manual NAT rule for this VPN traffic should be matched on both direction. So this might be a bug.

- Jouni

Re: NAT RPF Drop Why??

z08mjk2374 — Thu, 01 Aug 2013 16:55:18 GMT

Seems that the first rule hit is somekind of general NAT0 rule for all the VPN Pools perhaps and the other one is a more specific one perhaps?

Are you talking about the VPN process?

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x286ca438, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=75872441, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Does this "domain=ipsec-tunnel-flow, deny=true" mean that I've denied the VPN process? Is that the problem?

This is how it was processing packets prior to the manual NAT:

It still dies with RPF-Drop. I assumed the reason this broke was the translation to the external IP.

packet-tracer input outside udp 192.168.22.22 sip 192.168.22.30 sip

Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in-inet in interface outside
access-list in-inet extended permit ip 192.168.22.0 255.255.255.0 any log debugging
Additional Information:

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-192.168.22.0
nat (outside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.22.22/5060 to x.x.23.10/27750

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj-192.168.22.0
nat (outside,outside) dynamic interface
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

PHX5500/pri/act# packet-tracer input outside udp 172.31.2.22 sip 172.31.2.30 sip

Phase: 1

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group in-inet in interface outside

access-list in-inet extended permit ip 172.31.2.0 255.255.255.0 any log debugging

Additional Information:

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj-172.31.2.0

nat (outside,outside) dynamic interface

Additional Information:

Dynamic translate 172.31.2.22/5060 to 63.175.23.10/27750

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network obj-172.31.2.0

nat (outside,outside) dynamic interface

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: NAT RPF Drop Why??

Julio Carvajal — Thu, 01 Aug 2013 17:19:21 GMT

Hello,

Do you have any other NAT statement (outside,something)? Otherwise this nat will not be required.

Do you have the same-security-traffic command?

Do you have any split-tunnel-policy? If yes, are you allowing the Anyconnect Pool subnet IP address?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

NAT RPF Drop Why??

Jouni Forss — Thu, 01 Aug 2013 17:20:34 GMT

Hi,

I am not sure what that indicates. I have yet to see a Cisco document that would explain all the output. Especially since not all of the output give any explanation about what blocks some traffic.

What I just noticed in the "packet-tracer" output that you attached in the original post was that there was a mention of 2 different NAT rules

This (first match)

nat (outside,outside) source static VPN_basepool1 VPN_basepool1 destination static VPN_basepool1 VPN_basepool1 description Exempt VPN to VPN NAT

And this (rpf-check drop)

nat (outside,outside) source static VPN_pool VPN_pool destination static VPN_pool VPN_pool

So my question was mainly that is there a need for both of these?

Although I am not quite clear why it would match 2 different rules in this case I was wondering if the rule on which this traffic dropped was needed at all?

- Jouni

NAT RPF Drop Why??

z08mjk2374 — Thu, 01 Aug 2013 17:30:28 GMT

Do you have any other NAT statement (outside,something)? Otherwise this nat will not be required.

Yes. Nothing in the Manual NAT Section 1, though.

Do you have the same-security-traffic command?

Yes. same-security-traffic permit intra-interface

Do you have any split-tunnel-policy? If yes, are you allowing the Anyconnect Pool subnet IP address?

Nope. Tunnellall

NAT RPF Drop Why??

Julio Carvajal — Thu, 01 Aug 2013 17:33:02 GMT

Hello,

Okey can you share show run nat

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

NAT RPF Drop Why??

z08mjk2374 — Thu, 01 Aug 2013 17:34:08 GMT

There is one statement. Sorry for the confusion.

I did see this.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti90197

I don't think it applies to this specific case.

Re: NAT RPF Drop Why??

z08mjk2374 — Thu, 01 Aug 2013 17:44:22 GMT

Here is a sanitized sh run nat.

NAT RPF Drop Why??

Jouni Forss — Thu, 01 Aug 2013 17:47:27 GMT

Hi,

You could always try to move the Manual NAT rule to the very top of the NAT configurations in Section 1 and see if it makes any difference

no nat (outside,outside) source static VPN_basepool1 VPN_basepool1 destination static VPN_basepool1 VPN_basepool1 description Exempt VPN to VPN NAT

nat (outside,outside) 1 source static VPN_basepool1 VPN_basepool1 destination static VPN_basepool1 VPN_basepool1 description Exempt VPN to VPN NAT

Or if this is indeed some bug then perhaps updating the ASA to 8.4(x) or 9.x software level

- Jouni

NAT RPF Drop Why??

Julio Carvajal — Thu, 01 Aug 2013 17:58:59 GMT

Packet-tracer showing this:

hase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj-192.168.22.0

nat (outside,outside) dynamic interface

Additional Information:

Dynamic translate 192.168.22.22/5060 to x.x.23.10/27750

There is no

object network obj-192.168.22.0

nat (outside,outside) dynamic interface

On the configuration you sent me, did you remove that?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Re: NAT RPF Drop Why??

z08mjk2374 — Thu, 01 Aug 2013 18:59:14 GMT

Yes. I tried it both ways with the dynamic nat to the interface and the manual outside/outside and with just the outside/outside manual nat. Currently there is no dynamic nat in place.

Re: NAT RPF Drop Why??

Julio Carvajal — Thu, 01 Aug 2013 19:23:24 GMT

Hello,

Hmm and what does the packet-tracer shows without the object nat?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

NAT RPF Drop Why??

z08mjk2374 — Fri, 02 Aug 2013 17:53:19 GMT

I actually labbed this up this morning and here's what I found.

1) Running a verbatim config using 8.4(5) the nat worked properly and passed the traffic through the packet-tracer.

2) Running a verbatim config using 8.3(2) (same as the troubled firewall). I had similar results with the packet-tracer breaking communications.

3) Running a verbatim config using 8.3(2). I switched the nat statement to the very top of the manual nat

(as JouniForss suggested), and it worked.

4) Running a verbatim config using 8.3(2). I turned off all nat for the vpn pool (as jcarvaja suggested) and the connection worked.

NAT RPF Drop Why??

Jouni Forss — Fri, 02 Aug 2013 18:12:12 GMT

Hi,

I think the software version 8.3(1) and 8.3(2) are not very commonly used.

I only installed one firewall with such software at the begging when this new NAT format was introduced and after that every firewall were running some version of 8.4 and they had no problems.

So I have not faced this kind of problem before.

Seems there is some wierdnes or bug going on with the 8.3(2) software perhaps and I would imagine it would be better to move to even some 8.4(x) software as there are no huge changes. I think there might be some minor VPN related configuration format changes betweem 8.3 and 8.4 but nothing that considerable.

I guess there was some problem with the NAT ordering since just moving the rule to the top somehow corrected this situation even though it seemed to me that this should have been matched even without this.

So did you remove all NAT including the Dynamic PAT for Internet access for VPN clients and it worked? If so I guess this is how the new softwares work. If you have no matching NAT configurations for traffic in either direction, the traffic can go through without NAT as there is no "nat-control" in the ASA anymore.

Please do mark the correct replys if you feel they answered your question.

Or ask more if needed.

- Jouni