topic NAT RPF-check Failure in Network Security

NAT RPF-check Failure

ahmad82pkn — Tue, 12 Mar 2019 01:38:30 GMT

Hi Team.

i know in Cisco PIX til 8.2 OS, if i have Nat control disabled and ACL permitting connection from Low Secirity ( DMZ ) to High Secuurity (INSIDE) then connectino should be successful, and i dont need any STATIC identity nat of inside IP to be created.

But i have Cisco PIX 525 with Version 7.2(2)

Which is not allowing connection from DMZ to INSIDE , although nat control is disabled. and giving RFP check failure,

any thought?

PIT525PIXINET# sh running-config nat-control

no nat-cont

packet-tracer input dmZ tcp 192.168.85.4 65000 10.34.21.25 3389

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.0.0.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group DMZ in interface DMZ

access-list DMZ extended permit ip 192.168.85.0 255.255.255.0 any

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (DMZ) 1 access-list NATDMZ

match ip DMZ host 192.168.85.4 outside any

dynamic translation to pool 1 (38.43.45.5)

translate_hits = 33, untranslate_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 access-list NAT

match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0

dynamic translation to pool 1 (192.168.85.200)

translate_hits = 69899671, untranslate_hits = 7

Additional Information:

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

NAT RPF-check Failure

Jouni Forss — Fri, 03 May 2013 23:47:59 GMT

Hi,

Can you share the output of the following commands

show run global 1

show run nat 1

show access-list NAT-DMZ

show access-list NAT

Or alternatively show the whole running configuration.

To me it seems you have Dynamic Policy NAT/PAT configurations from "inside" to "dmz" that are causing problems.

In other words the direction "dmz" -> "inside" is fine, but on the way back "inside" -> "dmz" the traffic does hit a certain NAT rule and because of this it fails

This is causing the problems

nat (inside) 1 access-list NAT

match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0

Return traffic from "inside" to "dmz" is matching this Dynamic Policy NAT/PAT rule on the way back and the connection fails.

I guess the easiest way to look at this would be the whole configuration.

- Jouni

NAT RPF-check Failure

Jouni Forss — Fri, 03 May 2013 23:49:52 GMT

One possible solution is to configure Static Identity NAT for this single "inside" IP address to "dmz"

Or you will have to configure some NAT0 configure for this host.

OR you will have to remove the Dynamic Policy NAT/PAT towards the "dmz" interface.

- Jouni

NAT RPF-check Failure

ahmad82pkn — Sat, 04 May 2013 00:03:08 GMT

is it true in 7.2 OS that if i access inside machine 10.34.21.25 from DMZ. then response from INSIDE to DMZ should have 10.34.21.25 as Source IP in return packet?

what happening is i have a NAT rule that PAT allw traffic from 10.x.x.x (inside) to 192.168.85.200 when going to DMZ.

so when a reply is coming from inside machine 10.34.21.25 it is changed to 192.168.85.200 and firewall doesnt like it because packet was destined for 10.34.21.25 and on way back from inside to DMZ source has become 192.168.85.200 PAT IP.

if thats how firewall suppose to work, expecting same IP in source on way back form INSIDE to DMZ then i guess thats the problem.. am i right?

Re: NAT RPF-check Failure

Jouni Forss — Sat, 04 May 2013 00:13:04 GMT

Hi,

When we are looking at the connection initiation from "dmz" to "inside" the traffic DOESNT match any NAT rule.

When the reply/return traffic from the "inside" to "dmz" is coming through the firewall it matches a Dynamic Policy PAT configuration

global (DMZ) 1 192.168.85.200

nat (inside) 1 access-list DMZNAT

global (DMZ) 1 interface

nat (inside) 1 access-list DMZNAT

If you dont want to remove any existing NAT rules you might need to configure NAT0 for example if the host IP addresses used in the "packet-tracer" command are the only IP addresses that need to communicate with eachother

access-list DMZ-NAT0 permit ip host 192.168.85.4 host 10.34.21.35

nat (DMZ) 0 access-list DMZ-NAT0

Naturally the host is expecting to receive the reply to the connection from the IP address to which it attempted to form the connection.

- Jouni

NAT RPF-check Failure

ahmad82pkn — Sat, 04 May 2013 00:20:56 GMT

thank you for both of you, actually there were few firewalls in organization and on few only allowing ACL makes the connection and on few we need to create static identity nat + ACL.

and on few with only ACL its not working due to above issue of RFP check, so all concepts were mixed, i was clarifying all stuff, your answeres helped in clearing my understanding.

thank you very much.

NAT RPF-check Failure

Jouni Forss — Sat, 04 May 2013 00:23:46 GMT

Hi,

Glad to be of help

- Jouni