topic ASA rpf-check DROP in Network Security

ASA rpf-check DROP

3moloz123 — Tue, 12 Mar 2019 01:16:08 GMT

Hi,

Since a day ago or so I managed to somehow break all my forwarded ports. The error is "rpf-check", as if the packet would take a different way out but I fail to see how that could be the case. Can anyone share som insight in this?

# my ext-ip and internal server

object network someserver

host 10.0.0.240

object network ext-ip

host 201.201.28.20

# destination nat 8080 on ext-ip to someservers 8080, tcp.

object network someserver

nat (inside,outside) static ext-ip service tcp 8080 8080

nat (inside,outside) after-auto source dynamic any ext-ip

# Make sure it's first of the ACLs for debugging when ingressing "outside" interface (have no idea how hitcnt=1, I keep testing repeatedly from an external host but the counter doesn't increment)

access-list outside_access_in line 1 extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable 0xaf785b68

access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq www log disable (hitcnt=0) 0xbfcabb69

access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq 8080 log disable (hitcnt=1) 0x8c1c69ed

# Make sure it's first of the ACLs for debugging when egressing "inside" interface

access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5 0xf82e5cf9

access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq www (hitcnt=0) 0x53d6c9d3

access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq 8080 (hitcnt=0) 0x09b88225

# show run nat show no hits

1 (inside) to (ownit) source static skotertech mobenga-ownit-ext-ip service tcp 8080 8080

translate_hits = 0, untranslate_hits = 0

# a packet-tracer claims it's allowed, but rpf-check fails. Verified on "someserver" using tcpdump that no packets ever reach it

asa# packet-tracer input outside tcp 5.6.129.90 50565 10.0.0.240 8080 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc9eb6d70, priority=1, domain=permit, deny=false

hits=23728394646, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.0.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable

object-group service DM_INLINE_TCP_2 tcp

group-object http

port-object eq 8080

Additional Information:

Forward Flow based lookup yields rule:

in id=0xca788920, priority=13, domain=permit, deny=false

hits=1, user_data=0xc7d9dcb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc9eb94d0, priority=0, domain=inspect-ip-options, deny=true

hits=526056144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc9f4a2a0, priority=20, domain=lu, deny=false

hits=31373932, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xccdb1760, priority=18, domain=flow-export, deny=false

hits=16814247, user_data=0xcbc65ed8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xca5e1990, priority=13, domain=ipsec-tunnel-flow, deny=true

hits=82465316, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_out out interface inside

access-list inside_access_out extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5

object-group service DM_INLINE_TCP_5 tcp

group-object http

port-object eq 8080

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc043d10, priority=13, domain=permit, deny=false

hits=1, user_data=0xc7d9d1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=any, output_ifc=inside

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network someserver

nat (inside,outside) static ext-ip service tcp 8080 8080

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc1e3190, priority=6, domain=nat-reverse, deny=false

hits=3, user_data=0xcc77b7c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=outside, output_ifc=inside

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ASA rpf-check DROP

Jouni Forss — Tue, 19 Mar 2013 10:52:21 GMT

Hi,

If you are coming from public network to your local LAN then the destination IP address of the "packet-tracer" cant be a private IP address.

Please use the Mapped IP address as the destination of the "packet-tracer" command and copy/paste the output here again.

As you can see the inbound direction of the "packet-tracer" test goes through without any sort of NAT phase. Yet when it checks the reverse direction for the private IP address that you used it will naturally hit the Static PAT rule.

Generally the configuration that breaks other NAT configurations on the new ASA 8.3+ software is done in the Section 1 as Twice NAT / Manual NAT.

I usually do all Static PAT and Static NAT and Object Network NAT in Section 2

- Jouni

Re: ASA rpf-check DROP

3moloz123 — Tue, 19 Mar 2013 22:26:37 GMT

OK, I thought I was supposed to use it like that because the ACLs are written not using the actual (public) IP but the mapped IP even on the external interface. A packet-tracer against the public IP and the port just gives a deny:

asa# packet-tracer input outside tcp 5.6.129.90 50565 201.201.28.20 8080 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc9eb6d70, priority=1, domain=permit, deny=false

hits=23767585144, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 201.201.28.16 255.255.255.248 outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc9fb59e8, priority=11, domain=permit, deny=true

hits=27734438, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Btw, the "show run nat show no hits" in my first post was not masked correctly. It's

# show run nat show no hits

1 (inside) to (outside) source static someserver ext-ip service tcp 8080 8080

translate_hits = 0, untranslate_hits = 0

Re: ASA rpf-check DROP

Julio Carvajal — Tue, 19 Mar 2013 23:12:38 GMT

Hello,

Can you add the following configuration

object service TEST

service tcp source eq 8080

exit

nat (inside,outside) 1 source static someserver network-ext-ip service TEST TEST

access-list outside_access_in line 1 permit tcp any host 10.0.0.240 eq 8080

access-group outside_access_in in interface outside

Run the packet tracer again and post the result

ASA rpf-check DROP

3moloz123 — Fri, 22 Mar 2013 13:56:43 GMT

The packet-tracer worked, also works for real. Can you offer an explanation, surely I must have done something wrong that I can learn from?

Re: ASA rpf-check DROP

Jouni Forss — Fri, 22 Mar 2013 14:04:56 GMT

Hi,

Basically to my understanding you first did your configuration with Network Object NAT and it worked and then after some NAT changes stopped working.

So far we havent seen the whole configuration when the problem was on so we can only guess what happened

If you added Julios suggested NAT configuration then the problem has been an added Section 1 NAT rule that broke the Network Object NAT rules originally.

Julios suggested Static PAT configuration that is inserted in line "1" of Section 1 would therefore override the problematic Section 1 rule that originally broke the Network Object NAT.

So this doesnt really correct the problematic configuration, just goes around it.

Generally this might happen if you use "any" parameter in the NAT configurations of Section 1 or possibly leave the "destination" configuration of Section 1 NAT blank.

But again I can only guess.

I just wrote a document on NAT 8.3+ if you want a better explanation about the new NAT format and operation, check it out

https://supportforums.cisco.com/docs/DOC-31116

- Jouni