Subtype: rpf-check - drop on NAT ASA 8.4

pemasirid — Mon, 11 Mar 2019 21:21:30 GMT

Hi,

We have following static PAT configured on ASA (ver 8.4), we can telnet from outside to the nated local ip address, however when we do the packet-trace from outside interface it got drop at the NAT rule level (see bellow), however when we do the packet-trace from inside it allowed every steps. Also we cant telnet from one of the outside ip address which is in the same subnet of outside interface, however we can telnet from anywhere outside (from the internet).

below is the nat/acl configuraiton

--------------------------------------------

object network inside-net

nat (inside,outside) dynamic interface

object network inside-net2

nat (inside,outside) dynamic interface

object network ue

nat (inside,outside) static interface service tcp telnet telnet

object network ue-ssh

nat (inside,outside) static interface service tcp ssh ssh

access-list outside extended permit ip any host 172.20.4.187 log

Below is the packet-tracer output

---------------------------------------------

XXX-SA5550-CORP-INT-F03# packet-tracer input outside tcp 78.101.207.81 telnet 172.20.4.187 telnet detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 172.20.4.184 255.255.255.248 inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside in interface outside

access-list outside extended permit ip any host 172.20.4.187 log

Additional Information:

Forward Flow based lookup yields rule:

in id=0x242d17c8, priority=13, domain=permit, deny=false

hits=140, user_data=0x1d9ef140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=172.20.4.187, mask=255.255.255.255, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x2485deb0, priority=0, domain=inspect-ip-options, deny=true

hits=21884, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 4

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x24a6d280, priority=20, domain=lu, deny=false

hits=139, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network ue

nat (inside,outside) static interface service tcp telnet telnet

Additional Information:

Forward Flow based lookup yields rule:

out id=0x242d87d0, priority=6, domain=nat-reverse, deny=false

hits=101, user_data=0x254e8d58, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=172.20.4.187, mask=255.255.255.255, port=23, dscp=0x0

input_ifc=outside, output_ifc=inside

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Here is show xlate outuput

--------------------------------------

XXXX-ASA5550-CORP-INT-F03# sh xlate

3 in use, 114 most used

Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice

TCP PAT from inside:172.20.4.187 23-23 to outside:78.100.72.220 23-23

flags sr idle 0:00:42 timeout 0:00:00

TCP PAT from inside:172.20.4.187 22-22 to outside:78.100.72.220 22-22

flags sr idle 0:13:03 timeout 0:00:00

So my questions again are:

why is the packet tracer failed even I can telent from outside to inside nated ip..?

why im not able to telnet from the same subnet of ASA outside interface, it shouldn't i considered as one of the outside IPs?.

Appreciate if some one can advise on this please.

thanks in advance

Subtype: rpf-check - drop on NAT ASA 8.4

pemasirid — Wed, 07 Sep 2011 21:03:52 GMT

Hi,

We figured out the packet-tracer drop issue, that was actualy due to our destination IP address. We used the real ip instead of Nated IP.

However with the same static PAT I cant still telnet from a source as with the same subnet IP address.?.

object network ue

nat (inside,outside) static interface service tcp telnet telnet

** assume outside interface ip is 10.10.10.220 and I'm tring to telnet from a source ip as 10.10.10.218. If the ACL is allowed as "access-list outside extended permit ip any host 172.20.4.187" why can't I telnet with the source ip from the same subnet from outside interface ip address..?

thanks

Subtype: rpf-check - drop on NAT ASA 8.4

Peter Long — Tue, 14 Jan 2014 09:13:04 GMT

Yes Its use of the NATTED (Translated) IP Address that does this, I had this very problem today.

Packet-Tracer Fails Phase 7 Subtype: rpf-check Result: DROP

Pete

Subtype: rpf-check - drop on NAT ASA 8.4

prateeve — Tue, 14 Jan 2014 14:13:34 GMT

Hi,

By default , you are not allowed to telnet the lowest security interface of ASA. That's the security feature of ASA.

- Prateek Verma

topic Subtype: rpf-check - drop on NAT ASA 8.4 in Network Security

Subtype: rpf-check - drop on NAT ASA 8.4

Subtype: rpf-check - drop on NAT ASA 8.4

Subtype: rpf-check - drop on NAT ASA 8.4

Subtype: rpf-check - drop on NAT ASA 8.4