topic Re: Reg packet tracer in Network Security

Reg packet tracer

ankurs2008 — Mon, 11 Mar 2019 17:56:32 GMT

Hi halijenn / pkampana / all

A sample output of packet tracer is as follows

Please let me know what is the exact meaning of the following type of NAT Outputs

Type: NAT
Subtype: host-limits

Type: NAT
Subtype: rpf-check

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
match ip moon any aviod any
    dynamic translation to pool 1 (172.17.10.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4cef4b8, priority=1, domain=nat, deny=false
        hits=2746, user_data=0x4cef448, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (moon) 1 0.0.0.0 0.0.0.0
match ip moon any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4ceeda8, priority=1, domain=host, deny=false
        hits=9082, user_data=0x4ceeb98, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (aviod) 1 0.0.0.0 0.0.0.0
match ip aviod any moon any
    dynamic translation to pool 1 (10.0.0.2)
    translate_hits = 86, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4cf41a8, priority=1, domain=nat-reverse, deny=false
        hits=2746, user_data=0x4cf4008, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: moon
input-status: up
input-line-status: up
output-interface: aviod
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Reg packet tracer

Panos Kampanakis — Wed, 09 Jun 2010 00:02:45 GMT

This is probably because your packets hit a rule inbound but the return traffic will hit another one.

Is it ASA 8.3?

Check the order of your nat statements and which ones you would hit for forward and backwards flow.

Re: Reg packet tracer

ankurs2008 — Wed, 09 Jun 2010 00:57:58 GMT

thanks for the response . please find attached the config containing the nat order .Also i need to know the meaning of host-limits over here as well as

rpf-check.The ASA Software version is 7.2(3)

Type: NAT
Subtype: host-limits

Type: NAT
Subtype: rpf-check

Re: Reg packet tracer

ankurs2008 — Wed, 09 Jun 2010 23:14:46 GMT

please look into this and reply to my query

Re: Reg packet tracer

ankurs2008 — Thu, 10 Jun 2010 22:12:38 GMT

hi all

need urgent help on this , can anyone please explain my query

Re: Reg packet tracer

edadios — Thu, 10 Jun 2010 22:59:20 GMT

The poroblem I see is that moon and aviod are same security interface, but you are also doing nat 1 for everything from either interface and also have global 1 configured.

One thing you can try is to create an identity NAT to itself for traffic going from either interface.

static (moon,aviod) 10.0.0.0 10.0.0.0 netmask 255.255.0.0

static ( aviod,moon) 172.17.10.0 172.17.10.0 255.255.255.0

then do clear xlate. and try again.

If there is still problems, you can think of changing the sequence numbers you are using for the nat and global for the moon and the aviod interface, so they are not doing dynamic nat when going between interface.

rpf is reverse path forwarding check

host limit is the number of host limit for nat

Regards,