cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


1303
Views
0
Helpful
3
Replies
Highlighted
Beginner

ASA Packet Tracer results

I have one configured NAT and ACL for RDP to a server.  When I test with Packet Tracer the results show a dropped packet, but in reality the policies work properly.  I can RDP from outside to inside no problem.  Why does Packet Tracer show the test as result as drop?  Am I not performing the test properly?

packet-tracer input outside tcp 8.8.8.8 3389 172.16.20.33 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.20.33 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object rdp any object Server1
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr
policy-map global_policy
description sfr
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Hi!

Hi!

You need to submit outside mapped address/port in packet tracer instead of real address/port

3 REPLIES 3
Beginner

Hi!

Hi!

You need to submit outside mapped address/port in packet tracer instead of real address/port

VIP Advocate

You need to specify the NATed

You need to specify the NATed IP of the server, not the private IP.  Then you should see a successful result.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to rate and select a correct answer
VIP Advisor

Hi

Hi

You get a final drop because it seems that you have an asymmetrical nat issue. 

thanks

PS: Please don't forget to rate and b mark as correct answer if this answered your question

EDIT: i didn't looked on your command and everyone is right, you need to put your public IP and you'll have a success result instead of rpf-check drop


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question