01-25-2017 07:01 PM - edited 03-12-2019 01:50 AM
I have configured one NAT and ACL for RDP to a server. When I test with Packet Tracer the result shows a dropped packet, but in reality the policies work properly. I can RDP from outside to inside with no problem. Why does Packet Tracer show the test result as drop? Am I not performing the test properly?
packet-tracer input outside tcp 8.8.8.8 3389 172.16.20.33 3389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.20.33 using egress ifc inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object rdp any object Server1
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr
policy-map global_policy
description sfr
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
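Reading a long packet-tracer listing by eye is error-prone, and the closing Drop-reason is a generic code rather than a pointer to the phase that failed. The following is an added example, not code from the original post or from Cisco: a small parser for the plain-text phase layout shown above that returns the first phase whose Result is DROP and, for the NAT rpf-check case in this thread, the remediation the answers give. The sample trace is the question's own output, abridged to three phases plus the summary block.

```python
"""Parse Cisco ASA `packet-tracer` output and point at the phase that dropped the flow.

Added example for the thread above; it is not Cisco code and only handles the
plain-text phase layout shown in the question.
"""
import re

# Constructed sample: the trace posted in the question, abridged to three of its
# seven phases plus the closing summary. Line layout is unchanged.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object rdp any object Server1
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

_PHASE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_trace(text):
    """Return (phases, summary).

    phases:  list of dicts with phase, type, subtype, result and the config lines
    summary: the key/value lines that follow the bare 'Result:' header at the end
    """
    phases, summary = [], {}
    cur, section = None, None  # section is one of None, 'config', 'info', 'summary'
    for raw in text.splitlines():
        line = raw.strip()
        m = _PHASE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": []}
            phases.append(cur)
            section = None
            continue
        if cur is None:
            continue  # ignore anything before the first phase (e.g. the command echo)
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Result" and value == "":  # a bare 'Result:' opens the final summary
            section = "summary"
        elif section == "summary":
            if key:
                summary[key] = value
        elif key == "Type":
            cur["type"] = value
        elif key == "Subtype":
            cur["subtype"] = value
        elif key == "Result":
            cur["result"] = value
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section == "config" and line:
            cur["config"].append(line)  # config lines carry no colon, so they land here
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed the flow."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def diagnose(text):
    """Summarise the trace: which phase dropped, its config, and a hint for the NAT case."""
    phases, summary = parse_trace(text)
    drop = first_drop(phases)
    if drop is None:
        return {"action": summary.get("Action", "allow"), "phase": None, "hint": ""}
    hint = ""
    if drop["type"] == "NAT" and drop["subtype"] == "rpf-check":
        # The remediation given in the thread: test with the mapped address, not the real one.
        hint = ("NAT rpf-check failed: for a destination NAT, give packet-tracer the "
                "mapped (outside) address/port, not the real inside address/port")
    return {"action": summary.get("Action"), "phase": drop["phase"], "type": drop["type"],
            "subtype": drop["subtype"], "config": drop["config"],
            "drop_reason": summary.get("Drop-reason"), "hint": hint}


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Note that the summary's Drop-reason reads `(acl-drop)` even though the ACL phase allowed the packet; the phase listing, not the closing reason code, is what tells you that the NAT reverse-path check is the failing step.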
01-25-2017 11:08 PM
Hi!
You need to submit outside mapped address/port in packet tracer instead of real address/port
01-26-2017 12:11 AM
You need to specify the NATed IP of the server, not the private IP. Then you should see a successful result.
--
Please remember to select a correct answer and rate helpful posts
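To make the advice above concrete, here is an added example (not from the original thread or from Cisco) showing the wrong and the corrected packet-tracer invocation side by side, followed by the check that confirms the NAT rule was hit. The outside interface address 203.0.113.10, the ephemeral client source port, and the object definitions for Server1 and rdp are assumptions; only the nat line and the failing command are taken from the question.

```cisco
! Assumed (not from the thread): the outside interface holds 203.0.113.10, and the
! objects referenced by the posted NAT line are defined as follows.
object network Server1
 host 172.16.20.33
object service rdp
 service tcp destination eq 3389
!
! The twice-NAT rule from the question. Packets arriving on "outside" must carry the
! mapped destination (the outside interface address) for this rule to match; the
! real address 172.16.20.33 only exists after untranslation.
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
!
! Wrong test: real (inside) address as destination. No NAT rule maps a packet that
! arrives on outside with this destination, so the NAT rpf-check phase reports DROP.
packet-tracer input outside tcp 8.8.8.8 50000 172.16.20.33 3389
!
! Correct test: the mapped address and mapped port, i.e. what an Internet client
! actually sends. The trace should now end with Action: allow.
packet-tracer input outside tcp 8.8.8.8 50000 203.0.113.10 3389
!
! Confirm the rule was matched: its untranslate_hits counter increments after the
! corrected packet-tracer run (and after each real inbound RDP connection).
show nat
```

A real client uses an ephemeral source port, so the example uses 50000 rather than 3389 as the source port; the ASA does not require it, but it keeps the test faithful to the traffic you are actually troubleshooting.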
01-26-2017 04:37 AM
Hi
You get a final drop because it seems that you have an asymmetrical nat issue.
thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
EDIT: I didn't look at your command, and everyone is right: you need to put your public IP and you'll get a successful result instead of the rpf-check drop