ASA Packet Tracer results

thrtnastrx
Level 1

I have configured one NAT and ACL for RDP to a server.  When I test with Packet Tracer the results show a dropped packet, but in reality the policies work properly.  I can RDP from outside to inside with no problem.  Why does Packet Tracer show the test result as a drop?  Am I not performing the test properly?

packet-tracer input outside tcp 8.8.8.8 3389 172.16.20.33 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.20.33 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object rdp any object Server1
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr
policy-map global_policy
description sfr
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


3 Replies

rmedvedev
Level 1

Hi!

You need to submit outside mapped address/port in packet tracer instead of real address/port

You need to specify the NATed IP of the server, not the private IP.  Then you should see a successful result.

--

Please remember to select a correct answer and rate helpful posts

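The replies above make two points: the drop happens in the NAT rpf-check phase, not in the access-list phase, and the fix is to run packet-tracer against the mapped (public) address rather than the server's private address. The following script is an added example, not code from the thread or from Cisco: it parses packet-tracer output into its phases, reports the first phase that returned DROP together with the config line that produced it, and rewrites the original command to use the mapped address. The sample input is the original poster's output trimmed to phases 3 and 7 plus the summary, and 203.0.113.10 is a constructed placeholder for the outside interface IP, which the thread does not state.

```python
"""Parse Cisco ASA packet-tracer output and locate the phase that dropped the flow.

Added example, not code from the thread or from Cisco. SAMPLE_OUTPUT is the
poster's output trimmed to phases 3 and 7 plus the summary; 203.0.113.10 is a
constructed placeholder for the outside interface IP, which the thread omits.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the poster's packet-tracer output, trimmed.
SAMPLE_OUTPUT = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object rdp any object Server1
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)


def parse_phases(text: str) -> list[Phase]:
    """Split packet-tracer output into Phase records, stopping at the final summary."""
    phases: list[Phase] = []
    current = None
    in_config = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = Phase(number=int(line.split(":", 1)[1]))
            phases.append(current)
            in_config = False
        elif current is None:
            continue
        elif line.startswith("Result:"):
            value = line.split(":", 1)[1].strip()
            if not value:  # a bare "Result:" opens the summary block; phases are over
                current = None
            else:
                current.result = value
        elif line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            in_config = True
        elif line.startswith("Additional Information:"):
            in_config = False
        elif in_config and line:
            current.config.append(line)
    return phases


def first_drop(phases: list[Phase]):
    """Return the first phase whose Result is DROP, or None if every phase allowed."""
    return next((p for p in phases if p.result == "DROP"), None)


def corrected_command(command: str, mapped_ip: str) -> str:
    """Rewrite 'packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>' so the
    destination is the mapped (outside) address, as the replies advise."""
    tokens = command.split()
    if len(tokens) < 8 or tokens[:2] != ["packet-tracer", "input"]:
        raise ValueError("expected: packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>")
    tokens[6] = mapped_ip  # destination address is the seventh token
    return " ".join(tokens)


if __name__ == "__main__":
    drop = first_drop(parse_phases(SAMPLE_OUTPUT))
    if drop is not None:
        print(f"Dropped in phase {drop.number}: {drop.type}/{drop.subtype}")
        for cfg in drop.config:
            print("  " + cfg)
    original = "packet-tracer input outside tcp 8.8.8.8 3389 172.16.20.33 3389"
    print(corrected_command(original, "203.0.113.10"))  # placeholder mapped IP
```

Run against the full output from the question, the script reports phase 7 (NAT/rpf-check) and prints the nat line that triggered it, which is the quick way to see that the access-list in phase 3 was never the problem. Replace the placeholder with your actual outside interface address (the "interface" keyword in the nat statement) when rebuilding the command.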

Francesco Molino
VIP Alumni

Hi

You get a final drop because it seems that you have an asymmetrical nat issue. 

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

EDIT: I didn't look at your command, and everyone is right: you need to put your public IP and you'll get a success result instead of the rpf-check drop


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question