ASA Packet Tracer results

thrtnastrx
Level 1

I have one configured NAT and ACL for RDP to a server. When I test with Packet Tracer the results show a dropped packet, but in reality the policies work properly. I can RDP from outside to inside no problem. Why does Packet Tracer show the test result as drop? Am I not performing the test properly?

packet-tracer input outside tcp 8.8.8.8 3389 172.16.20.33 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 172.16.20.33 using egress ifc inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object rdp any object Server1
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr
policy-map global_policy
description sfr
class sfr
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface Server1 service rdp rdp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


3 Replies

rmedvedev
Level 1
Accepted Solution

Hi!

You need to submit the outside mapped address/port in packet-tracer instead of the real address/port.

You need to specify the NATed IP of the server, not the private IP.  Then you should see a successful result.

--

Please remember to select a correct answer and rate helpful posts

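As an added example (not from the original thread), a small Python helper that parses packet-tracer phase output like the one posted above and flags the case the accepted answer describes: a NAT rpf-check drop when the test was run against the real inside address instead of the mapped one. The abridged sample and the private-address heuristic are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the packet-tracer run from the question, abridged to three of its seven phases.
SAMPLE_OUTPUT = """\
packet-tracer input outside tcp 8.8.8.8 3389 172.16.20.33 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
"""

# One phase block: "Phase: N / Type: X / Subtype: Y (may be empty) / Result: ALLOW|DROP".
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype: ?(.*)\nResult: (\S+)", re.M)
# The command itself: input ifc, protocol, src ip, src port, dst ip, dst port.
CMD_RE = re.compile(r"packet-tracer input (\S+) (\S+) (\S+) (\d+) (\S+) (\d+)")

def parse_phases(text):
    """Return a list of (phase, type, subtype, result) tuples in output order."""
    return [(int(n), t, s.strip(), r) for n, t, s, r in PHASE_RE.findall(text)]

def first_drop(text):
    """Return the first phase whose Result is DROP, or None if every phase allowed."""
    for phase in parse_phases(text):
        if phase[3] == "DROP":
            return phase
    return None

def diagnose(text):
    """Explain the drop; special-cases an inbound rpf-check drop against a real (private) address."""
    drop = first_drop(text)
    if drop is None:
        return "allowed"
    cmd = CMD_RE.search(text)
    ifc, dst = cmd.group(1), ipaddress.ip_address(cmd.group(5))
    # Heuristic (assumption): a private destination entered on the outside interface is the
    # server's real address, which the static NAT's reverse-path check rejects; test the mapped one.
    if drop[1] == "NAT" and drop[2] == "rpf-check" and ifc == "outside" and dst.is_private:
        return "rpf-check drop: %s is the real address; rerun with the mapped (public) address" % dst
    return "drop in phase %d (%s/%s)" % (drop[0], drop[1], drop[2])
```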

Francesco Molino
VIP Alumni

Hi

You get a final drop because it seems that you have an asymmetrical NAT issue.

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

EDIT: I didn't look at your command, and everyone is right: you need to put your public IP and you'll have a successful result instead of an rpf-check drop.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question