Hi,

Since a day ago or so I managed to somehow break all my forwarded ports. The error is "rpf-check", as if the packet would take a different way out but I fail to see how that could be the case. Can anyone share som insight in this?

# my ext-ip and internal server

object network someserver

host 10.0.0.240

object network ext-ip

host 201.201.28.20

# destination nat 8080 on ext-ip to someservers 8080, tcp.

object network someserver

nat (inside,outside) static ext-ip service tcp 8080 8080

nat (inside,outside) after-auto source dynamic any ext-ip

# Make sure it's first of the ACLs for debugging when ingressing "outside" interface (have no idea how hitcnt=1, I keep testing repeatedly from an external host but the counter doesn't increment)

access-list outside_access_in line 1 extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable 0xaf785b68

  access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq www log disable (hitcnt=0) 0xbfcabb69

  access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq 8080 log disable (hitcnt=1) 0x8c1c69ed

# Make sure it's first of the ACLs for debugging when egressing "inside" interface

access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5 0xf82e5cf9

  access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq www (hitcnt=0) 0x53d6c9d3

  access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq 8080 (hitcnt=0) 0x09b88225

# show run nat show no hits

1 (inside) to (ownit) source static skotertech mobenga-ownit-ext-ip service tcp 8080 8080

    translate_hits = 0, untranslate_hits = 0

# a packet-tracer claims it's allowed, but rpf-check fails. Verified on "someserver" using tcpdump that no packets ever reach it

asa# packet-tracer input outside tcp 5.6.129.90 50565 10.0.0.240 8080 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9eb6d70, priority=1, domain=permit, deny=false

hits=23728394646, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.0.0        255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log 

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable

object-group service DM_INLINE_TCP_2 tcp

group-object http

port-object eq 8080

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca788920, priority=13, domain=permit, deny=false

hits=1, user_data=0xc7d9dcb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9eb94d0, priority=0, domain=inspect-ip-options, deny=true

        hits=526056144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9f4a2a0, priority=20, domain=lu, deny=false

hits=31373932, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xccdb1760, priority=18, domain=flow-export, deny=false

hits=16814247, user_data=0xcbc65ed8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca5e1990, priority=13, domain=ipsec-tunnel-flow, deny=true

hits=82465316, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:      

access-group inside_access_out out interface inside

access-list inside_access_out extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5

object-group service DM_INLINE_TCP_5 tcp

group-object http

port-object eq 8080

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc043d10, priority=13, domain=permit, deny=false

hits=1, user_data=0xc7d9d1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=any, output_ifc=inside

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network someserver

nat (inside,outside) static ext-ip service tcp 8080 8080

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc1e3190, priority=6, domain=nat-reverse, deny=false

        hits=3, user_data=0xcc77b7c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=outside, output_ifc=inside

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule