03-19-2013 02:17 AM - edited 03-11-2019 06:16 PM
Hi,
Since a day ago or so I managed to somehow break all my forwarded ports. The error is "rpf-check", as if the packet would take a different way out, but I fail to see how that could be the case. Can anyone share some insight in this?
# my ext-ip and internal server
object network someserver
host 10.0.0.240
object network ext-ip
host 201.201.28.20
# destination nat 8080 on ext-ip to someservers 8080, tcp.
object network someserver
nat (inside,outside) static ext-ip service tcp 8080 8080
nat (inside,outside) after-auto source dynamic any ext-ip
# Make sure it's first of the ACLs for debugging when ingressing "outside" interface (have no idea how hitcnt=1, I keep testing repeatedly from an external host but the counter doesn't increment)
access-list outside_access_in line 1 extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable 0xaf785b68
access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq www log disable (hitcnt=0) 0xbfcabb69
access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq 8080 log disable (hitcnt=1) 0x8c1c69ed
# Make sure it's first of the ACLs for debugging when egressing "inside" interface
access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5 0xf82e5cf9
access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq www (hitcnt=0) 0x53d6c9d3
access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq 8080 (hitcnt=0) 0x09b88225
# show run nat show no hits
1 (inside) to (ownit) source static skotertech mobenga-ownit-ext-ip service tcp 8080 8080
translate_hits = 0, untranslate_hits = 0
# a packet-tracer claims it's allowed, but rpf-check fails. Verified on "someserver" using tcpdump that no packets ever reach it
asa# packet-tracer input outside tcp 5.6.129.90 50565 10.0.0.240 8080 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb6d70, priority=1, domain=permit, deny=false
hits=23728394646, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable
object-group service DM_INLINE_TCP_2 tcp
group-object http
port-object eq 8080
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca788920, priority=13, domain=permit, deny=false
hits=1, user_data=0xc7d9dcb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb94d0, priority=0, domain=inspect-ip-options, deny=true
hits=526056144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9f4a2a0, priority=20, domain=lu, deny=false
hits=31373932, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccdb1760, priority=18, domain=flow-export, deny=false
hits=16814247, user_data=0xcbc65ed8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca5e1990, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=82465316, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5
object-group service DM_INLINE_TCP_5 tcp
group-object http
port-object eq 8080
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc043d10, priority=13, domain=permit, deny=false
hits=1, user_data=0xc7d9d1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network someserver
nat (inside,outside) static ext-ip service tcp 8080 8080
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc1e3190, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0xcc77b7c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-19-2013 04:12 PM
Hello,
Can you add the following configuration
object service TEST
service tcp source eq 8080
exit
nat (inside,outside) 1 source static someserver network-ext-ip service TEST TEST
access-list outside_access_in line 1 permit tcp any host 10.0.0.240 eq 8080
access-group outside_access_in in interface outside
Run the packet tracer again and post the result
03-19-2013 03:52 AM
Hi,
If you are coming from the public network to your local LAN, then the destination IP address of the "packet-tracer" can't be a private IP address.
Please use the Mapped IP address as the destination of the "packet-tracer" command and copy/paste the output here again.
As you can see the inbound direction of the "packet-tracer" test goes through without any sort of NAT phase. Yet when it checks the reverse direction for the private IP address that you used it will naturally hit the Static PAT rule.
Generally the configuration that breaks other NAT configurations on the new ASA 8.3+ software is done in the Section 1 as Twice NAT / Manual NAT.
I usually do all Static PAT and Static NAT and Object Network NAT in Section 2
- Jouni
03-19-2013 03:26 PM
OK, I thought I was supposed to use it like that because the ACLs are written not using the actual (public) IP but the mapped IP even on the external interface. A packet-tracer against the public IP and the port just gives a deny:
asa# packet-tracer input outside tcp 5.6.129.90 50565 201.201.28.20 8080 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb6d70, priority=1, domain=permit, deny=false
hits=23767585144, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 201.201.28.16 255.255.255.248 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9fb59e8, priority=11, domain=permit, deny=true
hits=27734438, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Btw, the "show run nat show no hits" in my first post was not masked correctly. It's
# show run nat show no hits
1 (inside) to (outside) source static someserver ext-ip service tcp 8080 8080
translate_hits = 0, untranslate_hits = 0
03-22-2013 06:56 AM
The packet-tracer worked, also works for real. Can you offer an explanation, surely I must have done something wrong that I can learn from?
03-22-2013 07:04 AM
Hi,
Basically to my understanding you first did your configuration with Network Object NAT and it worked and then after some NAT changes stopped working.
So far we haven't seen the whole configuration when the problem was on, so we can only guess what happened.
If you added Julio's suggested NAT configuration, then the problem has been an added Section 1 NAT rule that broke the Network Object NAT rules originally.
Julio's suggested Static PAT configuration that is inserted in line "1" of Section 1 would therefore override the problematic Section 1 rule that originally broke the Network Object NAT.
So this doesn't really correct the problematic configuration, it just goes around it.
Generally this might happen if you use "any" parameter in the NAT configurations of Section 1 or possibly leave the "destination" configuration of Section 1 NAT blank.
But again I can only guess.
I just wrote a document on NAT 8.3+ if you want a better explanation about the new NAT format and operation, check it out
https://supportforums.cisco.com/docs/DOC-31116
- Jouni
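To make the ordering argument in the two replies above concrete (Section 1 manual NAT is evaluated before Section 2 object NAT, and a Section 1 rule with source "any" can capture the reverse flow of the static PAT), here is an added, simplified model written for this thread; it is not Cisco code and not the ASA's actual NAT implementation. It assumes first-match evaluation ordered by section then line, that only static rules can untranslate a new inbound connection, and that rpf-check passes when the reverse flow (server replying from 10.0.0.240:8080) selects the same rule that untranslated the inbound packet. The "suspected" Section 1 rule is a hypothetical example of the kind Jouni describes, not a rule taken from the thread; the three tables model the working, broken, and fixed states described above.

```python
"""Simplified model of ASA 8.3+ NAT rule ordering and the rpf-check.

Assumptions (illustration only, not Cisco's implementation):
- Rules are evaluated by section (1 manual, 2 object/auto, 3 after-auto),
  then by line number; the first match wins.
- The inbound "untranslate" lookup considers only static rules, matched on
  the mapped address and mapped service.
- rpf-check passes when the reverse flow (real server answering the outside
  host) selects the *same* rule that untranslated the inbound packet.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _matches(spec: str, ip: str) -> bool:
    """'any' matches everything; otherwise spec is a host or CIDR."""
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                    # 1 = manual NAT, 2 = object NAT, 3 = after-auto
    line: int
    real_src: str                   # real (inside) address or 'any'
    mapped_src: str                 # mapped (outside) address or 'any'
    static: bool = True
    svc_real: Optional[int] = None  # TCP port on the real side (None = all ports)
    svc_mapped: Optional[int] = None


def ordered(table: List[NatRule]) -> List[NatRule]:
    """Evaluation order: Section 1 first, then line number within a section."""
    return sorted(table, key=lambda r: (r.section, r.line))


def forward_lookup(table: List[NatRule], real_src_ip: str,
                   real_sport: Optional[int]) -> Optional[NatRule]:
    """Outbound (inside -> outside) lookup: first rule that claims this flow."""
    for r in ordered(table):
        if _matches(r.real_src, real_src_ip) and r.svc_real in (None, real_sport):
            return r
    return None


def untranslate(table: List[NatRule], mapped_dst_ip: str,
                mapped_dport: int) -> Optional[NatRule]:
    """Inbound lookup: first static rule mapping this outside address/port to a host."""
    for r in ordered(table):
        if (r.static and _matches(r.mapped_src, mapped_dst_ip)
                and r.svc_mapped in (None, mapped_dport)):
            return r
    return None


def rpf_check(table: List[NatRule], mapped_dst_ip: str,
              mapped_dport: int) -> Tuple[bool, Optional[NatRule], Optional[NatRule]]:
    """Return (passed, rule that untranslated, rule the reverse flow would hit)."""
    inbound = untranslate(table, mapped_dst_ip, mapped_dport)
    if inbound is None:
        return False, None, None
    # For a static host rule the real side is the server itself.
    reverse = forward_lookup(table, inbound.real_src, inbound.svc_real)
    return reverse is inbound, inbound, reverse


# Addresses from the thread; the rule tables below are constructed for this model.
EXT_IP = "201.201.28.20"
SERVER = "10.0.0.240"

OBJECT_NAT = NatRule("object NAT someserver static PAT 8080 (Section 2)",
                     2, 1, SERVER, EXT_IP, True, 8080, 8080)
AFTER_AUTO = NatRule("after-auto dynamic any -> ext-ip (Section 3)",
                     3, 1, "any", EXT_IP, False)
# Hypothetical rule of the kind Jouni suspects: Section 1, dynamic, source 'any'.
SUSPECT = NatRule("suspected Section 1 dynamic any -> ext-ip", 1, 1, "any", EXT_IP, False)
# Julio's fix: manual static PAT inserted at line 1 of Section 1 (service TEST = tcp 8080).
FIX = NatRule("manual static PAT TEST (Section 1 line 1)",
              1, 1, SERVER, EXT_IP, True, 8080, 8080)

WORKING = [OBJECT_NAT, AFTER_AUTO]                       # original, before the breakage
BROKEN = [SUSPECT, OBJECT_NAT, AFTER_AUTO]               # Section 1 'any' rule added
FIXED = [FIX, replace(SUSPECT, line=2), OBJECT_NAT, AFTER_AUTO]  # fix pushed to line 1


def report(label: str, table: List[NatRule]) -> str:
    ok, inbound, reverse = rpf_check(table, EXT_IP, 8080)
    verdict = "ALLOW" if ok else "DROP (rpf-check)"
    return (f"{label}: {verdict}\n"
            f"  untranslated by: {inbound.name if inbound else None}\n"
            f"  reverse flow hits: {reverse.name if reverse else None}")


if __name__ == "__main__":
    for label, table in (("working", WORKING), ("broken", BROKEN), ("fixed", FIXED)):
        print(report(label, table))
```

Running it shows the broken table untranslating via the Section 2 object rule while the reverse flow is claimed by the Section 1 "any" rule, which is the mismatch the packet-tracer reports as `NAT rpf-check DROP`; the fixed table passes only because the new line 1 rule wins both lookups, while the suspect rule is still present at line 2, matching Jouni's point that the fix works around the bad rule rather than removing it.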