03-22-2013 07:28 PM - edited 03-11-2019 06:18 PM
I have an ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut-and-paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output, and it keeps failing on the NAT with a rpf-check. Once I get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
Any help greatly appreciated!!!
Here it is:
RVGW# sh run object
object network WiFi
subnet 172.17.100.0 255.255.255.0
description WiFi
object network inside-net
subnet 172.17.1.0 255.255.255.0
object network NOSPAM
host 172.17.1.49
object network BH2
host 172.17.1.60
RVGW# sh run nat
!
object network inside-net
nat (Inside,Outside) dynamic interface
object network NOSPAM
nat (Inside,Outside) static 5.29.79.12
object network BH2
nat (Inside,Outside) static 5.29.79.11 service tcp smtp smtp
RVGW# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Outside_access_in; 2 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp any object NOSPAM eq smtp 0x49e8de7d
access-list Outside_access_in line 1 extended permit tcp any host 172.17.1.49 eq smtp (hitcnt=3) 0x49e8de7d
access-list Outside_access_in line 2 extended permit tcp any object BH2 eq smtp 0xddf3d54c
access-list Outside_access_in line 2 extended permit tcp any host 172.17.1.60 eq smtp (hitcnt=2) 0xddf3d54c
RVGW# packet-tracer input outside tcp 4.2.2.2 25 172.17.1.49 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.1.0 255.255.255.0 Inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object NOSPAM eq smtp
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NOSPAM
nat (Inside,Outside) static 5.29.79.12
Additional Information:
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
RVGW#
03-23-2013 06:12 AM
Hi,
Please use the public IP (5.29.79.12) in the packet-tracer command as the destination, not the private 172.17.1.49.
Regards,
Mohammad
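As an added worked example (not part of the original post or the answer above): on ASA 8.3 and later the access-list matches the real (private) address, but a packet arriving on Outside carries the mapped (public) address. The UN-NAT lookup has to find a translation for the destination as it arrives, and 172.17.1.49 is never a destination on Outside, which is why the trace dies in the rpf-check. The block below re-runs the trace with the public IP and, assuming BH2 is the server that also needs HTTP and HTTPS, shows the extra NAT and ACL lines. The object names BH2-http and BH2-https and the source port 12345 are assumptions, not anything from the thread.

```cisco
! Trace against the mapped address. UN-NAT rewrites 5.29.79.12 -> 172.17.1.49,
! and the real address then matches the existing ACL entry for object NOSPAM.
! 12345 is an arbitrary ephemeral source port (assumed).
packet-tracer input Outside tcp 4.2.2.2 12345 5.29.79.12 25

! Same check for the port-restricted static on BH2; only tcp/25 is mapped.
packet-tracer input Outside tcp 4.2.2.2 12345 5.29.79.11 25

! Adding HTTP and HTTPS for BH2 on the same public IP. Object NAT takes one
! service per object, so each forwarded port gets its own object that points
! at the same real host (object names assumed).
object network BH2-http
 host 172.17.1.60
 nat (Inside,Outside) static 5.29.79.11 service tcp www www
object network BH2-https
 host 172.17.1.60
 nat (Inside,Outside) static 5.29.79.11 service tcp https https

! The ACL keeps referencing the real address through the existing object BH2.
access-list Outside_access_in extended permit tcp any object BH2 eq www
access-list Outside_access_in extended permit tcp any object BH2 eq https

! Verify each forwarded port the same way, always with the public IP.
packet-tracer input Outside tcp 4.2.2.2 12345 5.29.79.11 80
packet-tracer input Outside tcp 4.2.2.2 12345 5.29.79.11 443
```

Note the difference between the two statics already in the config: BH2 is mapped on tcp/25 only, so nothing else on 172.17.1.60 is reachable from Outside even if an ACL entry were added by mistake, whereas NOSPAM is a full one-to-one static and every port on 172.17.1.49 becomes reachable the moment the ACL permits it. Where a host only needs a few services, the port-restricted form is the safer one to keep.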