03-22-2013 07:28 PM - edited 03-11-2019 06:18 PM
I have an ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut-and-paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output, and it keeps failing on the NAT with an rpf-check. Once I get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.
Any help greatly appreciated!!!
Here it is:
RVGW# sh run object
object network WiFi
subnet 172.17.100.0 255.255.255.0
description WiFi
object network inside-net
subnet 172.17.1.0 255.255.255.0
object network NOSPAM
host 172.17.1.49
object network BH2
host 172.17.1.60
RVGW# sh run nat
!
object network inside-net
nat (Inside,Outside) dynamic interface
object network NOSPAM
nat (Inside,Outside) static 5.29.79.12
object network BH2
nat (Inside,Outside) static 5.29.79.11 service tcp smtp smtp
RVGW# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Outside_access_in; 2 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp any object NOSPAM eq smtp 0x49e8de7d
access-list Outside_access_in line 1 extended permit tcp any host 172.17.1.49 eq smtp (hitcnt=3) 0x49e8de7d
access-list Outside_access_in line 2 extended permit tcp any object BH2 eq smtp 0xddf3d54c
access-list Outside_access_in line 2 extended permit tcp any host 172.17.1.60 eq smtp (hitcnt=2) 0xddf3d54c
RVGW# packet-tracer input outside tcp 4.2.2.2 25 172.17.1.49 25
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.17.1.0 255.255.255.0 Inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object NOSPAM eq smtp
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NOSPAM
nat (Inside,Outside) static 5.29.79.12
Additional Information:
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
RVGW#
03-23-2013 06:12 AM
Hi,
Please use the public IP (5.29.79.12) in the packet-tracer command as the destination, not the private 172.17.1.49.
regards,
Mohammad
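The point behind the answer is that on an ASA running 8.3 or later the access-list is written against the real (pre-NAT) address, which is why `permit tcp any object NOSPAM eq smtp` is correct, but a packet that actually arrives on the Outside interface is addressed to the mapped (public) address, so that is what packet-tracer has to be fed. The following Python script is an added example, not part of the original thread or of any Cisco tool: it parses the object-NAT lines from the post (embedded below as a constructed sample), builds the real-to-mapped table, and checks a packet-tracer command for the mistake in the question, including the port-restricted static on BH2. It assumes one-to-one host statics with an optional `service tcp|udp real mapped` clause, which is all the post shows, and the service-name table is a small assumed subset.

```python
import ipaddress
import re

# Constructed sample: the object and NAT lines as they appear in the post.
SAMPLE_CONFIG = """\
object network WiFi
 subnet 172.17.100.0 255.255.255.0
 description WiFi
object network inside-net
 subnet 172.17.1.0 255.255.255.0
object network NOSPAM
 host 172.17.1.49
object network BH2
 host 172.17.1.60
object network inside-net
 nat (Inside,Outside) dynamic interface
object network NOSPAM
 nat (Inside,Outside) static 5.29.79.12
object network BH2
 nat (Inside,Outside) static 5.29.79.11 service tcp smtp smtp
"""

# Assumed subset of the service names the ASA accepts in a nat "service" clause.
SERVICE_PORTS = {"smtp": 25, "http": 80, "www": 80, "https": 443}


def port_number(name):
    """Map a service keyword or numeric string to a port number."""
    return SERVICE_PORTS[name] if name in SERVICE_PORTS else int(name)


def parse_object_nat(config):
    """Return {object_name: static-NAT record} for every object with a static.

    Only host/subnet objects with a one-to-one static to a single mapped
    address are handled (an assumption matching the post's configuration).
    """
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = objects.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = re.match(r"host (\S+)$", line)
        if m:
            current["real"] = ipaddress.ip_network(m.group(1))
            current["real_text"] = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m:
            current["real"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            current["real_text"] = f"{m.group(1)} {m.group(2)}"
            continue
        m = re.match(
            r"nat \(([^,]+),([^)]+)\) static (\S+)"
            r"(?: service (tcp|udp) (\S+) (\S+))?$", line)
        if m:
            current["real_if"], current["mapped_if"] = m.group(1), m.group(2)
            current["mapped"] = ipaddress.ip_address(m.group(3))
            if m.group(4):  # port-restricted static, e.g. "service tcp smtp smtp"
                current["proto"] = m.group(4)
                current["real_port"] = port_number(m.group(5))
                current["mapped_port"] = port_number(m.group(6))
    # Objects without a static (dynamic NAT, or no NAT at all) are dropped.
    return {name: o for name, o in objects.items() if "mapped" in o}


def check_packet_tracer(statics, cmd):
    """Check a packet-tracer command entered on the mapped-side interface.

    Returns (ok, message). ok is False when the destination is a real
    address that never appears on that interface, or when the destination
    port is outside a port-restricted static; the message says what to use.
    """
    m = re.match(r"packet-tracer input (\S+) (tcp|udp) (\S+) (\d+) (\S+) (\d+)$",
                 cmd.strip())
    if not m:
        raise ValueError("unrecognised packet-tracer syntax")
    iface, proto, src, sport, dst, dport = m.groups()
    dst_ip = ipaddress.ip_address(dst)
    for name, o in statics.items():
        if iface.lower() != o["mapped_if"].lower():
            continue
        if dst_ip in o["real"]:
            fixed = f"packet-tracer input {iface} {proto} {src} {sport} {o['mapped']} {dport}"
            return False, (f"{dst} is the real address of object {name}; on {iface} "
                           f"the packet is addressed to {o['mapped']}. Use: {fixed}")
        if dst_ip == o["mapped"]:
            if "proto" in o and (proto != o["proto"] or int(dport) != o["mapped_port"]):
                return False, (f"object {name} only un-NATs {o['proto']}/{o['mapped_port']} "
                               f"to {o['real_text']}; {proto}/{dport} is not translated")
            return True, f"{dst}:{dport} is un-NATed to {o['real_text']}"
    return True, f"{dst} is not a static mapped address on {iface}; no un-NAT applies"


if __name__ == "__main__":
    statics = parse_object_nat(SAMPLE_CONFIG)
    for c in ("packet-tracer input outside tcp 4.2.2.2 25 172.17.1.49 25",
              "packet-tracer input outside tcp 4.2.2.2 1025 5.29.79.12 25",
              "packet-tracer input outside tcp 4.2.2.2 1025 5.29.79.11 443"):
        print(c, "->", check_packet_tracer(statics, c))
```

The first command is the one from the question and is flagged with the corrected form using 5.29.79.12; the third shows the BH2 static, which carries `service tcp smtp smtp`, leaving tcp/443 untranslated, so opening HTTP and HTTPS to that host needs a further static (or a static without the service clause) before any access-list entry will matter.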