05-11-2024 06:36 AM
I am learning how to set up a firewall and came across the following problem when trying to connect through a web browser to DMZSERV:

3. The packet is coming from an outside network. The device looks up its NAT table for the necessary translations.
4. The packet is destined to the local (untranslated) address in a NAT statement. The NAT RPF drops the packet.

I know my ACL names are kind of strange, but that's not the problem. I read somewhere to make a 1:1 NAT and did, but still no connection. Here's my ASA config:
hostname ASAFW
enable password 4IncP7vTjpaba2aF encrypted
names
!
interface GigabitEthernet1/1
nameif OUTSIDE
security-level 5
ip address 200.200.200.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif INSIDE
security-level 100
ip address 172.30.25.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 201.201.201.1 255.255.255.0
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/5
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/6
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
shutdown
!
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
shutdown
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
shutdown
!
object network DMZ
subnet 201.201.201.0 255.255.255.0
nat (DMZ,OUTSIDE) dynamic interface
object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.1
object network NAT
subnet 172.30.25.0 255.255.255.0
nat (INSIDE,OUTSIDE) dynamic interface
object network WEB
host 202.202.202.2
!
route OUTSIDE 0.0.0.0 0.0.0.0 200.200.200.2 1
!
access-list FOR_DMZ extended permit tcp any object DMZSERV eq www
access-list FOR_DMZ extended permit tcp any object NAT
access-list FOR_DMZ_IN extended deny icmp object DMZSERV object NAT
access-list FOR_DMZ_IN extended permit ip any any
!
!
access-group FOR_DMZ in interface OUTSIDE
access-group FOR_DMZ_IN in interface DMZ
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect tftp
!
service-policy global_policy global
!
telnet timeout 5
05-13-2024 05:22 AM
Don't waste your time.
It is an issue of NAT order.
Remove the dynamic NAT and keep only the static NAT.
Then try, and you will succeed.
MHM
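The following is an added example, not the original poster's config and not the replier's exact commands. It shows the NAT section reworked along the lines of the answer above (dynamic object NAT for the DMZ subnet removed, static NAT kept) and a verification step aimed at the "destined to the local (untranslated) address" drop in the original post. It assumes the topology of the posted config (DMZSERV at 201.201.201.2 behind DMZ, 200.200.200.1 on OUTSIDE, next hop 200.200.200.2); the mapped address 200.200.200.10 and the client port 40000 are assumptions, nothing in the thread names them.

```cisco
! --- Added example, not the original poster's configuration ---
! Goal: HTTP from OUTSIDE to DMZSERV (201.201.201.2) via one-to-one static NAT.

! 1. Remove the dynamic PAT that also covers 201.201.201.2, so the only NAT
!    rule matching DMZSERV is the static one.
object network DMZ
 no nat (DMZ,OUTSIDE) dynamic interface

! 2. Keep the static NAT, but do not map the host to 200.200.200.1, which is
!    the OUTSIDE interface's own address. 200.200.200.10 is an ASSUMED spare
!    address in the OUTSIDE subnet; it must be one the upstream router
!    (200.200.200.2) sends traffic for toward the ASA.
object network DMZSERV
 host 201.201.201.2
 no nat (DMZ,OUTSIDE) static 200.200.200.1
 nat (DMZ,OUTSIDE) static 200.200.200.10

! Alternative if only the interface address is available: static NAT with
! port translation on the OUTSIDE interface address, TCP/80 only.
!  nat (DMZ,OUTSIDE) static interface service tcp 80 80

! 3. The inbound ACL references the real (untranslated) address, which is
!    what ASA 8.3+ expects, so this line from the posted config stays as is.
access-list FOR_DMZ extended permit tcp any object DMZSERV eq www
access-group FOR_DMZ in interface OUTSIDE

! 4. Verify from the ASA itself. The client must target the MAPPED address;
!    a packet from OUTSIDE addressed to 201.201.201.2 is exactly what the NAT
!    RPF check in the original post rejected. 200.200.200.2 (the posted default
!    gateway) stands in for an outside client here.
packet-tracer input OUTSIDE tcp 200.200.200.2 40000 200.200.200.10 80
show nat detail
show xlate
```

Two caveats a practitioner would want. First, the posted line `access-list FOR_DMZ extended permit tcp any object NAT` permits any TCP from OUTSIDE to the whole INSIDE subnet; it is not needed for reaching the DMZ web server and is worth removing. Second, on production ASA code, network object NAT (Section 2) evaluates static rules before dynamic ones and rules with fewer real addresses before larger ones, so the /32 static rule for DMZSERV would already be matched ahead of the /24 dynamic rule; removing the dynamic rule still makes the match unambiguous, which matters in a simulator that may not implement that ordering.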
05-14-2024 11:39 PM
What was the issue and how did you solve it?
MHM
05-13-2024 05:40 AM
Please also provide "show firewall" output.
05-13-2024 06:01 AM
I mean, if you see "Transparent" in the output, you need to save the config to a text file and change the firewall mode to Routed with "no firewall transparent". This will reload the device and erase the config. Then reconfigure it as we discussed before.
05-14-2024 02:52 AM
@Dmytro Chupil, did you succeed?