cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1279
Views
1
Helpful
19
Replies

ASA 5506-X RPF Drop

Dmytro Chupil
Level 1
Level 1

I learning how to set-up firewall and came accross such a problem when trying to connect through web-browser to DMZSERV : 3. The packet is coming from an outside network. The device looks up its NAT table for necessary translations. 4. The packet is destined to the local (untranslated) address in a NAT statement. The NAT RPF drops the packet. I know my ACL names are kinda strange, but that's not that the problem. I read somewhere to make 1:1 NAT and did, but still no connection. Here's my asa config: 

hostname ASAFW

enable password 4IncP7vTjpaba2aF encrypted

names

!

interface GigabitEthernet1/1

nameif OUTSIDE

security-level 5

ip address 200.200.200.1 255.255.255.0

!

interface GigabitEthernet1/2

nameif INSIDE

security-level 100

ip address 172.30.25.1 255.255.255.0

!

interface GigabitEthernet1/3

nameif DMZ

security-level 50

ip address 201.201.201.1 255.255.255.0

!

interface GigabitEthernet1/4

no nameif

no security-level

no ip address

shutdown

!

interface GigabitEthernet1/5

no nameif

no security-level

no ip address

shutdown

!

interface GigabitEthernet1/6

no nameif

no security-level

no ip address

shutdown

!

interface GigabitEthernet1/7

no nameif

no security-level

no ip address

shutdown

!

interface GigabitEthernet1/8

no nameif

no security-level

no ip address

shutdown

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

shutdown

!

object network DMZ

subnet 201.201.201.0 255.255.255.0

nat (DMZ,OUTSIDE) dynamic interface

object network DMZSERV

host 201.201.201.2

nat (DMZ,OUTSIDE) static 200.200.200.1

object network NAT

subnet 172.30.25.0 255.255.255.0

nat (INSIDE,OUTSIDE) dynamic interface

object network WEB

host 202.202.202.2

!

route OUTSIDE 0.0.0.0 0.0.0.0 200.200.200.2 1

!

access-list FOR_DMZ extended permit tcp any object DMZSERV eq www

access-list FOR_DMZ extended permit tcp any object NAT

access-list FOR_DMZ_IN extended deny icmp object DMZSERV object NAT

access-list FOR_DMZ_IN extended permit ip any any

!

!

access-group FOR_DMZ in interface OUTSIDE

access-group FOR_DMZ_IN in interface DMZ

!

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect tftp

!

service-policy global_policy global

!

telnet timeout 5

1 Accepted Solution

Accepted Solutions

19 Replies 19

Delete below

object network DMZSERV

host 201.201.201.2

nat (DMZ,OUTSIDE) static 200.200.200.1

Add this instead 

Nat(dmz'outside) source static <object of real IP> <object of mapped IP>

MHM

Dmytro Chupil
Level 1
Level 1

Asa says unknown command at word "source"

Can you share screenshots 

MHM

Dmytro Chupil
Level 1
Level 1

Знімок екрана 2024-05-11 215326.png

If that so' it can packet tracer limitations 

You need to re-range order 

Remove all NAT  and config NAT in below order 

Step2

object network DMZSERV

host 201.201.201.2

nat (DMZ,OUTSIDE) static 200.200.200.1

Step1

object network DMZ

subnet 201.201.201.0 255.255.255.0

nat (DMZ,OUTSIDE) dynamic interface

 

Then make double check by 

Show run nat or show nat 

You need always see static NAT is first NAT in list

MHM

I have cleared asa config and entered all commands, but with your corrections and I still have that RPF problem

As I mention in show run nat' ypu need to see static NAT in top list' what I see is same the static come after dynamic.

Clear config and reconfig it again 

I edit the steps in my previous comment

Your issue will solve when you see staitc NAT in top list. Do steps as I mentioned and try, keep notice this packet tracer abd there is many limitations. 

MHM

@MHM Cisco World, what you're saying is completely wrong. Object NAT execution order doesn't depend on the order in which objects appear in the configuration. Kindly read documentation before replying to the forum:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/firewall/asa-914-firewall-config/nat-basics.html#ID-2090-00000065

 

tvotna
Spotlight
Spotlight
object network DMZ
subnet 201.201.201.0 255.255.255.0
nat (DMZ,OUTSIDE) dynamic interface

object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.1

The address 200.200.200.1 belongs to the outside interface of the firewall, hence you cannot use it for static NAT like this. On the other hand, you cannot remove static NAT statement completely, because the dynamic NAT rule for the subnet will come into play, and if you access 201.201.201.2 without NAT, the packet to the 201.201.201.2 would be dropped by NAT RPF check (what you observed earlier). So, you have two options here: 1) either choose another IP address for static NAT (e.g. 200.200.200.11) or 2) do port redirection if you need to publish single port on the outside, e.g.:

object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static interface service tcp 443 443

In this case single TCP port is allocated on the outside interface IP address.

 

I have changed to and still no connection.

nat (DMZ,OUTSIDE) static 200.200.200.11

 About second option - asa shows error at word interface

1. If you changed to 200.200.200.11 and still see the error, provide packet-tracer output.

2. https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/n-commands.html#wp3072050573

I don't see the "interface" keyword on the screenshot.

 

DmytroChupil_0-1715511290922.png

About first point, could you specify me what to do, because I do not understand you fully

@Dmytro Chupil, which version are you running (show ver)? Because static NAT to "interface" should work just fine. Below is from my test ASA:

ASA(config)# object network obj-1.1.1.1
ASA(config-network-object)# nat (inside,outside) ?

network-object mode commands/options:
dynamic Specify NAT type as dynamic
static Specify NAT type as static

configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters
ASA(config-network-object)# nat (inside,outside) static ?

network-object mode commands/options:
A.B.C.D Mapped IP address
WORD Mapped network object/object-group name
X:X:X:X::X/<0-128> Enter an IPv6 prefix
interface Use interface address as mapped IP
ASA(config-network-object)# nat (inside,outside) static interface ?

network-object mode commands/options:
dns Use the created xlate to rewrite DNS record
ipv6 Use IPv6 address(es) as mapped IP(s)
net-to-net Use Net to net mapping of IPv4 to IPv6 address(es)
no-proxy-arp Disable proxy ARP on the egress interface
route-lookup Perform route lookup for this rule
service Define port mapping
<cr>
ASA(config-network-object)# nat (inside,outside) static interface service ?

network-object mode commands/options:
sctp SCTP to be used as transport protocol
tcp TCP to be used as transport protocol
udp UDP to be used as transport protocol
ASA(config-network-object)# nat (inside,outside) static interface service tcp 80 80

Packet-tracer:

packet-tracer input OUTSIDE tcp 1.2.3.4 12345 200.200.200.11 80 detail

Above is for the following case:

object network DMZSERV
host 201.201.201.2
nat (DMZ,OUTSIDE) static 200.200.200.11

The packet-tracer will generate a packet with the 1.2.3.4/12345 as a source and 200.200.200.11/80 as a destination and display how software processes it.

HTH

 

Dmytro Chupil
Level 1
Level 1

DmytroChupil_0-1715602400376.png

DmytroChupil_1-1715602457134.png

 

 

Review Cisco Networking for a $25 gift card