12-15-2009 01:34 PM - edited 03-11-2019 09:48 AM
This is my first post here, so I apologize if I make a mistake.
I have 3 interfaces on my ASA 5510 (Internal, External, DMZ) and I have been successful in getting traffic to flow every direciton except for DMZ to Internal.
When using Packet-Tracer and sending a packet from the DMZ to the Internal network I receive an RPF-Check error:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (IntNet) 1 10.1.0.0 255.255.0.0
match ip IntNet 10.1.0.0 255.255.0.0 DMZNet any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd69fa5f8, priority=1, domain=nat-reverse, deny=false
hits=3, user_data=0xd69fa3e0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.1.0.0, mask=255.255.0.0, port=0, dscp=0x0
So far I have limited the problem down to one line in my config
nat (IntNet) 1 10.1.0.0 255.255.0.0
But I have not been able to come up with a solution for this as of yet.
Here is my config:
ASA Version 8.0(5)
!
hostname ciscoasa
names
name 10.2.1.100 DMZECCOLink.com description NetIIS Website
name 10.2.1.101 DMZECCOGroup.com description NetIIS Website
name 10.2.1.102 DMZHazard.com.au description NetIIS Website
name 10.2.1.104 DMZVA.co.uk description NetIIS2 Website
name 10.1.2.150 DMZECCO-Vault description Vault
name 10.1.2.30 DMZECCOReport description Web Reporting Server
name 10.1.2.2 DMZECCOBES01 description Blackberry Server
name 10.1.3.70 IntECCOTS description Terminal Server
name 10.1.2.12 IntECCO-Exchange description Exchange Server
name 10.1.2.6 IntECCOMail01 description Exchange 2007
name 10.1.2.100 IntECCOESX01 description ESX Server 1
name 10.1.2.102 IntECCOESX02 description ESX Server 2
name 10.1.2.104 IntECCOESX03 description ESX Server 3
name 10.1.2.3 IntECCOBDC1 description DC with DNS
name 10.1.3.17 IntECCO-SQL description SQL 2000 Databases
name 10.1.2.34 IntECCOSQL description SQL 2005 Databases
name 216.64.172.61 ExtECCOLink.com description NetIIS Website
name 216.64.172.62 ExtECCOGroup.com description NetIIS Website
name 216.64.172.59 ExtHazard.com.au description NetIIS Website
name 216.64.172.58 ExtVA.co.uk description NetIIS2 Website
name 216.64.172.57 ExtECCO-Vault description Vault
name 216.64.172.38 ExtECCOReport description Web Reporting Server
name 216.64.172.35 ExtECCO-Exchange description Exchange Server
name 216.64.172.40 ExtECCOMail01 description Exchange 2007
name 216.64.172.41 ExtECCOBES01 description Blackberry Server
dns-guard
!
interface Ethernet0/0
description ECCO Internal
speed 100
duplex full
nameif IntNet
security-level 100
ip address 10.1.2.254 255.255.0.0
!
interface Ethernet0/1
description TWTelecom Internet
speed 100
duplex full
nameif ExtNet
security-level 1
ip address 207.170.247.122 255.255.255.252
!
interface Ethernet0/2
description DMZ Interface
nameif DMZNet
security-level 25
ip address 10.2.2.254 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup IntNet
dns server-group DefaultDNS
name-server IntECCOBDC1
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group icmp-type ICMPTraffic
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
object-group network ExtSMTP
network-object host ExtECCO-Exchange
network-object host ExtECCOMail01
object-group network IntSMTP
network-object host IntECCO-Exchange
network-object host IntECCOMail01
object-group network ExtSpamSoap
network-object 208.65.144.0 255.255.248.0
network-object 208.81.64.0 255.255.252.0
network-object 63.149.241.32 255.255.255.224
object-group network IntSQL
network-object host IntECCO-SQL
network-object host IntECCOSQL
object-group network DMZWebsites
network-object host DMZECCOGroup.com
network-object host DMZECCOLink.com
network-object host DMZVA.co.uk
network-object host DMZHazard.com.au
object-group network ExtWebsites
network-object host ExtECCOLink.com
network-object host ExtECCOGroup.com
network-object host ExtHazard.com.au
network-object host ExtVA.co.uk
network-object host ExtECCO-Vault
network-object host ExtECCOReport
object-group service WebPorts tcp
port-object eq www
port-object eq https
port-object eq ftp
object-group network IntESX
network-object host IntECCOESX01
network-object host IntECCOESX02
network-object host IntECCOESX03
access-list DMZACL remark Allow SQL traffic from websites to SQL servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSMTP eq smtp
access-list DMZACL remark Deny all DMZ traffic to Internal Network
access-list DMZACL extended deny ip any host 10.1.0.0
access-list DMZACL remark Allow DMZ access to the Internet
access-list DMZACL extended permit tcp 10.2.0.0 255.255.0.0 any object-group WebPorts
access-list DMZACL remark Deny EVERYTHING
access-list DMZACL extended deny ip any any
access-list DMZACL extended permit ip any any
access-list IntACL remark Allow all HTTP traffic from Internal to DMZ
access-list IntACL extended permit tcp any object-group DMZWebsites eq www
access-list IntACL remark Deny all traffic from Internal to DMZ
access-list IntACL extended deny ip any 10.2.0.0 255.255.0.0
access-list IntACL remark Allow Internal Access to the Internet
access-list IntACL extended permit tcp any any object-group WebPorts
access-list IntACL remark MSN Messenger connection
access-list IntACL extended permit tcp any any eq 1863
access-list IntACL remark Terminal Service Connections
access-list IntACL extended permit tcp any any eq 3389
access-list IntACL remark Allow SMTP traffic from Exchange servers out
access-list IntACL extended permit tcp object-group IntSMTP any eq smtp
access-list IntACL remark ESX connection out for Time Protocol
access-list IntACL extended permit udp object-group IntESX any eq ntp
access-list IntACL remark Deny Everyting
access-list IntACL extended deny ip any any
access-list ExtACL remark Allow smtp traffic from SpamSoap to Exchange Servers
access-list ExtACL extended permit tcp object-group ExtSpamSoap object-group ExtSMTP eq smtp
access-list ExtACL remark Allow web HTTP traffic to the web servers
access-list ExtACL extended permit tcp any object-group ExtWebsites eq www
access-list ExtACL remark Allow incoming for Blackberries
access-list ExtACL extended permit tcp any host ExtECCOBES01 eq 3101
access-list ExtACL extended deny ip any any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu IntNet 1500
mtu ExtNet 1500
mtu DMZNet 1500
mtu management 1500
ip local pool ECCOIPSECDHCP 172.16.1.1-172.16.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (ExtNet) 1 216.64.172.34 netmask 255.255.255.255
global (ExtNet) 2 216.64.172.33 netmask 255.255.255.255
nat (IntNet) 1 10.1.0.0 255.255.0.0
nat (DMZNet) 2 10.2.0.0 255.255.0.0
access-group IntACL in interface IntNet
access-group ExtACL in interface ExtNet
access-group DMZACL in interface DMZNet
static (IntNet,ExtNet) ExtECCO-Exchange IntECCO-Exchange netmask 255.255.255.255
static (IntNet,ExtNet) ExtECCOMail01 IntECCOMail01 netmask 255.255.255.255
static (DMZNet,ExtNet) ExtECCOBES01 DMZECCOBES01 netmask 255.255.255.255
static (DMZNet,ExtNet) ExtECCOReport DMZECCOReport netmask 255.255.255.255
static (DMZNet,ExtNet) ExtECCO-Vault DMZECCO-Vault netmask 255.255.255.255
static (DMZNet,ExtNet) ExtVA.co.uk DMZVA.co.uk netmask 255.255.255.255
static (DMZNet,ExtNet) ExtHazard.com.au DMZHazard.com.au netmask 255.255.255.255
static (DMZNet,ExtNet) ExtECCOLink.com DMZECCOLink.com netmask 255.255.255.255
static (DMZNet,ExtNet) ExtECCOGroup.com DMZECCOGroup.com netmask 255.255.255.255
route ExtNet 0.0.0.0 0.0.0.0 207.170.247.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
This is just a test config, and I have a lot more to do to it, but I haven't made it past getting the traffic to flow properly.
The packet tracer that I am running is:
packet-tracer input DMZNet tcp 10.2.1.100 1433 10.1.3.17 1433 detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.0.0 IntNet
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZACL in interface DMZNet
access-list DMZACL extended permit tcp object-group DMZWebsites object-group IntSQL eq 1433
access-list DMZACL remark Allow SMTP traffic from websites to Exchange servers
object-group network DMZWebsites
network-object host DMZECCOGroup.com
network-object host DMZECCOLink.com
network-object host DMZVA.co.uk
network-object host DMZHazard.com.au
object-group network IntSQL
network-object host IntECCO-SQL
network-object host IntECCOSQL
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6986d00, priority=12, domain=permit, deny=false
hits=4, user_data=0xd6986cc0, cs_id=0x0, flags=0x0, protocol=6
src ip=DMZECCOLink.com, mask=255.255.255.255, port=0
dst ip=IntECCO-SQL, mask=255.255.255.255, port=1433, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd6929078, priority=0, domain=permit-ip-option, deny=true
hits=5, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZNet) 2 10.2.0.0 255.255.0.0
match ip DMZNet 10.2.0.0 255.255.0.0 ExtNet any
dynamic translation to pool 2 (216.64.172.33)
translate_hits = 1, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd69fb3d0, priority=1, domain=host, deny=false
hits=11, user_data=0xd69fafc8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.2.0.0, mask=255.255.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (IntNet) 1 10.1.0.0 255.255.0.0
match ip IntNet 10.1.0.0 255.255.0.0 DMZNet any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd69fa5f8, priority=1, domain=nat-reverse, deny=false
hits=4, user_data=0xd69fa3e0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.1.0.0, mask=255.255.0.0, port=0, dscp=0x0
Result:
input-interface: DMZNet
input-status: up
input-line-status: up
output-interface: IntNet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any assistance would be greatly appreciated. And I hope that moving forward I can be of some assistance to others on this forum.
Thanks
Solved! Go to Solution.
12-15-2009 02:16 PM
If you want to initiate a connection from the DMZ to inside then dynamic NAT rules will not work. You will need to set up either a nat exemption or a static NAT ie.
NAT exemption
access-list NATEX permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (IntNet) 0 access-list NATEX
static NAT
static (IntNet, DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
Jon
12-15-2009 02:16 PM
If you want to initiate a connection from the DMZ to inside then dynamic NAT rules will not work. You will need to set up either a nat exemption or a static NAT ie.
NAT exemption
access-list NATEX permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (IntNet) 0 access-list NATEX
static NAT
static (IntNet, DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
Jon
12-15-2009 02:25 PM
That worked perfectly.
I added the one line of
static (IntNet,DMZNet) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
And now I have traffic that is can go from the DMZ to the Internal.
I had attempted something similar, but I had them on two seperate subnets (10.1.x.x and 10.2.x.x) and it kept failing.
You are awesome, thank you for your assistance.
12-15-2009 03:22 PM
Ken
Many thanks for the kind words and rating.
Glad you got it working.
Jon
09-20-2011 07:31 AM
I was having this same problem.
Thank you for your solution!
Worked like a charm.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide