cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

27630
Views
0
Helpful
5
Replies
Highlighted
Beginner

ASA rpf-check DROP

Hi,

Since a day ago or so I managed to somehow break all my forwarded ports. The error is "rpf-check", as if the packet would take a different way out but I fail to see how that could be the case. Can anyone share som insight in this?

# my ext-ip and internal server

object network someserver

host 10.0.0.240

object network ext-ip

host 201.201.28.20

# destination nat 8080 on ext-ip to someservers 8080, tcp.

object network someserver

nat (inside,outside) static ext-ip service tcp 8080 8080

nat (inside,outside) after-auto source dynamic any ext-ip

# Make sure it's first of the ACLs for debugging when ingressing "outside" interface (have no idea how hitcnt=1, I keep testing repeatedly from an external host but the counter doesn't increment)

access-list outside_access_in line 1 extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable 0xaf785b68

  access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq www log disable (hitcnt=0) 0xbfcabb69

  access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq 8080 log disable (hitcnt=1) 0x8c1c69ed

# Make sure it's first of the ACLs for debugging when egressing "inside" interface

access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5 0xf82e5cf9

  access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq www (hitcnt=0) 0x53d6c9d3

  access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq 8080 (hitcnt=0) 0x09b88225

# show run nat show no hits

1 (inside) to (ownit) source static skotertech mobenga-ownit-ext-ip service tcp 8080 8080

    translate_hits = 0, untranslate_hits = 0

# a packet-tracer claims it's allowed, but rpf-check fails. Verified on "someserver" using tcpdump that no packets ever reach it

asa# packet-tracer input outside tcp 5.6.129.90 50565 10.0.0.240 8080 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9eb6d70, priority=1, domain=permit, deny=false

hits=23728394646, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.0.0        255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype: log 

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable

object-group service DM_INLINE_TCP_2 tcp

group-object http

port-object eq 8080

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca788920, priority=13, domain=permit, deny=false

hits=1, user_data=0xc7d9dcb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9eb94d0, priority=0, domain=inspect-ip-options, deny=true

        hits=526056144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 5

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9f4a2a0, priority=20, domain=lu, deny=false

hits=31373932, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xccdb1760, priority=18, domain=flow-export, deny=false

hits=16814247, user_data=0xcbc65ed8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xca5e1990, priority=13, domain=ipsec-tunnel-flow, deny=true

hits=82465316, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 8

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:      

access-group inside_access_out out interface inside

access-list inside_access_out extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5

object-group service DM_INLINE_TCP_5 tcp

group-object http

port-object eq 8080

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc043d10, priority=13, domain=permit, deny=false

hits=1, user_data=0xc7d9d1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=any, output_ifc=inside

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network someserver

nat (inside,outside) static ext-ip service tcp 8080 8080

Additional Information:

Forward Flow based lookup yields rule:

out id=0xcc1e3190, priority=6, domain=nat-reverse, deny=false

        hits=3, user_data=0xcc77b7c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0

input_ifc=outside, output_ifc=inside

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: ASA rpf-check DROP

Hello,

Can you add the following configuration

object service TEST

service tcp source eq 8080

exit

nat (inside,outside) 1 source static someserver network-ext-ip service TEST TEST

access-list outside_access_in line 1 permit tcp any host 10.0.0.240 eq 8080

access-group outside_access_in in interface outside

Run the packet tracer again and post the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

5 REPLIES 5
Highlighted
Mentor

ASA rpf-check DROP

Hi,

If you are coming from public network to your local LAN then the destination IP address of the "packet-tracer" cant be a private IP address.

Please use the Mapped IP address as the destination of the "packet-tracer" command and copy/paste the output here again.

As you can see the inbound direction of the "packet-tracer" test goes through without any sort of NAT phase. Yet when it checks the reverse direction for the private IP address that you used it will naturally hit the Static PAT rule.

Generally the configuration that breaks other NAT configurations on the new ASA 8.3+ software is done in the Section 1 as Twice NAT / Manual NAT.

I usually do all Static PAT and Static NAT and Object Network NAT in Section 2

- Jouni

Highlighted
Beginner

Re: ASA rpf-check DROP

OK, I thought I was supposed to use it like that because the ACLs are written not using the actual (public) IP but the mapped IP even on the external interface. A packet-tracer against the public IP and the port just gives a deny:

asa# packet-tracer input outside tcp 5.6.129.90 50565 201.201.28.20 8080 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9eb6d70, priority=1, domain=permit, deny=false

hits=23767585144, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=outside, output_ifc=any

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   201.201.28.16    255.255.255.248 outside

Phase: 3

Type: ACCESS-LIST

Subtype:     

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xc9fb59e8, priority=11, domain=permit, deny=true

hits=27734438, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

input_ifc=outside, output_ifc=any

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Btw, the "show run nat show no hits" in my first post was not masked correctly. It's

# show run nat show no hits

1 (inside) to (outside) source static someserver ext-ip service tcp 8080 8080

    translate_hits = 0, untranslate_hits = 0

Highlighted

Re: ASA rpf-check DROP

Hello,

Can you add the following configuration

object service TEST

service tcp source eq 8080

exit

nat (inside,outside) 1 source static someserver network-ext-ip service TEST TEST

access-list outside_access_in line 1 permit tcp any host 10.0.0.240 eq 8080

access-group outside_access_in in interface outside

Run the packet tracer again and post the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Highlighted
Beginner

ASA rpf-check DROP

The packet-tracer worked, also works for real. Can you offer an explanation, surely I must have done something wrong that I can learn from?

Highlighted
Mentor

Re: ASA rpf-check DROP

Hi,

Basically to my understanding you first did your configuration with Network Object NAT and it worked and then after some NAT changes stopped working.

So far we havent seen the whole configuration when the problem was on so we can only guess what happened

If you added Julios suggested NAT configuration then the problem has been an added Section 1 NAT rule that broke the Network Object NAT rules originally.

Julios suggested Static PAT configuration that is inserted in line "1" of Section 1 would therefore override the problematic Section 1 rule that originally broke the Network Object NAT.

So this doesnt really correct the problematic configuration, just goes around it.

Generally this might happen if you use "any" parameter in the NAT configurations of Section 1 or possibly leave the "destination" configuration of Section 1 NAT blank.

But again I can only guess.

I just wrote a document on NAT 8.3+ if you  want a better explanation about the new NAT format and operation, check it out

https://supportforums.cisco.com/docs/DOC-31116

- Jouni