11-19-2013 04:24 AM - edited 03-11-2019 08:06 PM
Hey all,
We are currently having an ASA set up as a NAT to translate outside IPs to our internal LAN IPs, which is all working fine.
However, our city council has a printer which sends a job through to an IP address which can no longer be accessed due to the NAT (10.100.1.20), so we need to translate that IP from 10.100 to our internal LAN IP of 172.29.8.20. However, we keep getting an error message on the packet test:
rpf check dropped acl-drop flow is denied by configured rule vpn
I don't currently have access to the ASA to be able to get a show run but i was reading another question on this site and was wondering if it was relevant to my problem https://supportforums.cisco.com/thread/1003401
The solution given by Sankar was: "
I believe you need the following:
access-list inside_nat0_outbound line 1 deny ip host 172.26.48.3 host 10.24.14.1
Either the above or the host on the outside should talk to the inside host using its private address (172.26.48.3) and not the translated address.
"
Many thanks for any help.
11-19-2013 03:06 PM
I am not getting it, maybe you can explain a little better with topology map.
If what you have is an outside NAT or PAT then you need to configure a NAT exemption or static policy NAT so that you can map this address with two global address (private IP and global IP).
I need more detail.
11-21-2013 04:05 AM
Apologies if it wasn't very well explained.
We are a school that is on a city council network and recently changed providers, however our current internal IP scope clashed with another school so we had to have the ASA installed to work as a NAT.
Our admin team uses a system where they log in to a virtual desktop which used to send a print job to the IP of 172.29.8.20, which went directly to our printer. However, due to moving providers, the printer now sends to the IP of 10.100.1.20, and the ASA is blocking this coming through (we've tested without the ASA), so we need it to translate that 10.100 IP and give it a route to 172.29. However, on the packet trace we are getting the
rpf check dropped acl-drop flow is denied by configured rule vpn on the outside test and an rpf-violation - reverse route verification failed on an inside test.
Hopefully that explains it better.
Many thanks
11-21-2013 06:05 AM
Can you post the packet tracer output, or run it through the CLI?
Value our effort and rate the assistance!
11-21-2013 06:15 AM
Here is the packet trace.
TSTC-FW(config)# packet-tracer input outside tcp 10.100.104.20 9100 172.29.8.2$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.29.8.0 255.255.248.0 inside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.100.104.0 255.255.248.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Many thanks
11-21-2013 06:26 AM
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
The packet tracer indicated that you are coming from 10.100.104.20 to 172.29.8.20 9100 but it seems that you mapped it on the ASA to object TSTC-Printing.
The question here is: are you running the packet tracer correctly, or should that NAT not be in place?
Based on your notes:
Our admin team use a system where they login to a virtual desktop which used to send a print to the IP of 172.29.8.20 which went directly to our printer however due to moving providers the printer now sends to the IP of 10.100.1.20, the ASA is blocking this coming through (We've tested without the ASA) so we need it to translate that 10.100 IP and give it a route to 172.29
I will explain what you are posting on the packet tracer:
packet-tracer input outside tcp 10.100.104.20 9100 172.29.8.20 9100
You're an IP that resides on the outside, that is 10.100.104.20, and you want to connect to 172.29.8.20 on TCP port 9100.
I think it is incorrect, but you tell me: are connections really coming into the ASA from 10.100.104.20 to 172.29.8.20?
Value our effort and rate the assistance!
11-21-2013 06:30 AM
Unfortunately that NAT was set up by the people who installed the ASA, so I'm not 100% sure on it.
Basically that printer on the virtual desktop prints to the IP of 100.100.104.20, which is one of the assigned IPs given to our ASA (I believe we have 104.1-104.20). I need the ASA to translate that request to a printer that has an internal IP on our network of 172.29.8.20.
Many thanks for your help.
11-21-2013 06:39 AM
Then it seems that you are running the packet tracer incorrectly.
Try for example any other IP that is not 10.100.104.20 as the source, for example:
packet-tracer input outside tcp 10.100.104.10 9100 172.29.8.20 9100
Let me know the result and post please.
Value our effort and rate the assistance!
11-21-2013 07:00 AM
Just tried with a different IP with the 172.29 being the destination and it came up with the same error. Is the NAT possibly set up incorrectly?
Many thanks
11-21-2013 07:33 AM
Sorry, my bad, it's like this:
packet-tracer input outside tcp 10.100.104.10 9100 10.100.104.20 9100
Value our effort and rate the assistance!
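To make the difference between the two traces concrete, here is a small toy model of the static object NAT from this thread together with the reverse-path (rpf-check) test that the NAT phase of packet-tracer performs. This is an added example, not ASA code or anything from the thread's participants; the rule, interfaces and addresses are the ones posted above, and the untranslate/translate functions are a simplified model of ASA behaviour.

```python
"""Toy model of ASA static object NAT plus the rpf-check in packet-tracer's NAT phase.

Models this thread's rule:
  object network TSTC-Printing
   nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
The real host 172.29.8.20 on inside is presented as 10.100.104.20 on outside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticNat:
    real_if: str      # interface where the real host lives
    mapped_if: str    # interface where the mapped address is presented
    real_ip: str
    mapped_ip: str
    port: int         # service tcp <real-port> <mapped-port> (same port here)


RULES = [StaticNat("inside", "outside", "172.29.8.20", "10.100.104.20", 9100)]


def untranslate(in_if, dst, dport):
    """Rewrite a mapped destination to its real address; return (real_dst, egress_if)."""
    for r in RULES:
        if in_if == r.mapped_if and dst == r.mapped_ip and dport == r.port:
            return r.real_ip, r.real_if
    # No rule matched: destination is used as-is, egress is the "other" interface.
    return dst, ("inside" if in_if == "outside" else "outside")


def forward_translate(src_if, src, sport):
    """Source translation applied to a flow leaving the real interface."""
    for r in RULES:
        if src_if == r.real_if and src == r.real_ip and sport == r.port:
            return r.mapped_ip
    return src


def packet_trace(in_if, src, dst, dport):
    """Return (result, reason). rpf-check passes only if the reply flow from the
    real destination translates back to exactly the address the sender used."""
    real_dst, out_if = untranslate(in_if, dst, dport)
    reply_src = forward_translate(out_if, real_dst, dport)
    if reply_src != dst:
        # This is the case in the thread: dst 172.29.8.20 from outside, but the
        # reply would leave as 10.100.104.20, so the flow is asymmetric and dropped.
        return "DROP", "(acl-drop) Flow is denied by configured rule [nat rpf-check]"
    return "ALLOW", f"{src} -> {real_dst}:{dport} via {out_if}"
```

Tracing to the real address 172.29.8.20 from outside drops at rpf-check, while tracing to the mapped address 10.100.104.20 is untranslated and allowed, which is exactly why the second packet-tracer command succeeded.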
11-21-2013 08:06 AM
That trace worked fine. I only have access to the ASDM at the moment so can't copy the log, but it passed the RPF check and also another set of IP options lookup and flow creation.
So how would I go about creating a NAT so that the print job sent to 10.100.104.20 gets forwarded on to 172.29.8.20? These are print jobs on port 9100.
Many thanks
11-21-2013 08:18 AM
That is the point: it is already created. The issue is that you were running the packet tracer incorrectly.
If you want we can talk over Skype: juanmh84 is my ID, or when I get to work you can call my number; I get in in around 40 min.
Value our effort and rate the assistance!
11-25-2013 05:32 AM
After talking this over, it seems that your PCs are local to the printer but the login page points to the translated IP of 10.100.104.20.
Here is the configuration:
object network TSTC-Printing_internal
 host 172.29.8.20
object network TSTC-Printing_NAT_IP
 host 10.100.104.20
nat (inside,inside) source dynamic any interface destination static TSTC-Printing_NAT_IP TSTC-Printing_internal
same-security-traffic permit intra-interface
If you need anything else please let me know.
Value our effort and rate the assistance!
11-25-2013 06:49 AM
If the traffic is coming from the outside you can configure the same line, just defining outside as the source interface:
nat (outside,inside) 1 source dynamic any interface destination static TSTC-Printing_NAT_IP TSTC-Printing_internal
Value our effort and rate the assistance!