Can't ping public interface used by NAT

tim829
Level 1

Our WAN IP address is xxx.xxx.210.131; I can ping this address from the outside fine.

I have the following NAT setup, which is working fine; it's nothing more than another public IP address from our block that translates to an internal web server.

object network Web_Server
nat (inside,outside) static xxx.xxx.210.137 service tcp www www

For testing purposes I would like to be able to ping these sub-interfaces that are set up in NATs from the outside as well.

When running a continuous ping from the outside I'm seeing the following in the log:

5 Apr 01 2016 11:08:24 305013 XXX.XXX.17.146 XXX.XXX.210.137 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:XXX.XXX.17.146 dst outside:XXX.XXX.210.137 (type 8, code 0) denied due to NAT reverse path failure


I've tried to allow ICMP in the access list for the above server, but it didn't help. Given the error, it seems like it's a NAT issue.

Thanks

3 Replies

Aditya Ganjoo
Cisco Employee

Hi Tim,

It seems the traffic is dropped due to NAT RPF check.

Could you share the packet-tracer output, please?

packet-tracer input out icmp <out ip> 8 0 XXX.XXX.210.137 det 

Regards,

Aditya

Please rate helpful posts

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop XXX.XXX.210.137 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad67f6f70, priority=13, domain=permit, deny=false
        hits=72704, user_data=0x2aaacda57380, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
Dynamic translate XXX.XXX.17.146/0 to XXX.XXX.210.131/53292
 Forward Flow based lookup yields rule:
 in  id=0x2aaad5b20900, priority=6, domain=nat, deny=false
        hits=13998402, user_data=0x2aaad5b1f140, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad4f43010, priority=0, domain=nat-per-session, deny=true
        hits=10582275, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad595ab80, priority=0, domain=inspect-ip-options, deny=true
        hits=13370529, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad7a4ebe0, priority=70, domain=inspect-icmp, deny=false
        hits=74447, user_data=0x2aaad7a4e150, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad595a390, priority=66, domain=inspect-icmp-error, deny=false
        hits=1083694, user_data=0x2aaad5959900, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad62363d0, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=1181527, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
 nat (any,outside) dynamic interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x2aaad5b20da0, priority=6, domain=nat-reverse, deny=false
        hits=72830, user_data=0x2aaad5b1f140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
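Reading a nine-phase trace like the one above by hand is slow, and the line that matters is the single "Result: DROP" and the "Config:" block under it. As an added example (not code from this thread or from Cisco), here is a small Python parser that splits packet-tracer output into per-phase records and returns the phase that dropped the packet; the embedded trace is a constructed sample in the same layout, cut to two phases and using an RFC 5737 address in place of the poster's.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

def parse_packet_tracer(text):
    """Split ASA packet-tracer output into Phase records plus the final Action."""
    phases, action, cur, section = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerates the doubled blank lines of a pasted capture
        if m := re.fullmatch(r"Phase:\s*(\d+)", line):
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the trailing summary block
            cur = section = None
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip()
        elif cur is None:
            continue  # summary lines such as "output-interface: outside"
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = (s.strip() for s in line.split(":", 1))
            setattr(cur, key.lower(), val)
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            getattr(cur, section).append(line)
    return phases, action

def drop_phase(phases):
    """First phase whose Result is DROP, or None when the tracer allowed the packet."""
    return next((p for p in phases if p.result == "DROP"), None)

# Constructed sample in the same layout as the trace above (RFC 5737 address), cut to two phases.
SAMPLE = "\n".join([
    "Phase: 1", "Type: ROUTE-LOOKUP", "Subtype: Resolve Egress Interface", "Result: ALLOW",
    "Config:", "Additional Information:", "found next-hop 203.0.113.137 using egress ifc  outside",
    "", "Phase: 2", "Type: NAT", "Subtype: rpf-check", "Result: DROP", "Config:",
    "object network obj_any", " nat (any,outside) dynamic interface", "Additional Information:",
    " out id=0x2aaad5b20da0, priority=6, domain=nat-reverse, deny=false",
    "", "Result:", "output-interface: outside", "Action: drop"])
```

Run against the full trace posted above, it reports phase 9 (Type NAT, Subtype rpf-check) and the `object network obj_any` / `nat (any,outside) dynamic interface` lines as the configuration the drop was attributed to.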

Tim,

Any specific reason you have it configured for port 80 only?

object network Web_Server
nat (inside,outside) static xxx.xxx.210.137 service tcp www www

Please try this and share the results:

object network Web_Server
nat (inside,outside) static xxx.xxx.210.137


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/