06-29-2012 07:26 AM - edited 03-11-2019 04:24 PM
Hi,
I am having a NAT issue and I am not sure what is going on. I have tried configuring nat exempt but that didn't solve the issue.
ASA 5520
version 8.2
My client has the inside network on interface gig0/1.100 and the guest network on gig0/2.200. The whole 10.77.1.0/24 network needs to be able to reach the server with IP 10.47.47.80 using HTTP. The access list is in place on the guest interface to allow traffic to the server. The problem is that when I do a packet trace to see the traffic flow, it is dropped on a NAT rpf-check.
NAT control is disabled.
fw-001# packet-tracer input languest tcp 10.77.1.2 4444 10.47.47.80 www detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.47.32.0 255.255.224.0 inside
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.77.1.0 255.255.255.0 languest
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group languest in interface languest
access-list languest extended permit tcp 10.77.0.0 255.255.0.0 host 10.47.47.80 eq www
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcf9a8d68, priority=12, domain=permit, deny=false
hits=24, user_data=0xca3a2880, cs_id=0x0, flags=0x0, protocol=6
src ip=10.77.0.0, mask=255.255.0.0, port=0
dst ip=10.47.47.80, mask=255.255.255.255, port=80, dscp=0x0
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcccf80d0, priority=0, domain=inspect-ip-options, deny=true
hits=20976, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9d9560, priority=21, domain=lu, deny=true
hits=29, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=80, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0
match ip languest 10.77.1.0 255.255.255.0 telenorguest any
static translation to 10.77.1.0
translate_hits = 3682, untranslate_hits = 6954
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccd78a00, priority=5, domain=host, deny=false
hits=16886022, user_data=0xccd783c0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.77.1.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any languest any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xccd6e600, priority=1, domain=nat-reverse, deny=false
hits=25, user_data=0xccd6e390, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: languest
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any ideas why this is happening?
Thanks
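As an added example (not from the thread), a small Python parser for the packet-tracer output format quoted above: it splits the output into phases and reports the first phase that returns DROP together with the config lines of the rule that caused it, so the rpf-check failure stands out without reading the whole trace. The embedded input is an excerpt of the question's own trace (phases 7 and 8 and the trailing summary).

```python
# Excerpt of the packet-tracer output quoted in the question (phases 7, 8, trailer).
SAMPLE_TRACE = """\
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (languest,telenorguest) 10.77.1.0 10.77.1.0 netmask 255.255.255.0
  match ip languest 10.77.1.0 255.255.255.0 telenorguest any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any languest any
    dynamic translation to pool 1 (No matching global)
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into phases: type, subtype, result, config lines."""
    phases, current, in_config = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": []}
            phases.append(current)
            in_config = False
        elif line == "Result:":  # bare "Result:" starts the trailing summary
            current = None
        elif current is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            current[key.lower()] = value.strip()
        elif line == "Config:":
            in_config = True
        elif line == "Additional Information:":
            in_config = False
        elif in_config and line:
            current["config"].append(line)
    return phases

def find_drop(phases):
    """Return the first phase whose Result is DROP (None if the packet was allowed)."""
    return next((p for p in phases if p["result"] == "DROP"), None)
```

Run `find_drop(parse_phases(open("trace.txt").read()))` on a saved trace; the returned `config` list is the NAT rule to fix.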
06-29-2012 07:52 AM
Hello,
Is the server on the telenorguest interface?
And you want to access it from the languest interface, so you need to NAT the server for the telenorguest to see it.
Try with this static:
static (telenorguest,languest) 10.47.47.80 10.47.47.80
Let me know if this works for you
06-29-2012 08:01 AM
Ugh!!! So simple. I should have thought of that. Thanks :-)
If it wasn't obvious, it worked.