NAT rpf-check Result: DROP

148784
Hello

I have an issue with NAT configuration.

packet-tracer input DMZ1 tcp 192.168.141.20 1212 192.168.140.20 445

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.140.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz1 in interface DMZ1
access-list dmz1 extended permit tcp object-group Servidores_DMZ1 object-group Servidores_INFRA_Usuarios_Inside object-group AWL_Ports
object-group network Servidores_DMZ1
description: Servidores de Negocio
network-object 192.168.141.0 255.255.255.0
object-group network Servidores_INFRA_Usuarios_Inside
description: servidores de Infra MZA y Usuarios
network-object 192.168.140.0 255.255.255.0
object-group service AWL_Ports tcp-udp
description: Puertos AWL
port-object range 49152 65535
port-object eq 389
port-object eq 445
port-object eq 464
port-object eq 88
port-object eq domain
port-object eq 137
port-object eq 636
port-object eq 22
port-object eq 21239
port-object eq 138
port-object eq 123
port-object eq 139
port-object eq 135
port-object eq 3389
port-object eq 3128
port-object eq 3268
port-object eq 3269
port-object eq 4343
port-object range 8530 8531
port-object eq 5722
port-object eq 5985
port-object eq www
port-object eq 443
port-object eq 8080
port-object eq echo
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global-policy
class class-default
inspect ftp
service-policy global-policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ1) 1 192.168.141.0 255.255.255.0
match ip DMZ1 192.168.141.0 255.255.255.0 dmz2 any
dynamic translation to pool 1 (192.168.142.1 [Interface PAT])
translate_hits = 518, untranslate_hits = 9
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.140.0 255.255.255.0
match ip inside 192.168.140.0 255.255.255.0 DMZ1 any
dynamic translation to pool 1 (192.168.141.198 [Interface PAT])
translate_hits = 1385119, untranslate_hits = 66342
Additional Information:

Result:
input-interface: DMZ1
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

*************

nat (inside) 0 access-list 101
nat (inside) 1 192.168.140.0 255.255.255.0
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz2) 1 192.168.142.0 255.255.255.0
nat (DMZ1) 0 access-list 102
nat (DMZ1) 1 192.168.141.0 255.255.255.0
nat (dmz3) 0 access-list 103
nat (dmz3) 1 10.1.1.0 255.255.255.0
nat (dmz4) 0 access-list 104

**************

global (dmz2) 1 interface
global (OUTSIDE) 1 interface
global (DMZ1) 1 interface
global (dmz3) 1 interface
global (dmz4) 1 interface
global (Internet) 1 interface
Thanks for your help
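The phase-by-phase output above can be triaged mechanically. As an added example (not code from this thread or from Cisco), the Python below parses packet-tracer phase blocks and returns the first phase whose Result is DROP together with the config line it matched; `SAMPLE` is a constructed excerpt in the same format, and `parse_packet_tracer` and `drop_phase` are names chosen here.

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped the
packet. Added example; SAMPLE is a constructed excerpt in the post's format."""
SAMPLE = """\
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ1) 1 192.168.141.0 255.255.255.0
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.140.0 255.255.255.0
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per phase plus the trailing Result block."""
    phases, summary, section, cur = [], {}, None, {}   # cur={} is a throwaway until the first Phase
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase" and value.isdigit():
            cur = {"number": int(value), "Config": [], "Additional Information": []}
            phases.append(cur)
            section = None
        elif line == "Result:":            # bare 'Result:' opens the final summary block
            cur, section = None, "summary"
        elif section == "summary":
            summary[key] = value           # e.g. Action, Drop-reason
        elif section is None and key in ("Type", "Subtype", "Result"):
            cur[key] = value
        elif line in ("Config:", "Additional Information:"):
            section = key
        elif section in cur:
            cur[section].append(line)      # keep config/info lines verbatim
    return phases, summary

def drop_phase(text):
    """First phase whose Result is DROP, or None if every phase allowed the packet."""
    phases, _ = parse_packet_tracer(text)
    return next((p for p in phases if p.get("Result") == "DROP"), None)
```

Running `drop_phase(SAMPLE)` on the excerpt returns phase 6 (NAT/rpf-check) with the `nat (inside) 1` line it matched, which is the rule to look at first.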


The RPF drop in packet-tracer could be that you are specifying an incorrect source or destination IP. What is the IP of your inside interface? Have you done any other connectivity tests other than this packet-tracer?

--
Please remember to select a correct answer and rate helpful posts

Ethernet0/3 DMZ1 192.168.141.198 255.255.255.0 CONFIG

Ethernet0/0 inside 192.168.140.198 255.255.255.0 CONFIG
