03-22-2019 07:39 AM
Hello
I have an issue with NAT configuration
packet-tracer input DMZ1 tcp 192.168.141.20 1212 192.168.140.20 445
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.140.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz1 in interface DMZ1
access-list dmz1 extended permit tcp object-group Servidores_DMZ1 object-group Servidores_INFRA_Usuarios_Inside object-group AWL_Ports
object-group network Servidores_DMZ1
description: Servidores de Negocio
network-object 192.168.141.0 255.255.255.0
object-group network Servidores_INFRA_Usuarios_Inside
description: servidores de Infra MZA y Usuarios
network-object 192.168.140.0 255.255.255.0
object-group service AWL_Ports tcp-udp
description: Puertos AWL
port-object range 49152 65535
port-object eq 389
port-object eq 445
port-object eq 464
port-object eq 88
port-object eq domain
port-object eq 137
port-object eq 636
port-object eq 22
port-object eq 21239
port-object eq 138
port-object eq 123
port-object eq 139
port-object eq 135
port-object eq 3389
port-object eq 3128
port-object eq 3268
port-object eq 3269
port-object eq 4343
port-object range 8530 8531
port-object eq 5722
port-object eq 5985
port-object eq www
port-object eq 443
port-object eq 8080
port-object eq echo
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global-policy
class class-default
inspect ftp
service-policy global-policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ1) 1 192.168.141.0 255.255.255.0
match ip DMZ1 192.168.141.0 255.255.255.0 dmz2 any
dynamic translation to pool 1 (192.168.142.1 [Interface PAT])
translate_hits = 518, untranslate_hits = 9
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.140.0 255.255.255.0
match ip inside 192.168.140.0 255.255.255.0 DMZ1 any
dynamic translation to pool 1 (192.168.141.198 [Interface PAT])
translate_hits = 1385119, untranslate_hits = 66342
Additional Information:
Result:
input-interface: DMZ1
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
*************
nat (inside) 0 access-list 101
nat (inside) 1 192.168.140.0 255.255.255.0
nat (dmz2) 0 access-list dmz2_nat0_outbound
nat (dmz2) 1 192.168.142.0 255.255.255.0
nat (DMZ1) 0 access-list 102
nat (DMZ1) 1 192.168.141.0 255.255.255.0
nat (dmz3) 0 access-list 103
nat (dmz3) 1 10.1.1.0 255.255.255.0
nat (dmz4) 0 access-list 104
**************
global (dmz2) 1 interface
global (OUTSIDE) 1 interface
global (DMZ1) 1 interface
global (dmz3) 1 interface
global (dmz4) 1 interface
global (Internet) 1 interface
Thanks for your help
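As an added example for this thread (not part of the original post or of the ASA itself), a small Python parser that splits packet-tracer output in the layout shown above into phases and reports the first phase that returned DROP together with its Drop-reason. The SAMPLE text is a constructed abridgement of the output above, keeping only the lines the parser needs.

```python
import re

# Constructed abridgement of the packet-tracer output posted above (same layout).
SAMPLE = """\
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 192.168.140.0 255.255.255.0
  match ip inside 192.168.140.0 255.255.255.0 DMZ1 any
Additional Information:
Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

HEADER = re.compile(r"^(Phase|Type|Subtype|Result|Config|Additional Information):\s*(.*)$")

def parse_phases(text):
    """One dict per 'Phase:' block: phase, type, subtype, result, config lines."""
    phases, cur, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            key, val = m.groups()
            if key == "Phase":  # start of a new phase block
                cur = {"phase": int(val), "config": []}
                phases.append(cur)
                section = None
            elif key == "Result" and not val:
                break  # bare 'Result:' opens the final summary, not a phase
            elif key in ("Config", "Additional Information"):
                section = key
            elif cur is not None:
                cur[key.lower()] = val
        elif cur is not None and section == "Config":
            cur["config"].append(line.strip())  # the rule this phase matched
    return phases

def first_drop(text):
    """(phase, type, subtype, drop-reason) for the first DROP phase, else None."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            m = re.search(r"^Drop-reason:\s*(.*)$", text, re.M)
            return p["phase"], p["type"], p.get("subtype", ""), m.group(1) if m else ""
    return None
```

Run against the full output above it returns Phase 6 (NAT, rpf-check) with the nat (inside) 1 statement as the matched config, which is the rule to look at first.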
03-23-2019 08:21 AM
The RPF drop in packet-tracer could be that you are specifying an incorrect source or destination IP. What is the IP of your inside interface? Have you done any other connectivity tests other than this packet-tracer?
03-24-2019 11:02 AM
Ethernet0/3 DMZ1 192.168.141.198 255.255.255.0 CONFIG
Ethernet0/0 inside 192.168.140.198 255.255.255.0 CONFIG