05-03-2013 04:35 PM - edited 03-11-2019 06:38 PM
Hi Team.
I know that in Cisco PIX up to the 8.2 OS, if I have NAT control disabled and an ACL permitting the connection from Low Security (DMZ) to High Security (INSIDE), then the connection should be successful, and I don't need any STATIC identity NAT of the inside IP to be created.
But I have a Cisco PIX 525 with Version 7.2(2),
which is not allowing the connection from DMZ to INSIDE, although nat-control is disabled, and is giving an RPF check failure.
Any thoughts?
PIT525PIXINET# sh running-config nat-control
no nat-cont
packet-tracer input dmZ tcp 192.168.85.4 65000 10.34.21.25 3389
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip 192.168.85.0 255.255.255.0 any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 1 access-list NATDMZ
match ip DMZ host 192.168.85.4 outside any
dynamic translation to pool 1 (38.43.45.5)
translate_hits = 33, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list NAT
match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0
dynamic translation to pool 1 (192.168.85.200)
translate_hits = 69899671, untranslate_hits = 7
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
05-03-2013 04:47 PM
Hi,
Can you share the output of the following commands:
show run global 1
show run nat 1
show access-list NATDMZ
show access-list NAT
Or alternatively show the whole running configuration.
To me it seems you have Dynamic Policy NAT/PAT configurations from "inside" to "dmz" that are causing problems.
In other words the direction "dmz" -> "inside" is fine, but on the way back "inside" -> "dmz" the traffic hits a certain NAT rule and because of this it fails.
This is what is causing the problems:
nat (inside) 1 access-list NAT
match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0
Return traffic from "inside" to "dmz" is matching this Dynamic Policy NAT/PAT rule on the way back and the connection fails.
I guess the easiest way to look at this would be the whole configuration.
- Jouni
05-03-2013 04:49 PM
One possible solution is to configure Static Identity NAT for this single "inside" IP address towards "dmz".
Or you will have to configure some NAT0 configuration for this host.
Or you will have to remove the Dynamic Policy NAT/PAT towards the "dmz" interface.
- Jouni
05-03-2013 05:03 PM
Is it true in the 7.2 OS that if I access inside machine 10.34.21.25 from the DMZ, then the response from INSIDE to DMZ should have 10.34.21.25 as the Source IP in the return packet?
What is happening is that I have a NAT rule that PATs all traffic from 10.x.x.x (inside) to 192.168.85.200 when going to the DMZ.
So when a reply is coming from inside machine 10.34.21.25 it is changed to 192.168.85.200, and the firewall doesn't like it because the packet was destined for 10.34.21.25 and on the way back from inside to DMZ the source has become the 192.168.85.200 PAT IP.
If that's how the firewall is supposed to work, expecting the same IP in the source on the way back from INSIDE to DMZ, then I guess that's the problem. Am I right?
05-03-2013 05:13 PM
Hi,
When we are looking at the connection initiation from "dmz" to "inside", the traffic DOESN'T match any NAT rule.
When the reply/return traffic from "inside" to "dmz" is coming through the firewall, it matches a Dynamic Policy PAT configuration:
global (DMZ) 1 192.168.85.200
nat (inside) 1 access-list DMZNAT
or
global (DMZ) 1 interface
nat (inside) 1 access-list DMZNAT
If you don't want to remove any existing NAT rules, you might need to configure NAT0, for example if the host IP addresses used in the "packet-tracer" command are the only IP addresses that need to communicate with each other:
access-list DMZ-NAT0 permit ip host 192.168.85.4 host 10.34.21.25
nat (DMZ) 0 access-list DMZ-NAT0
Naturally the host is expecting to receive the reply to the connection from the IP address to which it attempted to form the connection.
- Jouni
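The pieces discussed above, collected into one pre-8.3 configuration view as an added example; this is not configuration taken from the thread or from the OP's device. The body of access-list NAT is assumed from the "match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0" line in the packet-tracer output, and the static identity command is the 7.x syntax for the first option Jouni names. Only one of the two fixes is needed; nat-control stays disabled throughout.

```cisco
! Existing configuration, reconstructed (assumed) from the packet-tracer output:
! dynamic policy PAT for inside -> DMZ. Return traffic of a DMZ-initiated
! connection to 10.34.21.25 also matches it, so the source would be rewritten
! to 192.168.85.200 and the NAT rpf-check phase drops the flow.
global (DMZ) 1 192.168.85.200
access-list NAT extended permit ip 10.0.0.0 255.0.0.0 192.168.85.0 255.255.255.0
nat (inside) 1 access-list NAT
!
! Fix option 1: static identity NAT for the single inside host.
! Static entries are evaluated before dynamic policy NAT, so replies from
! 10.34.21.25 towards the DMZ keep their real address.
static (inside,DMZ) 10.34.21.25 10.34.21.25 netmask 255.255.255.255
!
! Fix option 2 (alternative to option 1): NAT exemption for the host pair.
! nat 0 access-list is bidirectional and is checked before any other NAT rule.
access-list DMZ-NAT0 extended permit ip host 192.168.85.4 host 10.34.21.25
nat (DMZ) 0 access-list DMZ-NAT0
!
! Verification: the NAT rpf-check phase should now report Result: ALLOW.
packet-tracer input DMZ tcp 192.168.85.4 65000 10.34.21.25 3389
```

Both fixes leave the existing dynamic PAT in place for every other inside host, which is why they are preferable to removing the nat (inside) 1 rule. The point the rpf-check enforces is the one raised in the question above: the DMZ host connected to 10.34.21.25, so the reply must leave the firewall from 10.34.21.25, and any rule that would translate that source on the return path causes the drop.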
05-03-2013 05:20 PM
Thank you to both of you. Actually there are a few firewalls in the organization, and on a few only allowing the ACL makes the connection work, while on a few we need to create static identity NAT + ACL,
and on a few with only the ACL it's not working due to the above issue of the RPF check, so all the concepts were mixed. I was clarifying all this, and your answers helped in clearing my understanding.
Thank you very much.
05-03-2013 05:23 PM
Hi,
Glad to be of help.
- Jouni