NAT RPF-check Failure

ahmad82pkn
Level 2

Hi Team.

I know that in Cisco PIX up to OS 8.2, if I have NAT control disabled and an ACL permitting the connection from low security (DMZ) to high security (INSIDE), then the connection should be successful, and I don't need any static identity NAT of the inside IP to be created.

But I have a Cisco PIX 525 with Version 7.2(2),

which is not allowing connections from DMZ to INSIDE, although nat control is disabled, and is giving an RPF check failure.

Any thoughts?

PIT525PIXINET# sh running-config nat-control
no nat-cont

packet-tracer input dmZ  tcp 192.168.85.4 65000 10.34.21.25 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ in interface DMZ
access-list DMZ extended permit ip 192.168.85.0 255.255.255.0 any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 1 access-list NATDMZ
  match ip DMZ host 192.168.85.4 outside any
    dynamic translation to pool 1 (38.43.45.5)
    translate_hits = 33, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 access-list NAT
  match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0
    dynamic translation to pool 1 (192.168.85.200)
    translate_hits = 69899671, untranslate_hits = 7
Additional Information:

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

6 Replies

Jouni Forss
VIP Alumni

Hi,

Can you share the output of the following commands:

show run global 1
show run nat 1
show access-list NAT-DMZ
show access-list NAT

Or alternatively show the whole running configuration.

To me it seems you have Dynamic Policy NAT/PAT configurations from "inside" to "dmz" that are causing problems.

In other words, the direction "dmz" -> "inside" is fine, but on the way back, "inside" -> "dmz", the traffic hits a certain NAT rule and because of this it fails.

This is what is causing the problems:

nat (inside) 1 access-list NAT
  match ip inside 10.0.0.0 255.0.0.0 DMZ 192.168.85.0 255.255.255.0

Return traffic from "inside" to "dmz" is matching this Dynamic Policy NAT/PAT rule on the way back and the connection fails.

I guess the easiest way to look at this would be the whole configuration.

- Jouni

One possible solution is to configure Static Identity NAT for this single "inside" IP address towards "dmz".

Or you will have to configure some NAT0 configuration for this host.

Or you will have to remove the Dynamic Policy NAT/PAT towards the "dmz" interface.

- Jouni

ahmad82pkn
Level 2

Is it true in the 7.2 OS that if I access inside machine 10.34.21.25 from DMZ, then the response from INSIDE to DMZ should have 10.34.21.25 as the source IP in the return packet?

What is happening is that I have a NAT rule that PATs all traffic from 10.x.x.x (inside) to 192.168.85.200 when going to DMZ.

So when a reply comes from inside machine 10.34.21.25, it is changed to 192.168.85.200 and the firewall doesn't like it, because the packet was destined for 10.34.21.25 and on the way back from inside to DMZ the source has become the 192.168.85.200 PAT IP.

If that's how the firewall is supposed to work, expecting the same IP in the source on the way back from INSIDE to DMZ, then I guess that's the problem.. am I right?

Hi,

When we are looking at the connection initiation from "dmz" to "inside" the traffic DOESNT match any NAT rule.

When the reply/return traffic from "inside" to "dmz" comes through the firewall, it matches a Dynamic Policy PAT configuration:

global (DMZ) 1 192.168.85.200
nat (inside) 1 access-list DMZNAT

or

global (DMZ) 1 interface
nat (inside) 1 access-list DMZNAT

If you don't want to remove any existing NAT rules, you might need to configure NAT0, for example if the host IP addresses used in the "packet-tracer" command are the only IP addresses that need to communicate with each other:

access-list DMZ-NAT0 permit ip host 192.168.85.4 host 10.34.21.35
nat (DMZ) 0 access-list DMZ-NAT0

Naturally the host is expecting to receive the reply to the connection from the IP address to which it attempted to form the connection.

- Jouni
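To make the return-path reasoning in the two answers above concrete, here is a small Python model (an added example, not Cisco's implementation and not code from this thread) of the rpf-check over the two dynamic NAT rules visible in the packet-tracer output, run once as configured and once with each of the proposed fixes. The rule representation, the `to` interface field and the pre-8.3 precedence nat 0 access-list > static > dynamic are simplifying assumptions of this model.

```python
# Simplified model of the pre-8.3 PIX/ASA NAT rpf-check behaviour described in this
# thread. Constructed illustration only: not Cisco's code. A rule is matched by the
# interface it is configured on, the interface its global/mapped address lives on,
# and its policy ACL, with the classic precedence nat 0 access-list > static > dynamic.
from ipaddress import ip_address, ip_network

PRIORITY = {"exempt": 0, "static": 1, "dynamic": 2}

def rule(ifc, to, src, dst, kind, mapped=None):
    return {"ifc": ifc, "to": to, "src": src, "dst": dst, "kind": kind, "mapped": mapped}

def match(rules, in_ifc, out_ifc, src, dst):
    """Highest-precedence rule on in_ifc (towards out_ifc) whose ACL covers src -> dst."""
    hits = [r for r in rules if r["ifc"] == in_ifc and r["to"] in (out_ifc, "*")
            and ip_address(src) in ip_network(r["src"], strict=False)
            and ip_address(dst) in ip_network(r["dst"], strict=False)]
    return min(hits, key=lambda r: PRIORITY[r["kind"]]) if hits else None

def rpf_check(rules, in_ifc, out_ifc, src, dst):
    """Phases 6-7 of packet-tracer: apply forward NAT, then require that the reply
    (dst -> src, entering on out_ifc) keeps dst, the address the client targeted."""
    fwd = match(rules, in_ifc, out_ifc, src, dst)
    if fwd and fwd["kind"] == "exempt":      # nat 0 access-list exempts both directions
        return "ALLOW"
    if fwd and fwd["kind"] == "dynamic":
        src = fwd["mapped"]                   # forward flow leaves with the pool address
    rev = match(rules, out_ifc, in_ifc, dst, src)
    if rev and rev["kind"] == "dynamic":      # reply would be re-sourced to the DMZ pool
        return "DROP rpf-check: reply from %s would leave as %s" % (dst, rev["mapped"])
    return "ALLOW"

# The two dynamic rules visible in the packet-tracer output (constructed encoding).
BROKEN = [
    rule("DMZ", "outside", "192.168.85.0/24", "0.0.0.0/0", "dynamic", "38.43.45.5"),
    rule("inside", "DMZ", "10.0.0.0/8", "192.168.85.0/24", "dynamic", "192.168.85.200"),
]
# Fix 1: static (inside,DMZ) identity NAT for the single inside host.
IDENTITY = BROKEN + [rule("inside", "DMZ", "10.34.21.25/32", "0.0.0.0/0", "static", "10.34.21.25")]
# Fix 2: nat (DMZ) 0 access-list exempting the host pair.
EXEMPT = BROKEN + [rule("DMZ", "*", "192.168.85.4/32", "10.34.21.25/32", "exempt")]

def trace(rules):
    """The thread's flow: 192.168.85.4 on DMZ -> 10.34.21.25 on inside."""
    return rpf_check(rules, "DMZ", "inside", "192.168.85.4", "10.34.21.25")

if __name__ == "__main__":
    for name, rules in (("as configured", BROKEN), ("identity NAT", IDENTITY), ("nat 0", EXEMPT)):
        print("%-14s %s" % (name, trace(rules)))
```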

Thank you to both of you. Actually there were a few firewalls in the organization, and on a few only allowing an ACL makes the connection, while on a few we need to create static identity NAT + ACL.

And on a few with only an ACL it's not working due to the above issue of the RPF check, so all concepts were mixed; I was clarifying all the stuff, and your answers helped in clearing my understanding.

thank you very much.

Hi,

Glad to be of help

- Jouni
