rpf-check DROP on ASA 5520 -ver:9.1(2)

msameerkn (Level 1)

Hi ,

I am using an ASA 5520, version 9.1(2), and have configured a static PAT to reach the internal server on the specified port from the public IP address (5.x.x.x). I am able to telnet to the port (telnet 6.x.x.x 8100), but cannot access the server from 5.x.x.x, and packet-tracer shows the error rpf-check DROP.


Static PAT config:

object network object-10.10.10.1
 host 10.10.10.1
 nat (inside,outside) static 6.x.x.x service tcp 8100 8100

ACL:

access-list inside_access_in extended permit tcp host 10.10.10.1 host 5.x.x.x eq 8100
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Packet-tracer

ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 8100 10.10.10.1 8100 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.0.0       255.255.0.0     inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100

Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74e10a38, priority=13, domain=permit, deny=false
        hits=56, user_data=0x6f4f9f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=5.x.x.x, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x73269260, priority=0, domain=nat-per-session, deny=false
        hits=219318200, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74509710, priority=0, domain=inspect-ip-options, deny=true
        hits=90283841, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74c5ba38, priority=20, domain=lu, deny=false
        hits=10678572, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74e1d520, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=12671659, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network object-10.10.10.1

nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x75ae3dd8, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x75ae3ef8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-01pri# sh nat

4 (inside) to (outside) source static object-10.10.10.1 6.x.x.x   service tcp 8100 8100

    translate_hits = 0, untranslate_hits = 229



The packet tracer is showing a drop because you have defined the private IP of the server.  Change this to the NATed public IP of the server and you will get a correct output from the packet tracer.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
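Marius's point, that a trace entering the outside interface must target the mapped (public) address of a static NAT rather than the server's real address, is easy to miss in a long packet-tracer dump. The parser below is an added example, not code from this thread or from Cisco: it walks the phase list, reports the first DROP phase with its Drop-reason, and when that phase is NAT/rpf-check it checks the command line against the static NAT shown in the phase's Config and flags the real-versus-mapped mix-up. The sample dumps and command lines are constructed from the output posted above.

```python
import re

# Constructed samples modelled on the thread: the failing run traced the real IP in from outside.
FAILING_CMD = "packet-tracer input outside tcp 5.x.x.x 8100 10.10.10.1 8100 detailed"
FAILING = """\
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PASSING_CMD = "packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed"
PASSING = "Phase: 1\nType: UN-NAT\nSubtype: static\nResult: ALLOW\n\nResult:\nAction: allow\n"

PHASE_RE = re.compile(r"Phase: (?P<num>\d+)\nType: (?P<type>\S+)\nSubtype: ?(?P<sub>\S*)\nResult: (?P<res>\w+)")

def parse_phases(output):
    """Return (number, type, subtype, result) for every phase in a packet-tracer dump."""
    return [(int(m["num"]), m["type"], m["sub"], m["res"]) for m in PHASE_RE.finditer(output)]

def first_drop(output):
    """The first phase whose Result is DROP, or None when the packet was allowed."""
    return next((p for p in parse_phases(output) if p[3] == "DROP"), None)

def diagnose(cmd, output):
    """Explain a packet-tracer result; cmd is the command line that produced output."""
    drop = first_drop(output)
    if drop is None:
        return "allowed"
    num, ptype, sub, _ = drop
    reason = re.search(r"Drop-reason: (.*)", output)
    msg = f"phase {num} {ptype}/{sub} dropped the packet" + (f" ({reason.group(1)})" if reason else "")
    # The gotcha from the thread: a trace entering the mapped side of a static NAT must use the mapped address.
    args = re.search(r"input (\S+) \S+ \S+ \d+ (\S+) \d+", cmd)
    if ptype == "NAT" and sub == "rpf-check" and args:
        ifc, dst = args.groups()
        nat = re.search(r"nat \(\w+," + re.escape(ifc) + r"\) static (\S+)", output)
        if nat and nat.group(1) != dst:
            msg += f"; {dst} is the real address, rerun with mapped address {nat.group(1)}"
    return msg
```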

Hi Marius ,

Thank you for your assistance .

I used the NATed IP address in packet-tracer and the result is below. The server team is still blaming the issue on the network; is there any other way to find out whether the traffic is reaching the private IP address (5.x.x.x to 10.10.10.1)?

ASA-01/pri# packet-tracer input outside tcp 5.x.x.x. 8100  6.x.x.x 8100

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network object-10.10.10.1

nat (inside,outside) static 6.x.x.x.x service tcp 8100 8100

Additional Information:
NAT divert to egress interface inside
Untranslate 6.x.x.x/8100 to 10.10.10.1/8100

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100

Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network object-10.10.10.1

nat (inside,outside) static 6.x.x.x service tcp 8100 8100

Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216899202, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

As per the packet tracer, traffic from 5.x.x.x to 6.x.x.x on port 8100 is permitted through the ASA.


Also issue the command show xlate 10.10.10.1 and make sure that the server is being NATed to the correct IP.


Thanks for the quick response.

ASA-01/pri# show xlate | inc 10.10.10.1

TCP PAT from inside:10.10.10.1 8100-8100 to outside:6.x.x.x 8100-8100

Everything looks to be OK from the ASA perspective, but run one more packet tracer to be on the safe side:

packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed

I am assuming this will be successful too, but just to be sure as most PCs will send a request using a random high port number.


ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network object-10.10.10.1-1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
NAT divert to egress interface inside
Untranslate 6.x.x.x/8100 to 10.10.10.1/8100

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x75463aa8, priority=13, domain=permit, deny=false
        hits=13, user_data=0x6f4fa280, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=5.x.x.x, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x73269260, priority=0, domain=nat-per-session, deny=false
        hits=219392514, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74509710, priority=0, domain=inspect-ip-options, deny=true
        hits=90342414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74c5ba38, priority=20, domain=lu, deny=false
        hits=10688696, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74e1d520, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=12684409, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x762fc120, priority=6, domain=nat-reverse, deny=false
        hits=41, user_data=0x73130810, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x73269260, priority=0, domain=nat-per-session, deny=false
        hits=219392516, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x6d8d7620, priority=0, domain=inspect-ip-options, deny=true
        hits=143310603, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216909225, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

From these outputs I would say the problem lies either with the server or between the ASA and the server.  If they want you to give more proof run a packet capture.  You should see the packet enter the outside interface destined for 6.x.x.x port 8100 and leave the ASA inside interface destined for 10.10.10.1 port 8100.  If you see return traffic enter the inside interface and leave the outside interface then I would check with your ISP to see if they are blocking certain types of traffic.

But as I said, I doubt you will see the return traffic.


They are using an ACE load balancer for the servers, and 10.10.10.1 is the VIP for the servers.

Then I would tell them that the packet is permitted through the ASA in both directions and that they should double check their config.


Nothing to do on the ACE, and it needs to be checked on the server side, right?

I would think there is an issue with the server configuration, as long as the packet is reaching the server that is.


Thanks Marius.

As you said, it was a server configuration issue.

Glad you got it sorted out.
