03-01-2014 07:59 AM - edited 03-11-2019 08:52 PM
Hi,
I am using an ASA 5520 running version 9.1(2) and have configured static PAT to reach the internal server on the specified port from the public IP address (5.x.x.x). I am able to telnet with the port (telnet 6.x.x.x 8100), but cannot access the server from 5.x.x.x; in packet-tracer the error I get is rpf-check DROP.
Static PAT config
object network object-10.10.10.1
host 10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
ACL
access-list inside_access_in extended permit tcp host 10.10.10.1 host 5.x.x.x eq 8100
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
Packet-tracer
ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 8100 10.10.10.1 8100 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.0.0 255.255.0.0 inside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74e10a38, priority=13, domain=permit, deny=false
hits=56, user_data=0x6f4f9f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=5.x.x.x, mask=255.255.255.255, port=0, tag=0
dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73269260, priority=0, domain=nat-per-session, deny=false
hits=219318200, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74509710, priority=0, domain=inspect-ip-options, deny=true
hits=90283841, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74c5ba38, priority=20, domain=lu, deny=false
hits=10678572, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74e1d520, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=12671659, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x75ae3dd8, priority=6, domain=nat-reverse, deny=false
hits=15, user_data=0x75ae3ef8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA-01pri# sh nat
4 (inside) to (outside) source static object-10.10.10.1 6.x.x.x service tcp 8100 8100
translate_hits = 0, untranslate_hits = 229
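An added helper, not from this thread or from Cisco, that parses packet-tracer output in the format shown above and reports the final action, the first DROP phase, its drop reason and the NAT rule printed under that phase; the sample trace is constructed to match the thread's format, with addresses masked as in the post.

```python
# Constructed sample in the packet-tracer format of this thread (addresses masked as in the post).
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    # One dict per "Phase: N" block (type/subtype/result plus the lines under
    # "Config:"), and a dict for the final summary after the bare "Result:" line.
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur, section = {"phase": int(line[6:]), "config": []}, None
            phases.append(cur)
        elif line == "Result:":                      # bare: summary follows
            cur, section = None, "summary"
        elif cur is not None and line in ("Config:", "Additional Information:"):
            section = line
        elif section == "Config:":
            cur["config"].append(line)
        else:
            key, sep, val = line.partition(":")
            if sep and cur is not None and section is None:
                cur[key.lower()] = val.strip()       # type / subtype / result
            elif sep and section == "summary":
                summary[key.lower()] = val.strip()   # action / drop-reason
    return phases, summary

def diagnose(text):
    # Final action, the first DROP phase, its drop reason and the NAT rule shown under it.
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    return {"action": summary.get("action"),
            "drop_reason": summary.get("drop-reason"),
            "dropped_in": f"{drop['type']}/{drop.get('subtype', '')}" if drop else None,
            "nat_rule": next((c for c in drop["config"] if c.startswith("nat ")), None)
                        if drop else None}
```

A trace that stops at NAT/rpf-check with a static NAT rule listed under it is the pattern this thread shows when the test used the real (inside) address on the outside interface instead of the mapped one.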
03-01-2014 08:50 AM
The packet tracer is showing a drop because you have defined the private IP of the server. Change this to the NATed public IP of the server and you will get a correct output from the packet tracer.
--
Please remember to rate and select a correct answer
03-01-2014 11:57 AM
Hi Marius,
Thank you for your assistance.
Used the NATed IP address in packet-tracer and the result is as below. Still, the server team is blaming the issue on the network. Is there any other option to find out whether the network is reaching the private IP address (5.x.x.x to 10.10.10.1)?
ASA-01/pri# packet-tracer input outside tcp 5.x.x.x. 8100 6.x.x.x 8100
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x.x service tcp 8100 8100
Additional Information:
NAT divert to egress interface inside
Untranslate 6.x.x.x/8100 to 10.10.10.1/8100
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216899202, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
03-01-2014 12:01 PM
As per the packet-tracer, traffic from 5.x.x.x to 6.x.x.x on port 8100 is permitted through the ASA.
--
Please remember to rate and select a correct answer
03-01-2014 12:06 PM
Also issue the command show xlate 10.10.10.1 and make sure that the server is being NATed to the correct IP.
--
Please remember to rate and select a correct answer
03-01-2014 12:13 PM
Thanks for the quick response,
ASA-01/pri# show xlate | inc 10.10.10.1
TCP PAT from inside:10.10.10.1 8100-8100 to outside:6.x.x.x 8100-8100
03-01-2014 12:17 PM
Everything looks to be OK from the ASA perspective, but run one more packet-tracer to be on the safe side:
packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed
I am assuming this will be successful too, but just to be sure, as most PCs will send a request using a random high port number.
--
Please remember to rate and select a correct answer
03-01-2014 12:27 PM
ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network object-10.10.10.1-1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
NAT divert to egress interface inside
Untranslate 6.x.x.x/8100 to 10.10.10.1/8100
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
Additional Information:
Forward Flow based lookup yields rule:
in id=0x75463aa8, priority=13, domain=permit, deny=false
hits=13, user_data=0x6f4fa280, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=5.x.x.x, mask=255.255.255.255, port=0, tag=0
dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73269260, priority=0, domain=nat-per-session, deny=false
hits=219392514, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74509710, priority=0, domain=inspect-ip-options, deny=true
hits=90342414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74c5ba38, priority=20, domain=lu, deny=false
hits=10688696, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x74e1d520, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=12684409, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x762fc120, priority=6, domain=nat-reverse, deny=false
hits=41, user_data=0x73130810, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=inside
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x73269260, priority=0, domain=nat-per-session, deny=false
hits=219392516, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x6d8d7620, priority=0, domain=inspect-ip-options, deny=true
hits=143310603, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216909225, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
03-01-2014 12:33 PM
From these outputs I would say the problem lies either with the server or between the ASA and the server. If they want you to give more proof, run a packet capture. You should see the packet enter the outside interface destined for 6.x.x.x port 8100 and leave the ASA inside interface destined for 10.10.10.1 port 8100. If you see return traffic enter the inside interface and leave the outside interface, then I would check with your ISP to see if they are blocking certain types of traffic.
But as I said, I doubt you will see the return traffic.
--
Please remember to rate and select a correct answer
03-01-2014 12:43 PM
They are using an ACE load balancer for the servers, and 10.10.10.1 is the VIP for the servers.
03-01-2014 12:45 PM
Then I would tell them that the packet is permitted through the ASA in both directions and that they should double check their config.
--
Please remember to rate and select a correct answer
03-01-2014 12:53 PM
Nothing to do on the ACE, and it needs to be checked on the server side, right?
03-01-2014 01:04 PM
I would think there is an issue with the server configuration, as long as the packet is reaching the server that is.
--
Please remember to rate and select a correct answer
03-07-2014 09:00 AM
Thanks, Marius.
As you said, it was a server configuration issue.
03-07-2014 09:02 AM
Glad you got it sorted out.
--
Please remember to rate and select a correct answer