09-07-2011 02:39 AM - edited 03-11-2019 02:21 PM
Hi,
We have the following static PAT configured on the ASA (ver 8.4). We can telnet from outside to the NATed local IP address; however, when we run packet-tracer from the outside interface it gets dropped at the NAT rule level (see below), whereas when we run packet-tracer from inside it is allowed at every step. Also we can't telnet from one of the outside IP addresses which is in the same subnet as the outside interface, although we can telnet from anywhere else outside (from the internet).
Below is the NAT/ACL configuration
--------------------------------------------
object network inside-net
nat (inside,outside) dynamic interface
object network inside-net2
nat (inside,outside) dynamic interface
object network ue
nat (inside,outside) static interface service tcp telnet telnet
object network ue-ssh
nat (inside,outside) static interface service tcp ssh ssh
!
access-list outside extended permit ip any host 172.20.4.187 log
Below is the packet-tracer output
---------------------------------------------
XXX-SA5550-CORP-INT-F03# packet-tracer input outside tcp 78.101.207.81 telnet 172.20.4.187 telnet detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.4.184 255.255.255.248 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any host 172.20.4.187 log
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242d17c8, priority=13, domain=permit, deny=false
hits=140, user_data=0x1d9ef140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.20.4.187, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2485deb0, priority=0, domain=inspect-ip-options, deny=true
hits=21884, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x24a6d280, priority=20, domain=lu, deny=false
hits=139, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ue
nat (inside,outside) static interface service tcp telnet telnet
Additional Information:
Forward Flow based lookup yields rule:
out id=0x242d87d0, priority=6, domain=nat-reverse, deny=false
hits=101, user_data=0x254e8d58, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.20.4.187, mask=255.255.255.255, port=23, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is the show xlate output
--------------------------------------
XXXX-ASA5550-CORP-INT-F03# sh xlate
3 in use, 114 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.20.4.187 23-23 to outside:78.100.72.220 23-23
flags sr idle 0:00:42 timeout 0:00:00
TCP PAT from inside:172.20.4.187 22-22 to outside:78.100.72.220 22-22
flags sr idle 0:13:03 timeout 0:00:00
So my questions again are:
Why does the packet tracer fail even though I can telnet from outside to the inside NATed IP?
Why am I not able to telnet from the same subnet as the ASA outside interface? Shouldn't it be considered as one of the outside IPs?
I'd appreciate it if someone could advise on this please.
Thanks in advance
09-07-2011 02:03 PM
Hi,
We figured out the packet-tracer drop issue; it was actually due to our destination IP address. We used the real IP instead of the NATed IP.
However, with the same static PAT I still can't telnet from a source with an IP address in the same subnet.
object network ue
nat (inside,outside) static interface service tcp telnet telnet
** Assume the outside interface IP is 10.10.10.220 and I'm trying to telnet from a source IP of 10.10.10.218. If the ACL allows it, as in "access-list outside extended permit ip any host 172.20.4.187", why can't I telnet from a source IP in the same subnet as the outside interface IP address?
Thanks
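The resolution above comes down to one rule: a packet-tracer entered on the outside interface has to name the mapped (translated) address from show xlate, not the real inside address, or the NAT rpf-check phase reports a DROP. The following is an added example, not code from the thread or from Cisco: it parses show xlate output for static PAT entries, checks a packet-tracer command line against them and suggests the corrected command, and pulls the dropping phase and Drop-reason out of packet-tracer output. The PORT_NAMES table (telnet, ssh, http, https) is an assumed subset of the service names the ASA accepts, and both sample outputs are constructed from the thread's values.

```python
# Added example (not from the thread): an outside-initiated packet-tracer must name
# the mapped address; naming the real inside address makes the NAT rpf-check DROP.
from __future__ import annotations
import re
from dataclasses import dataclass

# Service names accepted in place of port numbers (subset; assumed for this example).
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}

# Constructed `show xlate` sample modelled on the thread's two static PAT entries.
SAMPLE_XLATE = """\
3 in use, 114 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.20.4.187 23-23 to outside:78.100.72.220 23-23
    flags sr idle 0:00:42 timeout 0:00:00
TCP PAT from inside:172.20.4.187 22-22 to outside:78.100.72.220 22-22
    flags sr idle 0:13:03 timeout 0:00:00
"""

# Constructed, abbreviated packet-tracer output showing the NAT rpf-check drop.
SAMPLE_TRACE = """\
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ue
nat (inside,outside) static interface service tcp telnet telnet

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<rifc>[^:\s]+):(?P<rip>[\d.]+) (?P<rport>\d+)-\d+ "
    r"to (?P<mifc>[^:\s]+):(?P<mip>[\d.]+) (?P<mport>\d+)-\d+$"
)

@dataclass(frozen=True)
class Xlate:
    proto: str        # TCP or UDP
    real_ifc: str     # interface of the real host (inside)
    real_ip: str
    real_port: int
    mapped_ifc: str   # interface on which the translated address is reachable (outside)
    mapped_ip: str
    mapped_port: int

def parse_xlate(text: str) -> list[Xlate]:
    """Extract static PAT entries from `show xlate` output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(Xlate(m["proto"], m["rifc"], m["rip"], int(m["rport"]),
                                 m["mifc"], m["mip"], int(m["mport"])))
    return entries

def check_packet_tracer(cmd: str, xlates: list[Xlate]) -> dict:
    """Check `packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport> [detailed]`.
    ok=False means the destination is a real IP behind a static PAT on that interface;
    'suggest' is the same command with the mapped address substituted."""
    parts = cmd.split()
    ifc, proto, dst, port = parts[2], parts[3].upper(), parts[6], parts[7].lower()
    dport = int(port) if port.isdigit() else PORT_NAMES[port]
    for x in xlates:
        if x.proto != proto or x.mapped_ifc != ifc:
            continue
        if dst == x.mapped_ip and dport == x.mapped_port:
            return {"ok": True, "reason": "destination is the mapped address", "suggest": cmd}
        if dst == x.real_ip and dport == x.real_port:
            fixed = parts[:6] + [x.mapped_ip] + parts[7:]
            return {"ok": False,
                    "reason": f"{dst} is the real address; on {ifc} use {x.mapped_ip}",
                    "suggest": " ".join(fixed)}
    return {"ok": True, "reason": "no static PAT entry matches this flow", "suggest": cmd}

def find_drop_phase(output: str) -> dict | None:
    """Return the first phase whose Result is DROP, plus the trailing Drop-reason."""
    phase: dict = {}
    dropped: dict | None = None
    for raw in output.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "Phase" and value.isdigit():
            phase = {"phase": int(value), "type": "", "subtype": ""}
        elif key in ("Type", "Subtype") and phase:
            phase[key.lower()] = value
        elif key == "Result" and value == "DROP" and dropped is None:
            dropped = dict(phase)
        elif key == "Drop-reason" and dropped is not None:
            dropped["drop_reason"] = value
    return dropped
```

Running check_packet_tracer on the thread's original command (destination 172.20.4.187) returns ok=False with the suggestion to use 78.100.72.220 instead; running it on the suggested command returns ok=True. A packet-tracer entered on inside is left alone, since the real address is the right one there.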
01-14-2014 01:13 AM
Yes, it's the use of the NATTED (translated) IP address that does this; I had this very problem today.
Packet-Tracer fails at Phase 7, Subtype: rpf-check, Result: DROP
Pete
01-14-2014 06:13 AM
Hi,
By default, you are not allowed to telnet to the lowest security interface of the ASA. That's a security feature of the ASA.
- Prateek Verma