Subtype: rpf-check - drop on NAT ASA 8.4

pemasirid
Level 1

Hi,

We have the following static PAT configured on an ASA (ver 8.4). We can telnet from outside to the NATed local IP address; however, when we do the packet-trace from the outside interface it gets dropped at the NAT rule level (see below), whereas when we do the packet-trace from inside it allows every step. Also we can't telnet from one of the outside IP addresses which is in the same subnet as the outside interface; however, we can telnet from anywhere outside (from the internet).

Below is the NAT/ACL configuration:

--------------------------------------------
object network inside-net
 nat (inside,outside) dynamic interface
object network inside-net2
 nat (inside,outside) dynamic interface
object network ue
 nat (inside,outside) static interface service tcp telnet telnet
object network ue-ssh
 nat (inside,outside) static interface service tcp ssh ssh
!
access-list outside extended permit ip any host 172.20.4.187 log

Below is the packet-tracer output:

---------------------------------------------
XXX-SA5550-CORP-INT-F03# packet-tracer input outside tcp 78.101.207.81 telnet 172.20.4.187 telnet detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.20.4.184    255.255.255.248 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any host 172.20.4.187 log
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x242d17c8, priority=13, domain=permit, deny=false
        hits=140, user_data=0x1d9ef140, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.20.4.187, mask=255.255.255.255, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x2485deb0, priority=0, domain=inspect-ip-options, deny=true
        hits=21884, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x24a6d280, priority=20, domain=lu, deny=false
        hits=139, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ue
 nat (inside,outside) static interface service tcp telnet telnet
Additional Information:
Forward Flow based lookup yields rule:
out id=0x242d87d0, priority=6, domain=nat-reverse, deny=false
        hits=101, user_data=0x254e8d58, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=172.20.4.187, mask=255.255.255.255, port=23, dscp=0x0
        input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is the show xlate output:

--------------------------------------
XXXX-ASA5550-CORP-INT-F03# sh xlate
3 in use, 114 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.20.4.187 23-23 to outside:78.100.72.220 23-23
    flags sr idle 0:00:42 timeout 0:00:00
TCP PAT from inside:172.20.4.187 22-22 to outside:78.100.72.220 22-22
    flags sr idle 0:13:03 timeout 0:00:00

So my questions again are:

Why does the packet tracer fail even though I can telnet from outside to the inside NATed IP?

Why am I not able to telnet from the same subnet as the ASA outside interface? Shouldn't it be considered one of the outside IPs?

I'd appreciate it if someone can advise on this please.

Thanks in advance

3 Replies

pemasirid
Level 1

Hi,

We figured out the packet-tracer drop issue; that was actually due to our destination IP address. We used the real IP instead of the NATed IP.

However, with the same static PAT I still can't telnet from a source with an IP address in the same subnet.

object network ue
 nat (inside,outside) static interface service tcp telnet telnet

** Assume the outside interface IP is 10.10.10.220 and I'm trying to telnet from a source IP of 10.10.10.218. If the ACL allows it, as in "access-list outside extended permit ip any host 172.20.4.187", why can't I telnet with a source IP from the same subnet as the outside interface IP address?

Thanks
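The cause found above (an outside-to-inside trace that names the real inside address instead of the mapped one) can be caught mechanically before running the trace. The Python script below is an added example for this thread, not code from the poster or from Cisco: it parses the PAT entries from "show xlate" output (a constructed copy of the output posted above), then checks whether a "packet-tracer input <ifc> ..." command entering on the mapped interface targets the real address, which is the combination that ends in the NAT rpf-check drop, and proposes the corrected command. The port-name table, the regular expressions and the function names are this example's own assumptions about the output format.

```python
"""Check an ASA packet-tracer command against 'show xlate' output.

Added example for this thread (not Cisco's code). An outside-to-inside
trace must name the mapped (translated) destination; naming the real inside
address is what produces 'Type: NAT / Subtype: rpf-check / Result: DROP'.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the 'show xlate' output posted in the thread.
SAMPLE_XLATE = """\
3 in use, 114 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:172.20.4.187 23-23 to outside:78.100.72.220 23-23
    flags sr idle 0:00:42 timeout 0:00:00
TCP PAT from inside:172.20.4.187 22-22 to outside:78.100.72.220 22-22
    flags sr idle 0:13:03 timeout 0:00:00
"""

# One 'show xlate' PAT line (assumed layout):
# "<PROTO> PAT from <ifc>:<ip> <port>-<port> to <ifc>:<ip> <port>-<port>"
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP) PAT from (?P<real_ifc>[\w-]+):(?P<real_ip>[\d.]+) (?P<real_port>\d+)-\d+"
    r" to (?P<mapped_ifc>[\w-]+):(?P<mapped_ip>[\d.]+) (?P<mapped_port>\d+)-\d+$"
)

# "packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport> [detailed]"
TRACE_RE = re.compile(
    r"packet-tracer input (?P<ifc>[\w-]+) (?P<proto>tcp|udp) (?P<src>[\d.]+) (?P<sport>\S+)"
    r" (?P<dst>[\d.]+) (?P<dport>\S+)"
)

# Assumed subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443, "smtp": 25}


@dataclass(frozen=True)
class Xlate:
    proto: str
    real_ifc: str
    real_ip: str
    real_port: int
    mapped_ifc: str
    mapped_ip: str
    mapped_port: int


def parse_xlate(text):
    """Return the PAT entries found in 'show xlate' text."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:  # the header and the 'flags ...' continuation lines do not match
            entries.append(Xlate(m["proto"], m["real_ifc"], m["real_ip"], int(m["real_port"]),
                                 m["mapped_ifc"], m["mapped_ip"], int(m["mapped_port"])))
    return entries


def port_number(token):
    """Translate a port token (number or well-known name) to an integer."""
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown port token: {token}")


def check_trace(command, xlates):
    """Classify a packet-tracer command against the PAT table.

    Returns (status, command): 'real-address' means the trace enters on the
    mapped interface but targets the real address (the returned command is the
    corrected one using the mapped address); 'ok' means it targets the mapped
    address; 'no-xlate' means no PAT entry matches this interface and port.
    """
    m = TRACE_RE.search(command)
    if not m:
        raise ValueError("not a 'packet-tracer input ...' command")
    ifc, proto = m["ifc"], m["proto"].upper()
    dst, dport = m["dst"], port_number(m["dport"])
    for x in xlates:
        if x.proto != proto or ifc != x.mapped_ifc:
            continue
        if dst == x.real_ip and dport == x.real_port:
            # The thread's failing trace: swap the real address for the mapped one.
            fixed = command[:m.start("dst")] + x.mapped_ip + command[m.end("dst"):]
            return "real-address", fixed
        if dst == x.mapped_ip and dport == x.mapped_port:
            return "ok", command
    return "no-xlate", command


if __name__ == "__main__":
    table = parse_xlate(SAMPLE_XLATE)
    cmd = "packet-tracer input outside tcp 78.101.207.81 telnet 172.20.4.187 telnet detailed"
    status, suggestion = check_trace(cmd, table)
    print(status)       # real-address
    print(suggestion)   # same command with 78.100.72.220 as the destination
```

Run against the thread's own trace command the script reports "real-address" and prints the command with 78.100.72.220 substituted, which is the trace that passes the NAT phase; a trace already aimed at the mapped address and port comes back "ok".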

Peter Long
Level 1

Yes, it's the use of the NATted (translated) IP address that does this; I had this very problem today.

Packet-Tracer Fails Phase 7 Subtype: rpf-check Result: DROP

Pete

Hi,

By default, you are not allowed to telnet to the lowest security interface of the ASA. That's a security feature of the ASA.

- Prateek Verma
