03-19-2013 02:17 AM - edited 03-11-2019 06:16 PM
Hi,
Since a day ago or so I managed to somehow break all my forwarded ports. The error is "rpf-check", as if the packet would take a different way out, but I fail to see how that could be the case. Can anyone share some insight in this?
# my ext-ip and internal server
object network someserver
host 10.0.0.240
object network ext-ip
host 201.201.28.20
# destination nat 8080 on ext-ip to someservers 8080, tcp.
object network someserver
nat (inside,outside) static ext-ip service tcp 8080 8080
nat (inside,outside) after-auto source dynamic any ext-ip
# Make sure it's first of the ACLs for debugging when ingressing "outside" interface (have no idea how hitcnt=1, I keep testing repeatedly from an external host but the counter doesn't increment)
access-list outside_access_in line 1 extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable 0xaf785b68
access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq www log disable (hitcnt=0) 0xbfcabb69
access-list outside_access_in line 1 extended permit tcp any host 10.0.0.240 eq 8080 log disable (hitcnt=1) 0x8c1c69ed
# Make sure it's first of the ACLs for debugging when egressing "inside" interface
access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5 0xf82e5cf9
access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq www (hitcnt=0) 0x53d6c9d3
access-list inside_access_out line 1 extended permit tcp any host 10.0.0.240 eq 8080 (hitcnt=0) 0x09b88225
# show run nat shows no hits
1 (inside) to (ownit) source static skotertech mobenga-ownit-ext-ip service tcp 8080 8080
translate_hits = 0, untranslate_hits = 0
# a packet-tracer claims it's allowed, but rpf-check fails. Verified on "someserver" using tcpdump that no packets ever reach it
asa# packet-tracer input outside tcp 5.6.129.90 50565 10.0.0.240 8080 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb6d70, priority=1, domain=permit, deny=false
hits=23728394646, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object someserver object-group DM_INLINE_TCP_2 log disable
object-group service DM_INLINE_TCP_2 tcp
group-object http
port-object eq 8080
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca788920, priority=13, domain=permit, deny=false
hits=1, user_data=0xc7d9dcb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb94d0, priority=0, domain=inspect-ip-options, deny=true
hits=526056144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9f4a2a0, priority=20, domain=lu, deny=false
hits=31373932, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccdb1760, priority=18, domain=flow-export, deny=false
hits=16814247, user_data=0xcbc65ed8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xca5e1990, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=82465316, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit tcp any host 10.0.0.240 object-group DM_INLINE_TCP_5
object-group service DM_INLINE_TCP_5 tcp
group-object http
port-object eq 8080
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc043d10, priority=13, domain=permit, deny=false
hits=1, user_data=0xc7d9d1c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=any, output_ifc=inside
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network someserver
nat (inside,outside) static ext-ip service tcp 8080 8080
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc1e3190, priority=6, domain=nat-reverse, deny=false
hits=3, user_data=0xcc77b7c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
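The trace above is long, and the useful part for an rpf-check drop is concentrated in the phase that returned DROP: its domain (nat-reverse), the interface pair the matched rule was built for, and the NAT config lines it cites, compared against what ROUTE-LOOKUP chose for the real address. The script below is an added example for this thread, not code from the original post or from Cisco; it parses a `packet-tracer ... detailed` trace and pulls those fields out so the comparison can be scripted across many traces. SAMPLE_TRACE is a trimmed, constructed copy of the poster's output (same phase numbers and rule ids, most phases and lines omitted). Note that the `show nat` line the poster pasted lists a section 1 manual rule with different object names than the object NAT cited in phase 9, which is the first thing to reconcile when the reverse lookup disagrees with the forward untranslate.

```python
"""Triage a Cisco ASA `packet-tracer ... detailed` trace.

Added example for this thread, not code from the original post or from
Cisco. Finds the first phase that returned DROP, extracts the matched
rule's domain, interface pair and config lines, and checks whether the
rule's output interface agrees with the ROUTE-LOOKUP phase, since an
rpf-check drop means the reverse (return-path) NAT lookup disagrees with
the forward untranslation. SAMPLE_TRACE is a constructed, trimmed copy
of the poster's trace.
"""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9eb6d70, priority=1, domain=permit, deny=false
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network someserver
nat (inside,outside) static ext-ip service tcp 8080 8080
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc1e3190, priority=6, domain=nat-reverse, deny=false
dst ip/id=10.0.0.240, mask=255.255.255.255, port=8080, dscp=0x0
input_ifc=outside, output_ifc=inside
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


_HEADERS = {"Type:": "ptype", "Subtype:": "subtype", "Result:": "result"}


def parse_trace(text):
    """Split a trace into Phase objects plus the trailing summary dict."""
    phases, summary = [], {}
    cur, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = Phase(int(m.group(1)))
            phases.append(cur)
            section = None
            continue
        if line == "Result:":          # a bare "Result:" opens the summary block
            cur = None
            continue
        if cur is None:                # summary lines: "Action: drop", "Drop-reason: ..."
            key, _, val = line.partition(":")
            summary[key.strip().lower()] = val.strip()
            continue
        for prefix, attr in _HEADERS.items():
            if line.startswith(prefix):
                setattr(cur, attr, line[len(prefix):].strip())
                break
        else:
            if line == "Config:":
                section = "config"
            elif line == "Additional Information:":
                section = "info"
            elif section:
                getattr(cur, section).append(line)
    return phases, summary


def route_egress_ifc(phases):
    """Interface chosen by ROUTE-LOOKUP, e.g. 'in 10.0.0.0 255.255.255.0 inside'."""
    for p in phases:
        if p.ptype == "ROUTE-LOOKUP":
            for line in p.info:
                parts = line.split()
                if len(parts) >= 4 and parts[0] in ("in", "out"):
                    return parts[-1]
    return None


def triage(text):
    """Return the dropping phase's key fields, or drop_phase=None if nothing dropped."""
    phases, summary = parse_trace(text)
    out = {"action": summary.get("action"),
           "drop_reason": summary.get("drop-reason"), "drop_phase": None}
    drop = next((p for p in phases if p.result == "DROP"), None)
    if drop is None:
        return out
    fields = {}                        # first value wins: 'id', 'domain', 'input_ifc', ...
    for line in drop.info:
        for m in re.finditer(r"(\w+)=([^,\s]+)", line):
            fields.setdefault(m.group(1), m.group(2))
    route_ifc = route_egress_ifc(phases)
    out.update({
        "drop_phase": drop.number, "type": drop.ptype, "subtype": drop.subtype,
        "domain": fields.get("domain"),
        "input_ifc": fields.get("input_ifc"), "output_ifc": fields.get("output_ifc"),
        "route_ifc": route_ifc,
        "ifc_matches_route": route_ifc is not None and fields.get("output_ifc") == route_ifc,
        "matched_config": [c for c in drop.config if c.startswith("nat ")],
    })
    return out


if __name__ == "__main__":
    for k, v in triage(SAMPLE_TRACE).items():
        print(f"{k:18} {v}")
```

For the poster's trace the output interface of the nat-reverse rule and the routed interface both come out as `inside`, so the drop is not a routing mismatch for the real host; that narrows the search to a NAT rule that translates the return flow differently, which is where the extra section 1 manual rule in the pasted `show nat` output comes in.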