06-18-2019 02:15 PM - edited 02-21-2020 09:40 PM
So I have a subnet/object let's say:
obj_10.10.10.0 255.255.255.0
nat (any,outside) dynamic interface
Seems to be having an issue accessing it from Outside.
My ACL for Outside permits the source to the obj_10.10.10.0.
Packet-tracer is failing at "RPF-CHeck Action Drop".
What must I change?
06-18-2019 02:35 PM
Hi
Is this answered here -
https://community.cisco.com/t5/firewalls/access-to-dmz-rpf-check-drop/td-p/2281668
06-18-2019 05:50 PM
I am not even sure. I don't know if it just fails in packet-tracer because I am using the Real IP destination address of INSIDE hosts given that subnet is NATTED.
Also, I need that entire subnet to be accessed via many different ports so I don't think doing the NAT statement not under the object would do the trick.
06-18-2019 09:25 PM
Hi,
Let me first explain what nat (any,outside) dynamic interface means for object obj_10.10.10.0 255.255.255.0.
Looking at the flow defined by the nat rule "nat (any,outside)", this means that any traffic coming from any interface going towards the outside interface will be patted (Port Address Translation) to the interface IP of the outside interface.
PAT, because of its nature, is a unidirectional flow, meaning the above statement is pretty strict about the flow (any,outside); when you initiate the traffic from outside, the flow would be something like (outside,any).
I understand so far that you want a static nat or a static pat (port redirection).
Refer to this document.
Or you can mention your specification and I can help you design a nat rule.
Thanks
Shakti
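To illustrate the point Shakti makes about direction, here is an added ASA configuration example (not Shakti's or the original poster's config): the thread's dynamic PAT rule, which only covers flows initiated towards outside, next to a static NAT for the same object that also permits outside-initiated flows. The mapped subnet 203.0.113.0/24, the outside source 198.51.100.0/24, and the object/ACL names are assumed placeholders.

```cisco
! --- Rule from the thread: dynamic PAT, outbound (any -> outside) only ---
object network obj_10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) dynamic interface
!
! --- Replacement: static NAT is bidirectional, so outside hosts can initiate ---
! Mapped (public) subnet: constructed placeholder from the RFC 5737 documentation range.
object network obj_10.10.10.0_mapped
 subnet 203.0.113.0 255.255.255.0
!
object network obj_10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 no nat (any,outside) dynamic interface
 nat (inside,outside) static obj_10.10.10.0_mapped
!
! If 10.10.10.0/24 is already routable from the outside networks, an identity
! static NAT achieves the same without a separate mapped subnet:
!   nat (inside,outside) static obj_10.10.10.0
!
! --- Outside ACL: on ASA 8.3+ the ACL matches the REAL address, so the
!     existing reference to obj_10.10.10.0 stays correct with either NAT rule ---
object-group network OUTSIDE_PARTNERS
 network-object 198.51.100.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip object-group OUTSIDE_PARTNERS object obj_10.10.10.0
access-group OUTSIDE_IN in interface outside
!
! --- Verify from the outside side: the destination is the MAPPED address an
!     outside host would actually send to (with identity NAT it is the real one) ---
packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.5 443
```

With the static rule the outbound direction still works as well, but inside hosts now appear on the outside as 203.0.113.x rather than the outside interface address.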
06-18-2019 09:26 PM - edited 06-18-2019 09:27 PM
06-19-2019 05:10 AM
Hi thanks!
I am not sure what you mean by "Everyone tags"?
I just need multiple Outside subnets to be able to communicate with that internal 10.10.10.0_object. I am not sure if the problem is the FW. Given the current dynamic PAT statement I referenced, Outside subnets should be allowed to hit it as long as there is an Outside rule permitting to the real 10.10.10.0_object, correct?
06-19-2019 06:00 AM
Hi,
With the current nat, 10.10.10.0_object will be patted to the interface address of the outside interface when going outside.
Thanks
Shakti