Solved

asa 5505 nat rpf-check DROP

Posted on 2010-09-05
4
7,219 Views
Last Modified: 2012-08-13
Experts, see attached file of my asa config. It is a simple config.
I have an ipsec vpn tunnel established.

Encryption domain:
Local:192.168.3.0 255.255.255.0
Remote:10.75.100.0 255.255.255.0

The tunnel works and my users are able to RDP to 10.75.100.240. They have a preconfigured RDP icon with this IP.
The problem is I need to set their RDP icon to point to IP 19.39.160.240 (there is a specific reason for this not mentioned) without touching the VPN tunnel.
 
I can accomplish this by adding:
static (outside,inside) 19.39.160.240 10.75.100.240 netmask 255.255.255.255

After adding the NAT, I can point their RDP icon to 19.39.160.240 and it works fine. However, when I try to go to RDP to the real IP 10.75.100.240, it doesnt work anymore.

A packet tracer: packet-tracer input inside tcp 192.168.3.24 10000 10.75.100.240 3389 detailed

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
 
When I remove the static NAT, i'm able to RDP to it using 10.75.100.240 again. I'm curious as to why I can't rdp to 10.75.100.240 when the static NAT is in place. I would like the users to have the ability to reach both IPs so that I can put in the static NAT and take my time to repoint the RDP icons one at a time.
Even with the NAT in place, when they go to 10.75.100.240, it should hit the ACL inside_nat0_outbound and go out fine right?
Is traffic going out, but not able to come back?
 

asaEE.txt
0
Comment
Question by:trojan81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:ullas_unni
ID: 33612484
hi trojan 81,

the rpf drop you are getting should be due to the static (outside,inside) 19.39.160.240 10.75.100.240 netmask 255.255.255.255....the outgoing traffic is getting nat exempted by ACL inside_nat0_outbound but the return traffic must be hitting the static.

to clarify this can you please attach the output of your packet-tracer.

if that is the case then you might need to do a nat exempt on the outside interface for the return traffic ie from your remote pvt ip.
0
 

Author Comment

by:trojan81
ID: 33615030
Ullas,

I think you are on the right track. Attached is the packet trace showing it working when I RDP to the NAT IP, and not working when I RDP to the real IP.
Is it even possible that both the NAT IP and the REAL IP still work simultaneously?

trace-working.txt
trace-notworking.txt
0
 
LVL 4

Accepted Solution

by:
ullas_unni earned 500 total points
ID: 33615727
trojan81,

have a look at this.. this is rpf drop part of your packet tracer output... it shows that the return traffic is hitting the static.. so it makes sense..

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (outside,inside) 19.39.160.240 10.75.100.240 netmask 255.255.255.255
  match ip outside host 10.75.100.240 inside any
    static translation to 19.39.160.240
    translate_hits = 0, untranslate_hits = 2
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xca4c4c90, priority=5, domain=nat-reverse, deny=false
        hits=6, user_data=0xc987abe0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.75.100.240, mask=255.255.255.255, port=0, dscp=0x0

i can think of one way of achieving your requirement of accessing on both pvt and public ip.. try adding this with the static in place:

access-list reverse_nat_exempt permit ip host 10.75.100.240 192.168.3.0 255.255.255.0 nat (outside) 0 access-list reverse_nat_exempt outside

the above statements will nat exempt the return traffic when you are trying to access the server via pvt ip.. since nat exempt hits before the static the rpf-check should be fine.

so you should be able to access the server on both pvt and public ip.
0
 

Author Comment

by:trojan81
ID: 33668886
ullas,

That suggestion did not work. When I attempted to use the public IP it failed RPF check. I will award you the points since I went ahead and made the cut over night so I could make all changes without downtime.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

689 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question