[c-nsp] ASA NAT/PAT rpf-check
Dan Letkeman
danletkeman at gmail.com
Sun Feb 12 14:01:42 EST 2012
Hello,

Having some trouble with an rpf-check on an ASA when doing PAT to an
internal web server.

I have static NAT working:

object network laptop
 host 192.168.75.208
object network internet-75
 host 100.1.1.75
nat (inside,outside) after-auto source dynamic laptop internet-75

No problems here, the client device gets out to the internet using the
correct IP address.

Now when I do this:

object network laptop-pat
 host 192.168.75.208
object network laptop-pat
 nat (inside,outside) static internet-75 service tcp www 81

it adds this entry above the static NAT entry and everything appears
to look correct. The problem is when I do a packet-tracer it shows
this:
fw# packet-tracer input outside tcp 222.222.222.222 1080 192.168.75.208 81

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object http-81 any object laptop-pat

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) after-auto source dynamic laptop internet-75

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
For some reason it is not picking up the auto-NAT entry for the
secondary object I created with the same host name (laptop-pat).

Any ideas why the firewall is always stopping at phase 8 with the
rpf-check error? If so, what do I need to do to fix this?

Is there an easier or "right" way to do PAT on this device?

Thanks,
Dan.

5520 - version 8.4
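The phase-8 drop above comes from the NAT reverse-path check: after the ASA has (or has not) un-NATed an inbound packet, it looks up the reply flow in the forward direction and requires the rule it finds to map the inside host back to the address the outside client sent to. The Python below is an added example, not code from the post and not Cisco's implementation. It is a deliberately simplified model (an assumption, not a transcript of ASA internals) of ASA 8.3+ NAT lookup order (section 1 manual NAT, section 2 auto/object NAT, section 3 manual NAT after-auto) and of the rpf-check, loaded with the two NAT rules quoted in the post as constructed data. Run against the flow the post traces, it reproduces a DROP whose Config line is the after-auto dynamic rule; run against the same flow addressed to the mapped address 100.1.1.75 port 81, the static object NAT rule is selected in both directions and the check passes.

```python
"""Simplified model of ASA 8.3+ NAT lookup order and the NAT rpf-check.

Added example: not the ASA implementation and not code from the post. The two
rules below are the ones quoted in the post, encoded as constructed data. The
behaviour modelled (section order, un-NAT against mapped addresses, reverse
lookup of the reply flow) is a simplifying assumption for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    section: int                     # 1 = manual, 2 = auto (object), 3 = after-auto
    name: str                        # config line, as packet-tracer prints it
    real_ip: str
    mapped_ip: str
    static: bool
    real_port: Optional[int] = None  # only for static rules with a service
    mapped_port: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# NAT rules from the post, both (inside,outside); constructed rule objects.
RULES = [
    NatRule(2, "nat (inside,outside) static internet-75 service tcp www 81",
            real_ip="192.168.75.208", mapped_ip="100.1.1.75", static=True,
            real_port=80, mapped_port=81),
    NatRule(3, "nat (inside,outside) after-auto source dynamic laptop internet-75",
            real_ip="192.168.75.208", mapped_ip="100.1.1.75", static=False),
]


def _ordered(rules):
    """NAT is consulted section by section: manual, then auto, then after-auto."""
    return sorted(rules, key=lambda r: r.section)


def forward_lookup(rules, real_ip, real_port):
    """First rule that would translate an inside host sending toward outside."""
    for r in _ordered(rules):
        if r.real_ip != real_ip:
            continue
        if r.real_port is not None and r.real_port != real_port:
            continue
        return r
    return None


def untranslate(rules, mapped_ip, mapped_port):
    """Inbound on outside: find the static rule whose mapped address (and port,
    if the rule has a service) is the packet's destination. A dynamic rule has
    no xlate for a brand-new inbound connection, so it is skipped."""
    for r in _ordered(rules):
        if not r.static or r.mapped_ip != mapped_ip:
            continue
        if r.mapped_port is not None and r.mapped_port != mapped_port:
            continue
        return r
    return None


def trace_inbound(rules, pkt):
    """Return (result, subtype, config_line) for the NAT rpf-check phase."""
    rule = untranslate(rules, pkt.dst_ip, pkt.dst_port)
    if rule is None:
        real_ip, real_port = pkt.dst_ip, pkt.dst_port  # no un-NAT applied
    else:
        real_ip = rule.real_ip
        real_port = rule.real_port if rule.real_port is not None else pkt.dst_port
    # rpf-check: the reply from the inside host must be translated by a rule
    # that maps it back to exactly the address and port the client sent to.
    reverse = forward_lookup(rules, real_ip, real_port)
    if reverse is None:
        return ("ALLOW", "rpf-check", None)  # nothing translates the reply
    if reverse.mapped_ip != pkt.dst_ip:
        return ("DROP", "rpf-check", reverse.name)
    if reverse.mapped_port is not None and reverse.mapped_port != pkt.dst_port:
        return ("DROP", "rpf-check", reverse.name)
    return ("ALLOW", "rpf-check", reverse.name)


if __name__ == "__main__":
    # Constructed flows: the one traced in the post, and one to the mapped address.
    for flow in (Flow("222.222.222.222", 1080, "192.168.75.208", 81),
                 Flow("222.222.222.222", 1080, "100.1.1.75", 81)):
        result, subtype, config = trace_inbound(RULES, flow)
        print(f"{flow.dst_ip}:{flow.dst_port} -> {result} ({subtype}) Config: {config}")
```

The model is only as good as its assumptions, so treat it as a way to reason about which rule the reverse lookup lands on, then confirm with `show nat detail` and a fresh `packet-tracer` on the box itself.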