Network technologies and trends

Jan 16 2017   12:27PM GMT

What is the error “rpf-check Result: DROP” in Cisco ASA Packet-tracer?

Yasir Irfan

Tags:
Access List
ASA
Cisco
firewall
NAT

When troubleshooting Cisco ASA firewalls, one usually relies on the packet-tracer command. However, the NAT configuration, and the way ACLs are written, changed from version 8.4: rather than configuring the ACL for the public IP, the private IP address is used, as shown below.

access-list OUTSIDE extended permit tcp host 222.222.222.222  host 192.168.1.50 eq 443

[Figure 1-1: asa-rpf-check]

From the scenario above, one can see that the internal web server with IP address 192.168.1.50 is NATted to the public IP 111.111.111.111.

Those who come from strong exposure to ASA version 8.3 tend to issue the packet-tracer command with the IP addresses used in the ACL. However, this never works, and the traffic is dropped with the error “rpf-check Result: DROP”. This is because the UN-NAT result must match the NAT rpf-check for the packet to be passed; otherwise it is dropped.

IKTE-ASA# packet-tracer input OUTSIDE tcp 222.222.222.222 443 192.168.1.50 443

<------- Output removed ------->

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj-192.168.1.50
 nat (DMZ,OUTSIDE) static obj-111.111.111.111
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

IKTE-ASA#

In this case (static NAT), the correct way to use packet-tracer is to supply the public (mapped) IP, not the private (real) IP:

IKE-ASA# packet-tracer input OUTSIDE tcp 222.222.222.222 443 111.111.111.111 443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111
Additional Information:
NAT divert to egress interface DMZ
Untranslate 111.111.111.111/443 to 192.168.1.50/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface OUTSIDE
access-list OUTSIDE extended permit tcp host 222.222.222.222 host 192.168.1.50 eq 443

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111
Additional Information:
Static translate 222.222.222.222/443 to 222.222.222.222/443

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
 match access-list SFR
policy-map global_policy
 class SFR
  sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 333770611, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

ITKE-ASA#
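The two traces above, reduced to a small model as an added example that is not part of the original post and not Cisco's code: a Python sketch of the three packet-tracer phases that decide the outcome (UN-NAT, ACCESS-LIST, NAT rpf-check), fed with the NAT rule and ACL entry from the post. The routing table, the function names and the simplified phase logic are assumptions; the point it shows is why a packet entering on OUTSIDE must carry the mapped address 111.111.111.111, and why 192.168.1.50 survives the ACL but fails rpf-check.

```python
"""Toy model of the ASA packet-tracer phases UN-NAT, ACCESS-LIST and NAT
rpf-check.  Constructed illustration, not ASA code; interfaces, NAT rule
and ACL entry come from the post, the routing table is an assumption."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrives on
    src: str
    dst: str        # destination exactly as it appears on the wire
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class StaticNat:
    """Models 'nat (real_if,mapped_if) source static real mapped'."""
    real_if: str
    mapped_if: str
    real_ip: str
    mapped_ip: str


@dataclass(frozen=True)
class AclEntry:
    """Models 'access-list X extended permit proto host src host dst eq port'.
    From ASA 8.3 on these addresses are the real (untranslated) ones."""
    proto: str
    src: str
    dst: str
    dport: int


# Configuration taken from the post.
NAT_RULES = [StaticNat("DMZ", "OUTSIDE", "192.168.1.50", "111.111.111.111")]
ACL_OUTSIDE = [AclEntry("tcp", "222.222.222.222", "192.168.1.50", 443)]
# Assumed routing table: the server's real subnet sits behind DMZ.
ROUTES = {ip_network("192.168.1.0/24"): "DMZ", ip_network("0.0.0.0/0"): "OUTSIDE"}


def route(dst: str) -> str:
    """Longest-prefix match, standing in for the ASA route lookup."""
    addr = ip_address(dst)
    return ROUTES[max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)]


def un_nat(pkt: Packet, rules: List[StaticNat]) -> Tuple[Packet, str, str]:
    """Phase UN-NAT: a packet arriving on the mapped interface for a mapped
    address is untranslated to the real address and diverted to the real
    interface; anything else is left alone and routed normally."""
    for r in rules:
        if pkt.in_if == r.mapped_if and pkt.dst == r.mapped_ip:
            return replace(pkt, dst=r.real_ip), r.real_if, f"Untranslate {r.mapped_ip} to {r.real_ip}"
    return pkt, route(pkt.dst), "no static NAT rule matches the destination"


def acl_permits(pkt: Packet, acl: List[AclEntry]) -> bool:
    """Phase ACCESS-LIST: evaluated against the untranslated (real) addresses."""
    return any(e.proto == pkt.proto and e.src == pkt.src
               and e.dst == pkt.dst and e.dport == pkt.dport for e in acl)


def rpf_check(wire_dst: str, real_pkt: Packet, egress_if: str,
              rules: List[StaticNat]) -> Tuple[bool, str]:
    """Phase NAT rpf-check: the rule that translates the real destination back
    towards the ingress interface must yield the address the packet was sent
    to; otherwise the flow contradicts the NAT policy and is dropped."""
    for r in rules:
        if r.real_if == egress_if and r.mapped_if == real_pkt.in_if and r.real_ip == real_pkt.dst:
            return (r.mapped_ip == wire_dst,
                    f"{r.real_ip} is reachable from {r.mapped_if} only as {r.mapped_ip}, "
                    f"packet was sent to {wire_dst}")
    return True, "no NAT rule governs this flow"


def trace(pkt: Packet, rules: List[StaticNat],
          acl: List[AclEntry]) -> Tuple[List[Tuple[str, str, str]], str]:
    """Run the phases in ASA order; returns (phases, final action)."""
    real_pkt, egress_if, info = un_nat(pkt, rules)
    phases = [("UN-NAT", "ALLOW", info)]
    if not acl_permits(real_pkt, acl):
        phases.append(("ACCESS-LIST", "DROP", "no permit entry"))
        return phases, "drop"
    phases.append(("ACCESS-LIST", "ALLOW", "matched permit entry"))
    ok, info = rpf_check(pkt.dst, real_pkt, egress_if, rules)
    phases.append(("NAT rpf-check", "ALLOW" if ok else "DROP", info))
    return phases, "allow" if ok else "drop"


def tracer_destination(real_ip: str, ingress_if: str, rules: List[StaticNat]) -> str:
    """Address to hand packet-tracer for traffic entering on ingress_if towards
    real_ip: the mapped address when a static rule exposes the host there."""
    for r in rules:
        if r.real_ip == real_ip and r.mapped_if == ingress_if:
            return r.mapped_ip
    return real_ip


if __name__ == "__main__":
    for dst in ("192.168.1.50", "111.111.111.111"):
        phases, action = trace(Packet("OUTSIDE", "222.222.222.222", dst, 443), NAT_RULES, ACL_OUTSIDE)
        print(f"packet-tracer input OUTSIDE tcp 222.222.222.222 443 {dst} 443")
        for name, result, info in phases:
            print(f"  {name:14} {result:5} {info}")
        print(f"  Action: {action}\n")
```

Running it prints the private-IP trace ending in "NAT rpf-check DROP" and the public-IP trace ending in "allow"; tracer_destination("192.168.1.50", "OUTSIDE", NAT_RULES) gives the address the post says to use. The real appliance does more in each phase (and the post's dropped trace reports acl-drop as the reason), so treat the model as a way to remember the ordering, not as a substitute for reading the actual phase output.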
