Packet-Tracer Fails Subtype: rpf-check Result: DROP

KB ID 000904 Dtd 14/01/13

Problem

I love packet-tracer, I use it a lot, especially when I’ve been told that the firewall I’ve installed is stopping a particular port. I had set up a simple port forward the other day, and when I went to check it with packet-tracer this happened.

Petes-ASA# packet-tracer input outside tcp 123.123.123.123 443 192.168.1.10 443

<——-Output removed——–>

Phase: 7 Type: NAT Subtype: rpf-check Result: DROP Config: object network Web-Server-INT nat (inside,outside) static Web-Server-EXT Additional Information:

<——-Output removed——–>

Solution

This happens because the packet-tracer command is expecting to see the address that exists on the outside interface. So it’s the opposite way round to the way you would write an ACL. (Unless you are an old school Cisco tech, then it’s the same way we used to write ACL’s (before version 8.3)).

So, as I’m port forwarding the port that I’m tracing (tcp port 443 or https if you prefer) from the outside interface (100.100.100.100), that’s the IP address I should be using.

Note: If you are testing a static translation, then you would use the public IP for testing inbound traffic.

Petes-ASA# packet-tracer input outside tcp 123.123.123.123 443 100.100.100.100 443

Phase: 1 Type: UN-NAT Subtype: static Result: ALLOW Config: object network Web-Server-INT nat (inside,outside) static Web-Server-EXT Additional Information: NAT divert to egress interface inside Untranslate Web-Server-EXT/443 to Web-Server-INT/443

Phase: 2 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group inbound in interface outside access-list inbound extended permit tcp any4 object Web-Server-INT eq https Additional Information:

Phase: 3 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:

Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:

Phase: 5 Type: Subtype: Result: ALLOW Config: Additional Information:

Phase: 6 Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information:

Phase: 7 Type: NAT Subtype: rpf-check Result: ALLOW Config: object network Web-Server-INT nat (inside,outside) static Web-Server-EXT Additional Information:

Phase: 8 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:

Phase: 9 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:

Phase: 10 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 5844584, packet dispatched to next module

Result: input-interface: outside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: allow

Do the same from the ADSM

As you can see below, the same thing happens if you use the graphical Packet Tracer in the ASDM

Packet Tracer rpf-check Fails

Packet Tracer Inbound Packet Works

Related Articles, References, Credits, or External Links

NA

Author: Migrated

Share This Post On