Hello,

Having some trouble with an rpf-check on an ASA when doing PAT to an internal web server.

I have static NAT working:

  object network laptop
   host 192.168.75.208
  object network internet-75
   host 100.1.1.75
  nat (inside,outside) after-auto source dynamic laptop internet-75

No problems here, the client device gets out to the internet using the correct IP address.

Now when I do this:

  object network laptop-pat
   host 192.168.75.208
  object network laptop-pat
   nat (inside,outside) static internet-75 service tcp www 81

it adds this entry above the static NAT entry and everything appears to look correct. The problem is when I do a packet-trace it shows this:

  fw# packet-tracer input outside tcp 222.222.222.222 1080 192.168.75.208 81

  Phase: 3
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit object http-81 any object laptop-pat

  Phase: 8
  Type: NAT
  Subtype: rpf-check
  Result: DROP
  Config:
  nat (inside,outside) after-auto source dynamic laptop internet-75

  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  output-interface: inside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule

For some reason it is not picking up the auto-NAT entry for the secondary object I created with the same host name (laptop-pat).

Any ideas why the firewall is always stopping at phase 8 with the rpf-check error? If so, what do I need to do to fix this? Is there an easier or "right" way to do PAT on this device?

Thanks,
Dan.

5520 - version 8.4

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
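When triaging a trace like the one above, the first thing to pull out is which phase dropped the packet and which configured rule that phase was evaluating, since the drop-reason at the bottom ("acl-drop ... denied by configured rule") is generic and does not name the rule. The following is an added example, not part of the post and not an ASA or Cisco tool: a small Python parser that splits packet-tracer output into per-phase records and reports the dropping phase together with its Config lines. The sample input is the post's own packet-tracer text, re-broken onto separate lines; the phase/summary layout it assumes (Phase:, Type:, Subtype:, Result:, Config:, then a bare Result: block with Action: and Drop-reason:) is the layout shown in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The packet-tracer output quoted in the post (only phases 3 and 8 were
# included there), re-broken into one field per line.
SAMPLE = """\
fw# packet-tracer input outside tcp 222.222.222.222 1080 192.168.75.208 81

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object http-81 any object laptop-pat

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) after-auto source dynamic laptop internet-75

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""


# Keys that terminate a Config: block inside a phase.
_SECTION_KEYS = ("Phase:", "Result:", "Additional Information:", "Config:")


def parse_packet_tracer(text: str) -> Trace:
    """Split packet-tracer output into per-phase records plus the final summary."""
    trace = Trace()
    current: Optional[Phase] = None
    in_config = False
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            trace.phases.append(current)
            in_config = in_summary = False
            continue
        if line == "Result:":  # a bare "Result:" opens the final summary block
            in_summary, in_config, current = True, False, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            if key == "Action":
                trace.action = value.strip()
            elif key == "Drop-reason":
                trace.drop_reason = value.strip()
            continue
        if current is None:  # e.g. the echoed command line before phase 1
            continue
        if line == "Config:":
            in_config = True
            continue
        if in_config and not line.startswith(_SECTION_KEYS):
            current.config.append(line)  # rule text the phase evaluated
            continue
        in_config = False
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Type":
            current.type = value
        elif key == "Subtype":
            current.subtype = value
        elif key == "Result":
            current.result = value
    return trace


def drop_phase(trace: Trace) -> Optional[Phase]:
    """First phase whose Result is DROP, i.e. where the packet died."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def summarize(trace: Trace) -> str:
    """One-line verdict naming the dropping phase and the rule it was applying."""
    p = drop_phase(trace)
    if p is None:
        return "allowed: %s" % (trace.action or "no drop phase")
    return "dropped in phase %d (%s/%s) by: %s" % (
        p.number, p.type, p.subtype, "; ".join(p.config))


if __name__ == "__main__":
    print(summarize(parse_packet_tracer(SAMPLE)))
```

Run against the post's trace this reports phase 8 (NAT/rpf-check) and the after-auto dynamic rule as the rule being applied, which is the rule the poster expected the new auto-NAT object to take precedence over; that is the line to compare against the NAT table ordering (show nat) rather than the generic drop-reason.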