ASA5510 rpf-check drop when translating IP

Jamie Joh
Level 1

Hey all,

We are currently having an ASA setup as a NAT to translate outside IPs to our internal LAN IPs which is all working fine.

However, our city council has a printer which sends a job through to an IP address (10.100.1.20) which can no longer be accessed due to the NAT, so we need to translate that IP from 10.100 to our internal LAN IP of 172.29.8.20. However, we keep getting an error message on the packet test.

rpf check dropped acl-drop flow is denied by configured rule vpn

I don't currently have access to the ASA to be able to get a show run, but I was reading another question on this site and was wondering if it was relevant to my problem: https://supportforums.cisco.com/thread/1003401

The solution given by Sankar was: "

I believe you need the following:

access-list inside_nat0_outbound line 1 deny ip host 172.26.48.3 host 10.24.14.1

Either the above or the host on the outside should talk to the inside host using its private address (172.26.48.3) and not the translated address.

"

Many thanks for any help.

13 Replies

jumora
Level 7

I am not getting it, maybe you can explain a little better with topology map.

If what you have is an outside NAT or PAT then you need to configure a NAT exemption or static policy NAT so that you can map this address with two global address (private IP and global IP).

I need more detail.

Value our effort and rate the assistance!

Apologies if it wasn't very well explained.

We are a school that is on a city council network and recently changed providers, however our current internal IP scope clashed with another school so we had to have the ASA installed to work as a NAT.

Our admin team use a system where they log in to a virtual desktop which used to send a print to the IP of 172.29.8.20, which went directly to our printer. However, due to moving providers, the printer now sends to the IP of 10.100.1.20, and the ASA is blocking this coming through (we've tested without the ASA), so we need it to translate that 10.100 IP and give it a route to 172.29. However, on the packet trace we are getting:

rpf check dropped acl-drop flow is denied by configured rule vpn on the outside test, and rpf-violation - reverse route verification failed on an inside test.

Hopefully that explains it better.

Many thanks

Can you post the packet tracer or run it through CLI

Value our effort and rate the assistance!

Here is the packet trace.

TSTC-FW(config)# packet-tracer input outside tcp 10.100.104.20 9100 172.29.8.2$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.29.8.0      255.255.248.0   inside

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.100.104.0    255.255.248.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 172.29.8.20 eq 9100
access-list outside_access_in remark Form Pearson Exam Software
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Many thanks
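To make the dropping phase easier to spot in output like the trace above, here is an added Python helper (not from this thread or from Cisco) that splits a packet-tracer transcript into its phases and returns the first phase that dropped the packet together with the rule listed under its Config; the transcript it runs on is a constructed sample shaped like the one posted above.

```python
import re
# Constructed sample shaped like the thread's packet-tracer output (not from a real device).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW

Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network TSTC-Printing
nat (inside,outside) static 10.100.104.20 service tcp 9100 9100
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, drop_reason); drop_reason is None when the packet was allowed."""
    phases, drop_reason, current, section = [], None, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:  # a new phase block starts here
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            current = None
        elif line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
        elif current is not None:
            key, sep, value = line.partition(":")
            key = key.strip().lower()
            if sep and key in ("type", "subtype", "result"):
                current[key] = value.strip()
            elif key in ("config", "additional information"):
                section = key  # lines that follow belong to this section
            elif section == "config":
                current["config"].append(line)  # the rule the phase matched
    return phases, drop_reason

def first_drop(text):
    """First phase whose Result is DROP, with the final Drop-reason attached, else None."""
    phases, reason = parse_trace(text)
    hit = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return dict(hit, drop_reason=reason) if hit else None
```

Running first_drop on the trace from this thread points at phase 6 (NAT, rpf-check) and prints the static NAT object, which is the rule jumora goes on to explain.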

object network TSTC-Printing

nat (inside,outside) static 10.100.104.20 service tcp 9100 9100

The packet tracer indicated that you are coming from 10.100.104.20 to 172.29.8.20 9100 but it seems that you mapped it on the ASA to object TSTC-Printing.

Question here is, are you running the packet tracer correctly or should that NAT not be in place.

Based on your notes:

Our admin team use a system where they login to a virtual desktop which used to send a print to the IP of 172.29.8.20 which went directly to our printer however due to moving providers the printer now sends to the IP of 10.100.1.20, the ASA is blocking this coming through (We've tested without the ASA) so we need it to translate that 10.100 IP and give it a route to 172.29

I will explain what you are posting on the packet tracer

packet-tracer input outside tcp 10.100.104.20 9100 172.29.8.20 9100

You're an IP that resides on the outside, that is 10.100.104.20, and you want to connect to 172.29.8.20 on TCP port 9100.

I think it is incorrect, but you tell me: are connections really coming into the ASA from 10.100.104.20 to 172.29.8.20?

Value our effort and rate the assistance!

Unfortunately that NAT was set up by the people who installed the ASA, so I'm not 100% sure on it.

Basically that printer on the virtual desktop prints to the IP of 100.100.104.20, which is one of the assigned IPs given to our ASA (I believe we have 104.1-104.20). I need the ASA to translate that request to a printer that has an internal IP on our network of 172.29.8.20.

Many thanks for your help.

Then it seems that you are running the packet tracer incorrectly,

Try for example any other IP that is not the 10.100.104.20 as source, example:

packet-tracer input outside tcp 10.100.104.10 9100 172.29.8.20 9100

Let me know the result and post please.

Value our effort and rate the assistance!

Just tried with a different IP with the 172.29 being the destination and it came up with the same error. Is the NAT possibly set up incorrectly?

Many thanks

Sorry, my bad, it's like this:

packet-tracer input outside tcp 10.100.104.10 9100 10.100.104.20 9100

Value our effort and rate the assistance!

That trace worked fine. I only have access to the ASDM at the moment so can't copy the log, but it passed the RPF and also another set of IP options lookup and flow creation.

So how would I go about creating a NAT so that the print job sent to 10.100.104.20 gets forwarded on to 172.29.8.20? These are print jobs on port 9100.

Many thanks

That is the point, it is already created, the issue is that you were running the packet tracer incorrectly

If you want we can talk over skype: juanmh84 that is my ID, or when I get to work you can call my number, I get in around 40 min

Value our effort and rate the assistance!

After talking this over, it seems that your PCs are local to the printer but the login page points to the translated IP of 10.100.104.20.

Here is the configuration:

object network TSTC-Printing_internal
 host 172.29.8.20
object network TSTC-Printing_NAT_IP
 host 10.100.104.20

nat (inside,inside) source dynamic any interface destination static TSTC-Printing_NAT_IP TSTC-Printing_internal

same-security-traffic permit intra-interface

If you need anything else please let me know.

Value our effort and rate the assistance!

If the traffic is coming from the outside you can configure the same line just define outside.

nat (outside,inside) 1 source dynamic any interface destination static TSTC-Printing_NAT_IP TSTC-Printing_internal

Value our effort and rate the assistance!