Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
282
Views
0
Helpful
2
Replies

Pix Firewall NAT issue, NAT Exempt failed rpf

scott-goodwin
Level 1
Level 1

‎10-06-2014 03:27 AM - edited ‎03-11-2019 09:52 PM

Hi Guys,

I am having an issue with static NAT on an old PIX.

I have a static in place from outside, inside correctly conifgured with an external host on the outside translated to an internal address on the inside.

static (inside,outside) 10.x.x.156 194.x.x.1 mask 255.255.255.255

The pix also has a nat 0 configured with an access-list on the inside and also a global catch all for everything else.

nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0

Currently traffic is not reaching the external host and when I perform a packet capture on the inside interface I see no traffic leaving (194.x.x.1), however i do see traffic arriving on the inside destined for the server (10.x.x.156)
 

When I run packet-tracer I get the following error;

NAT Exempt, rpf-error, Action -Drop.

I have tried adding the hosts to the no-nat rule...

Any ideas, I cant understand why the static does not take precedence, it is see as a translation first..

Thanks

Scott

 

 

 

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎10-06-2014 03:55 AM

Hi,

 

So you are saying that you are attempting to translate an external address to an internal address?

 

Then you got the interface names wrong on the "static" command

 

It should be

 

static (outside,inside) 10.x.x.156 194.x.x.1 mask 255.255.255.255

 

As the format basically is

 

static (realint,mappedint) <mapped ip> <real ip> netmask <mask>

 

So in your case the real source interface is "outside" and the mapped interface is the "inside" and the mapped IP address is the private IP address and the real IP address is the public IP address.

 

I am not sure if this corrects your problem yet. If you are using "packet-tracer" to test then you should see the traffic from "inside" match the "static" rune in a NAT Phase (UN-NAT) at the very start. It should also match a Dynamic PAT rule in a later NAT Phase.

 

- Jouni

 

 

0 Helpful

rizwanr74
Level 7
Level 7

‎10-06-2014 01:50 PM

Hi Scott,

 

Your problem is this, please swap the IP addresses place in your nat.

static (inside,outside) 194.x.x.1 10.x.x.156 mask 255.255.255.255

Also make sure, that traffic destined to "194.x.x.1 10.x.x.156" not included for nat-exemption.

   

Let me know if this helps.

 

Thanks

Rizwan Rafeek

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card