Cisco Support Community

Pix Firewall NAT issue, NAT Exempt failed rpf

Hi Guys,

I am having an issue with static NAT on an old PIX.

I have a static in place from outside, inside correctly configured with an external host on the outside translated to an internal address on the inside.

static (inside,outside) 10.x.x.156 194.x.x.1 mask 255.255.255.255

The pix also has a nat 0 configured with an access-list on the inside and also a global catch all for everything else.

nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0

Currently traffic is not reaching the external host, and when I perform a packet capture on the inside interface I see no traffic leaving (194.x.x.1); however, I do see traffic arriving on the inside destined for the server (10.x.x.156).

When I run packet-tracer I get the following error:

NAT Exempt, rpf-error, Action -Drop.

I have tried adding the hosts to the no-nat rule...

Any ideas? I can't understand why the static does not take precedence; it is seen as a translation first.

Thanks

Scott

2 REPLIES

Hi,

So you are saying that you are attempting to translate an external address to an internal address?

Then you got the interface names wrong on the "static" command.

It should be

static (outside,inside) 10.x.x.156 194.x.x.1 mask 255.255.255.255

As the format basically is

static (realint,mappedint) <mapped ip> <real ip> netmask <mask>

So in your case the real source interface is "outside" and the mapped interface is the "inside", and the mapped IP address is the private IP address and the real IP address is the public IP address.

I am not sure if this corrects your problem yet. If you are using "packet-tracer" to test, then you should see the traffic from "inside" match the "static" rule in a NAT phase (UN-NAT) at the very start. It should also match a dynamic PAT rule in a later NAT phase.

- Jouni

Hi Scott,

Your problem is this: please swap the places of the IP addresses in your NAT.

static (inside,outside) 194.x.x.1 10.x.x.156 mask 255.255.255.255

Also make sure that traffic destined to "194.x.x.1 10.x.x.156" is not included in the NAT exemption.

Let me know if this helps.

Thanks

Rizwan Rafeek
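The two replies above read the same `static` line in two different ways: Jouni says the interface pair is reversed, Rizwan says the IP order is reversed, and Rizwan adds that the host must not also fall under the `nat (inside) 0 access-list` exemption. The following script is an added example, not code from either poster or from Cisco, that mechanically applies both readings. It assumes the argument order Jouni quotes (`static (realint,mappedint) <mapped ip> <real ip> netmask <mask>`), assumes pre-8.3 PIX ACL syntax with real masks rather than wildcards, and uses constructed documentation-range addresses in place of the x'ed-out ones in the thread. Given where the real host actually lives, it reports which swap would make the line say that, and lists any nat 0 ACL entries that would pull the host's traffic away from the static.

```python
"""Sanity-check PIX-style 'static' NAT lines and nat 0 exemptions (added example).

Argument order assumed, as Jouni's reply states it:
    static (real_if,mapped_if) <mapped_ip> <real_ip> netmask <mask>
All addresses below are constructed (RFC 5737 documentation ranges) and stand
in for the x'ed-out addresses in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*(?P<real_if>[\w-]+)\s*,\s*(?P<mapped_if>[\w-]+)\s*\)"
    r"\s+(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)"
    r"(?:\s+(?:netmask|mask)\s+(?P<mask>\S+))?\s*$"
)

# access-list <name> [extended] permit ip <src> <dst>; each side is
# 'host A.B.C.D', 'any' or 'A.B.C.D MASK' (PIX ACLs use real masks, not wildcards).
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$"
)


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    mask: str

    def describe(self) -> str:
        return (f"host {self.real_ip} on '{self.real_if}' is reachable as "
                f"{self.mapped_ip} from '{self.mapped_if}'")

    def render(self) -> str:
        return (f"static ({self.real_if},{self.mapped_if}) {self.mapped_ip} "
                f"{self.real_ip} netmask {self.mask}")


def parse_static(line: str) -> StaticNat:
    m = STATIC_RE.match(line)
    if not m:
        raise ValueError(f"not a static NAT line: {line!r}")
    return StaticNat(m["real_if"], m["mapped_if"], m["mapped_ip"], m["real_ip"],
                     m["mask"] or "255.255.255.255")


def diagnose(line: str, real_ip: str, real_if: str) -> List[Tuple[str, str]]:
    """Compare a static line with where the real host actually sits.

    Returns [] when the line already says 'real_ip lives on real_if'; otherwise a
    list of (problem, corrected line). Both readings from the thread are covered:
    swapped IP order (Rizwan) and swapped interface order (Jouni).
    """
    s = parse_static(line)
    if s.real_ip == real_ip and s.real_if == real_if:
        return []
    fixes: List[Tuple[str, str]] = []
    if s.mapped_ip == real_ip and s.real_if == real_if:
        swapped = StaticNat(s.real_if, s.mapped_if, s.real_ip, s.mapped_ip, s.mask)
        fixes.append(("mapped/real IP order reversed", swapped.render()))
    if s.real_ip == real_ip and s.mapped_if == real_if:
        swapped = StaticNat(s.mapped_if, s.real_if, s.mapped_ip, s.real_ip, s.mask)
        fixes.append(("real/mapped interface order reversed", swapped.render()))
    if not fixes:
        fixes.append(("line does not translate the given host on that interface", s.render()))
    return fixes


def _network(field: str) -> ipaddress.IPv4Network:
    """Turn an ACL address field ('any', 'host X', 'X MASK') into a network."""
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if field.startswith("host"):
        return ipaddress.ip_network(field.split()[1] + "/32")
    addr, mask = field.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def nat_exempt_hits(acl_lines: List[str], acl_name: str, src_ip: str, dst_ip: str) -> List[str]:
    """Entries of the nat 0 ACL that would exempt src->dst from translation.

    A non-empty result for the static's real host means the exemption competes
    with the static, which is what Rizwan's reply says to rule out.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for line in acl_lines:
        m = ACL_RE.match(line)
        if m and m["name"] == acl_name and src in _network(m["src"]) and dst in _network(m["dst"]):
            hits.append(line.strip())
    return hits


# Constructed sample config mirroring the post's shape (addresses are placeholders).
SAMPLE_STATIC = "static (inside,outside) 10.0.0.156 198.51.100.1 mask 255.255.255.255"
SAMPLE_NO_NAT = [
    "access-list no-nat permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list no-nat permit ip host 10.0.0.156 any",
]

if __name__ == "__main__":
    print(parse_static(SAMPLE_STATIC).describe())
    for problem, fixed in diagnose(SAMPLE_STATIC, "10.0.0.156", "inside"):
        print(f"{problem}: {fixed}")
    for problem, fixed in diagnose(SAMPLE_STATIC, "198.51.100.1", "outside"):
        print(f"{problem}: {fixed}")
    for hit in nat_exempt_hits(SAMPLE_NO_NAT, "no-nat", "10.0.0.156", "203.0.113.5"):
        print("exempted by:", hit)
```

Run with the sample as-is and `diagnose` produces Rizwan's line when told the real host is 10.0.0.156 on inside, and Jouni's line when told it is 198.51.100.1 on outside; `nat_exempt_hits` then shows that the `host 10.0.0.156 any` entry in the no-nat list would still claim that host's traffic, which is the second thing Rizwan's reply asks to check.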
