asymmetric nat?

pauloroque
Level 1

Hi All.

I have this problem. I manage a remote datacenter network from an ASA outside interface.

The same host must be accessed from outside by customers by its natted IP address (200.x.x.1) and, at the same time, by staff by its real IP (10.x.x.1) "AND" by its natted address. Until now no problem, I thought. I created a static NAT and a NAT exemption this way (10.x.50.0/24 is the staff network):

access-list NO-NAT extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0

nat (dmz) 0 access-list NO-NAT tcp 0 0 udp 0

static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255

But this way the machine can be accessed by its natted IP address by anyone, including staff. But it cannot be accessed by its real IP address. ASA 8.2 gives the following error message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src xxxx/kk dest yyyy/jj denied due to NAT reverse path failure.

Is there any way to access a host using BOTH natted AND real IP address? Routers don't seem to bother with this.

Paulo Roque

4 Replies

sdoremus33
Level 3

You can have a look at this document which describes NAT order of operations.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

"Is there any way to access a host using BOTH natted AND real IP address?"

If there is I am also curious if this is possible.

cmcbride
Level 1

One possible solution is for the host to have 2 IP addresses. One is NATed to and the other is the 'real' IP.

Another solution might be to utilize an access-list with a static NAT. I'm not sure that this would work in your case though.

access-list NAT-acl extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0

static (dmz,outside) 10.x.x.1 access-list NAT-acl

static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255

Like I said, that may not work though.

cmcbride,

I tried like you said. But it did not work. The problem is that when I ping the address 200.x.x.1, in the inbound direction the echo-request packet gets translated by the second rule, but the echo-reply in the opposite direction was translated by the first rule. Again asymmetric NAT.

Thx

Paulo Roque
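The failure Paulo describes above is a reverse-path consistency check: the firewall works out which rule un-translates the inbound packet, then which rule would translate the reply, and drops the connection when the two do not agree. The following Python model is an added illustration, not code from this thread or from Cisco, and it does not reproduce the ASA's real NAT order of operations; it only encodes what the thread states (first matching rule wins in each direction, regular static evaluated after the policy static because it was entered second). The addresses 10.0.2.1, 200.0.0.1, 10.0.50.0/24 and 198.51.100.7 are constructed placeholders standing in for the obfuscated ones in the posts.

```python
"""Toy model of a NAT reverse-path check (constructed example, not ASA code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class StaticRule:
    """One static translation. dest_net is set for a policy static
    (the translation applies only to flows toward that outside network)."""
    name: str
    real_ip: str                    # address as seen on the dmz side
    mapped_ip: str                  # address as seen on the outside side
    dest_net: Optional[str] = None  # None = regular static (any destination)

    def matches_outbound(self, src, dst) -> bool:
        if src != ip_address(self.real_ip):
            return False
        return self.dest_net is None or dst in ip_network(self.dest_net)

    def matches_inbound(self, src, dst) -> bool:
        if dst != ip_address(self.mapped_ip):
            return False
        return self.dest_net is None or src in ip_network(self.dest_net)


def translate_outbound(rules: List[StaticRule], src, dst):
    """dmz -> outside: first matching rule rewrites the source."""
    for rule in rules:
        if rule.matches_outbound(src, dst):
            return rule.name, ip_address(rule.mapped_ip)
    return None, src  # no rule: source passes untranslated


def untranslate_inbound(rules: List[StaticRule], src, dst):
    """outside -> dmz: first matching rule restores the real destination."""
    for rule in rules:
        if rule.matches_inbound(src, dst):
            return rule.name, ip_address(rule.real_ip)
    return None, dst


def check_inbound_flow(rules: List[StaticRule], outside_src: str,
                       outside_dst: str) -> Tuple[Optional[str], Optional[str], bool]:
    """For a connection initiated from outside, return
    (rule used for the forward packet, rule the reply would use,
     True if the reply's source equals the address the client sent to)."""
    src, dst = ip_address(outside_src), ip_address(outside_dst)
    fwd_rule, real_dst = untranslate_inbound(rules, src, dst)
    rev_rule, reply_src = translate_outbound(rules, real_dst, src)
    return fwd_rule, rev_rule, reply_src == dst


# cmcbride's proposal, in the order it was entered (constructed addresses):
#   static (dmz,outside) 10.x.x.1 access-list NAT-acl   -> identity, staff net only
#   static (dmz,outside) 200.x.x.1 10.x.x.1 netmask ...  -> regular static
CMCBRIDE_RULES = [
    StaticRule("policy-static-staff", "10.0.2.1", "10.0.2.1", "10.0.50.0/24"),
    StaticRule("static-200", "10.0.2.1", "200.0.0.1"),
]


if __name__ == "__main__":
    cases = [
        ("10.0.50.5", "200.0.0.1"),    # staff -> mapped address (Paulo's ping)
        ("10.0.50.5", "10.0.2.1"),     # staff -> real address
        ("198.51.100.7", "200.0.0.1"), # customer -> mapped address
    ]
    for src, dst in cases:
        fwd, rev, ok = check_inbound_flow(CMCBRIDE_RULES, src, dst)
        verdict = "ok" if ok else "ASYMMETRIC: reverse path failure"
        print(f"{src:>13} -> {dst:<10} fwd={fwd:<20} rev={rev:<20} {verdict}")
```

Running it shows the single broken combination: staff to the mapped address is un-translated by the regular static but the reply matches the policy static first, so the reply would leave sourced from 10.0.2.1 instead of 200.0.0.1; staff to the real address and customers to the mapped address are both symmetric. That is the same mismatch the %ASA-5-305013 message reports, and it is why adding a second, more specific static on the same real host does not give "both addresses from the same client".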
