Denied due to NAT reverse path failure

Unanswered Question
Jan 7th, 2010
User Badges:

Hello list,


I was hoping someone could offer any suggestions on how to go about troubleshooting this particular issue further or maybe explain in details what this error message really means?  Please note that this setup has been working all along and there isn't anything special that I believe has been implemented on the ASA to complicate the setup or for that fact break it.


Data path:


The basic scenario includes a Global-to-Local NAT on the ASA FW.  The client initiates a tcp connection to a routable IP which is a one-to-one NAT from the outside-to-inside interfaces.


Here is the running-config:


access-list outside_access_in extended permit ip 10.24.14.0 255.255.255.0 host 10.84.14.121
static (inside,outside) 10.84.14.121 172.26.48.3 netmask 255.255.255.255

nat-control

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 172.26.48.0 255.255.255.0 10.24.14.0 255.255.255.0


FW# show xlate detail interface outside debug global 10.84.14.121

NAT from inside:172.26.48.3  to outside:10.84.14.121 flags s idle 0:19:23 timeout 0:00:00


Capturing traffic on the "outside" interface:


1: 04:45:57.481313 802.1Q vlan#111 P0 10.24.14.1.11919 > 10.84.14.121.30000: S 4092650306:4092650306(0) win 5840 <mss 1300,sackOK,timestamp 3923221967 0,nop,wscale 8,opt-33:1900145e8450f5070000>
   2: 04:46:00.482122 802.1Q vlan#111 P0 10.24.14.1.11919 > 10.84.14.121.30000: S 4092650306:4092650306(0) win 5840 <mss 1300,sackOK,timestamp 3923224967 0,nop,wscale 8,opt-33:1900145e8450f5070000>


"show log" indicates:


<165>:Jan 07 21:14:10 UTC: %ASA-session-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.24.14.1/11919 dst inside:10.84.14.121/30000 denied due to NAT reverse path failure


Here is the "packet-tracer" output from the FW:


FW#  packet-tracer input outside tcp 10.24.14.1 1024 10.84.14.121 30000 detailed


Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x1c4dbb78, priority=6, domain=nat-exempt-reverse, deny=false
    hits=75, user_data=0x1c371e68, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=10.24.14.0, mask=255.255.255.0, port=0
    dst ip=172.26.0.0, mask=255.255.0.0, port=0, dscp=0x0


Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Loading.
Kureli Sankar Fri, 01/08/2010 - 05:34
User Badges:
  • Cisco Employee,

I believe you need the following:


access-list inside_nat0_outbound line 1 deny ip host 172.26.48.3 host 10.24.14.1


Either the above or the host on the outside should talk to the inside host using its private address (172.26.48.3) and not the translated address.


-KS

If the host 172.26.48.3, or the parent network, isn't in the NAT exempt allow, it is implicitly denied. Only if the aggregate network is in the exempt, would you explicitly need to deny it serially ahead of the allow.


Sadly, ASA doesn't seem to have a notion of state associated with NATs where assumed SNAT on reverse for a static DNAT forward, overrides exempt on the return.


I'd scream RFE to Cisco, unless the enhancement further breeds sloppiness.

fadlouni Fri, 12/10/2010 - 06:15
User Badges:
  • Bronze, 100 points or more

Hi.


About statefullness of NAT, this was there in older ASA images, i think somehwere in 8.2 this got broken. but after CSCth72642 NAT is statefullness is fixed.


Regards,

Fadi.

Maykol Rojas Sat, 01/29/2011 - 21:17
User Badges:
  • Cisco Employee,
  • Participante Destacado,

    Mejor Publicación, Diciembre del 2015

Hello,


Totally Agree with Sankar, you are hitting one Nat statement (the static) and then in the return, as per the NAT order of operations, it wont use the Existing Xlate, it will use the NAT 0 statement


Try the workaround from Sankar, it will work for your problem.


Cheers


Mike

hibbert.miller Mon, 03/21/2011 - 05:55
User Badges:


Hello,

I have posted on this thread as I am having the exact same problem, but have not been able to resolve it by following the suggestions provided. I should point out that I have limited experience with this gear, so please bear with me.


I have established a VPN between two ASA 5520 units, one of which has a public IP address on the outside interface and the other is behind a DSL modem that has a public IP on the outside, but has a 192.168.2.1 address on the inside, which gives my second ASA a 192.168.2.2 address on it's outside interface.


The inside networks of each ASA are 192.168.49.0 and 192.168.6.0. Each end can successfully connect to other systems on the Internet, but the issue of using remote desktop on from the inside to the inside is where I am getting the dreaded "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.6.100/61013 dst inside:192.168.49.100/3389 denied due to NAT reverse path failure" message. Note that the ASA with the 192.168.6.0 network is fine when connecting to several ASA's with 192.168.X.0 networks on the inside, and it is only this one that is causing issue for me, so I don't think I need to change the configuration on it.


I believe I understand why it is happening based on the explanations provided; when the packets try to go back to the 192.168.6.0 network, my rule that says anything going over the tunnel should be exempt from NAT, so they end up lost in the 192.168.2.0 network between the ASA and the DSL modem. As stated above, I can see that the IPSec tunnel is successfully established, so I really just need to figure out what is happening with the NAT.


Further complicating matters is the fact that I do not have CLI access to the ASA, and must use the ASDM. I have copied the lines that I believe are relevant from the config.



access-list inside_access_in extended permit ip any object 192.168.6.0
access-list outside_access_in extended permit ip object-group 192.168.6.0 any



access-list outside_1_cryptomap extended permit ip 192.168.49.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside,outside) source static 192.168.49.0 destination static 192.168.6.0


(Clue? I noticed that the translate/untranslate hits are 0 for this)


Any help gratly appreciated,


Hib

Michael Thwaite Tue, 12/02/2014 - 07:57
User Badges:

Hi

 

we came across the same error message of Asymmetric Nat deny rules.

 

to resolve this I added a new NAT rule in the ASDM GUI, above the default NAT which sends all traffic out on the outbound interface IP. the rule was as shown below.

 


 

hope this helps people out.

 

Carl.

 

 

 

 

Actions

This Discussion