Denied due to NAT reverse path failure

seltser_michael · ‎01-07-2010

Hello list,

I was hoping someone could offer any suggestions on how to go about troubleshooting this particular issue further or maybe explain in details what this error message really means? Please note that this setup has been working all along and there isn't anything special that I believe has been implemented on the ASA to complicate the setup or for that fact break it.

Data path:

The basic scenario includes a Global-to-Local NAT on the ASA FW. The client initiates a tcp connection to a routable IP which is a one-to-one NAT from the outside-to-inside interfaces.

Here is the running-config:

access-list outside_access_in extended permit ip 10.24.14.0 255.255.255.0 host 10.84.14.121
static (inside,outside) 10.84.14.121 172.26.48.3 netmask 255.255.255.255

nat-control

nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip 172.26.48.0 255.255.255.0 10.24.14.0 255.255.255.0

FW# show xlate detail interface outside debug global 10.84.14.121

NAT from inside:172.26.48.3 to outside:10.84.14.121 flags s idle 0:19:23 timeout 0:00:00

Capturing traffic on the "outside" interface:

1: 04:45:57.481313 802.1Q vlan#111 P0 10.24.14.1.11919 > 10.84.14.121.30000: S 4092650306:4092650306(0) win 5840 <mss 1300,sackOK,timestamp 3923221967 0,nop,wscale 8,opt-33:1900145e8450f5070000>
2: 04:46:00.482122 802.1Q vlan#111 P0 10.24.14.1.11919 > 10.84.14.121.30000: S 4092650306:4092650306(0) win 5840 <mss 1300,sackOK,timestamp 3923224967 0,nop,wscale 8,opt-33:1900145e8450f5070000>

"show log" indicates:

<165>:Jan 07 21:14:10 UTC: %ASA-session-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.24.14.1/11919 dst inside:10.84.14.121/30000 denied due to NAT reverse path failure

Here is the "packet-tracer" output from the FW:

FW# packet-tracer input outside tcp 10.24.14.1 1024 10.84.14.121 30000 detailed

Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x1c4dbb78, priority=6, domain=nat-exempt-reverse, deny=false
    hits=75, user_data=0x1c371e68, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=10.24.14.0, mask=255.255.255.0, port=0
    dst ip=172.26.0.0, mask=255.255.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

bagga_ajeet · ‎01-08-2010

Normal behavior: DNAT comes in. Return traffic is supposed to do SNAT out.

In this case, NAT exempt is explicitly denying the reverse SNAT when going back out.

This causes the ASA to DNAT coming in, but it doesn't SNAT when leaving.

Kureli Sankar · ‎01-08-2010

I believe you need the following:

access-list inside_nat0_outbound line 1 deny ip host 172.26.48.3 host 10.24.14.1

Either the above or the host on the outside should talk to the inside host using its private address (172.26.48.3) and not the translated address.

-KS

bagga_ajeet · ‎01-08-2010

If the host 172.26.48.3, or the parent network, isn't in the NAT exempt allow, it is implicitly denied. Only if the aggregate network is in the exempt, would you explicitly need to deny it serially ahead of the allow.

Sadly, ASA doesn't seem to have a notion of state associated with NATs where assumed SNAT on reverse for a static DNAT forward, overrides exempt on the return.

I'd scream RFE to Cisco, unless the enhancement further breeds sloppiness.

fadlouni · ‎12-10-2010

Hi.

About statefullness of NAT, this was there in older ASA images, i think somehwere in 8.2 this got broken. but after CSCth72642 NAT is statefullness is fixed.

Regards,

Fadi.

Maykol Rojas · ‎01-29-2011

Hello,

Totally Agree with Sankar, you are hitting one Nat statement (the static) and then in the return, as per the NAT order of operations, it wont use the Existing Xlate, it will use the NAT 0 statement

Try the workaround from Sankar, it will work for your problem.

Cheers

Mike

hibbert.miller · ‎03-21-2011

Hello,

I have posted on this thread as I am having the exact same problem, but have not been able to resolve it by following the suggestions provided. I should point out that I have limited experience with this gear, so please bear with me.

I have established a VPN between two ASA 5520 units, one of which has a public IP address on the outside interface and the other is behind a DSL modem that has a public IP on the outside, but has a 192.168.2.1 address on the inside, which gives my second ASA a 192.168.2.2 address on it's outside interface.

The inside networks of each ASA are 192.168.49.0 and 192.168.6.0. Each end can successfully connect to other systems on the Internet, but the issue of using remote desktop on from the inside to the inside is where I am getting the dreaded "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.6.100/61013 dst inside:192.168.49.100/3389 denied due to NAT reverse path failure" message. Note that the ASA with the 192.168.6.0 network is fine when connecting to several ASA's with 192.168.X.0 networks on the inside, and it is only this one that is causing issue for me, so I don't think I need to change the configuration on it.

I believe I understand why it is happening based on the explanations provided; when the packets try to go back to the 192.168.6.0 network, my rule that says anything going over the tunnel should be exempt from NAT, so they end up lost in the 192.168.2.0 network between the ASA and the DSL modem. As stated above, I can see that the IPSec tunnel is successfully established, so I really just need to figure out what is happening with the NAT.

Further complicating matters is the fact that I do not have CLI access to the ASA, and must use the ASDM. I have copied the lines that I believe are relevant from the config.

access-list inside_access_in extended permit ip any object 192.168.6.0
access-list outside_access_in extended permit ip object-group 192.168.6.0 any

access-list outside_1_cryptomap extended permit ip 192.168.49.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside,outside) source static 192.168.49.0 destination static 192.168.6.0

(Clue? I noticed that the translate/untranslate hits are 0 for this)

Any help gratly appreciated,

Hib

spkmparab124 · ‎11-11-2014

KS : You are awesome as always!!! keep up the good work!!

Network Team - LCC · ‎12-02-2014

Hi

we came across the same error message of Asymmetric Nat deny rules.

to resolve this I added a new NAT rule in the ASDM GUI, above the default NAT which sends all traffic out on the outbound interface IP. the rule was as shown below.

hope this helps people out.

Carl.

Neil Preeper · ‎02-03-2016

Worked like a charm! thank you sir !

robertramsey · ‎09-19-2016

This helped me also! - Thanks