NAT reverse path issue on ASA 8.3

Jul 21st, 2010

Tonight we upgraded our ASA from 8.2.2 to 8.3.1 and for the most part things are working ok but we are having some pretty significant issues related to nat exemption.  In our situation the remote vpn network is 10.100.100.0/24 and the internal network I am trying to reach could be 192.168.1.0/24 or 10.11.1.0/24.


The ASA is continuously spitting out error messages such as this:


Jul 21 2010 01:56:32: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.100.7 dst inside:192.168.1.18 (type 8, code 0) denied due to NAT reverse path failure


I have read other posts with any kind of resolution but some have suggested that I might essentially have duplicate entries for either the remote or internal networks.  I have posted my nat code below.  The P.P.P.x syntax would suggest a public IP address is being used...


Thanks for any help that can be provided.


nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,dmz) source static obj-192.168.1.4 obj-192.168.20.1 destination static obj-P.P.P.23 obj-10.10.4.23
nat (dmz,outside) source dynamic obj-10.10.4.0 obj-192.168.25.2 destination static obj-192.168.20.1 obj-192.168.1.4
nat (inside,any) source static any any destination static obj-10.10.4.0 obj-10.10.4.0
nat (inside,any) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
nat (inside,any) source static any any destination static DK-Chicago DK-Chicago
nat (inside,any) source static any any destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,any) source static any any destination static obj-10.10.20.0 obj-10.10.20.0
nat (inside,any) source static any any destination static obj-192.168.160.0 obj-192.168.160.0
nat (inside,any) source static any any destination static obj-192.168.16.0 obj-192.168.16.0
nat (inside,any) source static any any destination static obj-192.168.18.0 obj-192.168.18.0
nat (inside,any) source static any any destination static obj-172.30.254.0 obj-172.30.254.0
nat (inside,any) source static any any destination static obj-172.30.254.128 obj-172.30.254.128
nat (inside,any) source static any any destination static obj-10.16.0.0 obj-10.16.0.0
nat (inside,any) source static any any destination static obj-10.9.0.0 obj-10.9.0.0
nat (inside,any) source static any any destination static obj-10.2.0.0 obj-10.2.0.0
nat (inside,any) source static any any destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,any) source static any any destination static obj-192.168.200.0 obj-192.168.200.0
nat (inside,any) source static any any destination static obj-192.168.140.0 obj-192.168.140.0
nat (inside,any) source static dk-cryptoacl dk-cryptoacl destination static obj-10.0.0.0 obj-10.0.0.0
nat (inside,any) source static dk-cryptoacl dk-cryptoacl destination static PillarOakParkLAN-10.1.10.0 PillarOakParkLAN-10.1.10.0
nat (inside,outside) source dynamic obj-192.168.1.0 obj-192.168.25.1 destination static obj-192.168.20.1 obj-192.168.20.1
nat (dmz,outside) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
nat (dmz,outside) source static any any destination static DK-Chicago DK-Chicago
nat (dmz,outside) source static any any destination static obj-192.168.18.0 obj-192.168.18.0
nat (dmz,outside) source static any any destination static obj-192.168.15.0 obj-192.168.15.0
nat (dmz,outside) source static any any destination static obj-10.10.20.0 obj-10.10.20.0
nat (dmz,outside) source static any any destination static obj-192.168.160.0 obj-192.168.160.0
nat (dmz,outside) source static any any destination static obj-192.168.16.0 obj-192.168.16.0
nat (dmz,outside) source static any any destination static obj-10.16.0.0 obj-10.16.0.0
nat (dmz,outside) source static any any destination static obj-10.9.0.0 obj-10.9.0.0
nat (dmz,outside) source static any any destination static obj-10.2.0.0 obj-10.2.0.0
nat (dmz,outside) source static any any destination static obj-192.168.140.0 obj-192.168.140.0
nat (dmz,outside) source static any any destination static PillarOakParkLAN-10.1.10.0 PillarOakParkLAN-10.1.10.0
nat (dmz,outside) source static any any destination static obj-10.0.0.0 obj-10.0.0.0
nat (dmz,dmz) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
nat (dmz,dmz) source static any any destination static DK-Chicago DK-Chicago
nat (dmz,dmz) source static any any destination static obj-192.168.18.0 obj-192.168.18.0
nat (dmz,dmz) source static any any destination static obj-192.168.15.0 obj-192.168.15.0
nat (dmz,dmz) source static any any destination static obj-10.10.20.0 obj-10.10.20.0
nat (dmz,dmz) source static any any destination static obj-192.168.160.0 obj-192.168.160.0
nat (dmz,dmz) source static any any destination static obj-192.168.16.0 obj-192.168.16.0
nat (dmz,dmz) source static any any destination static obj-10.16.0.0 obj-10.16.0.0
nat (dmz,dmz) source static any any destination static obj-10.9.0.0 obj-10.9.0.0
nat (dmz,dmz) source static any any destination static obj-10.2.0.0 obj-10.2.0.0
nat (dmz,dmz) source static any any destination static obj-192.168.140.0 obj-192.168.140.0
nat (dmz,dmz) source static any any destination static PillarOakParkLAN-10.1.10.0 PillarOakParkLAN-10.1.10.0
nat (dmz,dmz) source static any any destination static obj-10.0.0.0 obj-10.0.0.0
nat (dmz,outside) source static obj-10.10.4.20 obj-P.P.P.20 dns
nat (dmz,outside) source static obj-10.10.4.21 obj-P.P.P.21 dns
nat (dmz,outside) source static obj-10.10.4.22 obj-P.P.P.22 dns
nat (dmz,outside) source static obj-10.10.4.24 obj-P.P.P.24 dns
nat (dmz,outside) source static obj-10.10.4.25 obj-P.P.P.25 dns
nat (dmz,outside) source static obj-10.10.4.26 obj-P.P.P.26 dns
nat (dmz,outside) source static obj-10.10.4.18 obj-P.P.P.28 dns
nat (dmz,outside) source static obj-10.10.4.30 obj-P.P.P.30 dns
nat (dmz,outside) source static obj-10.10.4.31 obj-P.P.P.31 dns
nat (dmz,outside) source static obj-10.10.4.32 obj-P.P.P.32 dns
nat (dmz,outside) source static obj-10.10.4.23 obj-P.P.P.23 dns
nat (dmz,outside) source dynamic obj-10.10.4.0 obj-192.168.25.2 destination static obj-192.168.20.1 obj-192.168.20.1
!
object network obj-192.168.1.4
nat (outside,inside) static 192.168.20.1
object network obj-192.168.1.18
nat (inside,outside) static P.P.P.18
object network obj-192.168.1.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.10.4.20
nat (dmz,outside) static P.P.P.20
object network obj-10.10.4.21
nat (dmz,outside) static P.P.P.21
object network obj-10.10.4.22
nat (dmz,outside) static P.P.P.22
object network obj-10.10.4.24
nat (dmz,outside) static P.P.P.24
object network obj-10.10.4.25
nat (dmz,outside) static P.P.P.25
object network obj-10.10.4.26
nat (dmz,outside) static P.P.P.26
object network obj-10.10.4.18
nat (dmz,outside) static P.P.P.28
object network obj-10.10.4.30
nat (dmz,outside) static P.P.P.30
object network obj-10.10.4.31
nat (dmz,outside) static P.P.P.31
object network obj-10.10.4.32
nat (dmz,outside) static P.P.P.32
object network obj-10.10.4.0
nat (dmz,outside) dynamic P.P.P.100
object network obj-192.168.1.4-01
nat (outside,dmz) static 192.168.20.1
object network obj-10.100.100.0
nat (outside,outside) dynamic P.P.P.100
object network obj-192.168.16.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.16.0.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.9.0.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.2.0.0
nat (inside,outside) dynamic P.P.P.100
object network obj-192.168.2.0
nat (inside,outside) dynamic P.P.P.100
object network obj-192.168.200.1
nat (inside,outside) dynamic P.P.P.100
object network obj-192.168.9.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.11.0.0
nat (inside,outside) dynamic P.P.P.100

Nagaraja Thanthry (Cisco Employee) Wed, 07/21/2010 - 06:49

Hello,


From your configuration, I can see that there are a few statics stating that 192.168.0.0 is on the outside interface


nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.0.0 obj-192.168.0.0


I am not certain about the mask you are using. But if your mask is /16, then that explains the conflict. If you are using a /16 mask, please rewrite these statics with specific network segments.


Hope this helps.


Regards,


NT
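A model of the check behind %ASA-5-305013, written as an added example for this thread (it is not Cisco's code and not something either poster ran). It walks the thread's four (outside,outside) identity statics and the inside-to-VPN exemption in configured order, first with the /16 and /8 masks the reply suspects (assumed, since the thread never shows the object definitions) and then with /24 masks, and reports whether the forward and reply flows of the logged ICMP packet land on the same rule. The lookup is simplified: only the ingress interface is compared, and static rules are tried in both orientations.

```python
import ipaddress

# Constructed object definitions. The thread never shows the masks: the /16 and /8
# are the assumption raised in the reply, the /24 variant is the suggested fix.
OBJECTS_WIDE = {
    "any": "0.0.0.0/0",
    "obj-192.168.0.0": "192.168.0.0/16",
    "obj-10.0.0.0": "10.0.0.0/8",
    "obj-10.100.100.0": "10.100.100.0/24",
}
OBJECTS_NARROW = {**OBJECTS_WIDE,
                  "obj-192.168.0.0": "192.168.0.0/24", "obj-10.0.0.0": "10.0.0.0/24"}

# Manual NAT (section 1) rules from the thread, in configured order:
# (real interface, mapped interface, source object, destination object).
RULES = [
    ("outside", "outside", "obj-192.168.0.0", "obj-10.0.0.0"),
    ("outside", "outside", "obj-192.168.0.0", "obj-192.168.0.0"),
    ("outside", "outside", "obj-10.0.0.0", "obj-192.168.0.0"),
    ("outside", "outside", "obj-10.0.0.0", "obj-10.0.0.0"),
    ("inside", "any", "any", "obj-10.100.100.0"),
]

def _in(addr, obj, objects):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(objects[obj])

def first_match(rules, objects, ingress, src, dst):
    """Index of the first rule covering the flow, or None. Static manual NAT is
    bidirectional, so each rule is tried in both orientations; 'any' matches
    every interface, and the egress interface is taken from the rule."""
    for i, (rin, rout, rsrc, rdst) in enumerate(rules):
        if rin in (ingress, "any") and _in(src, rsrc, objects) and _in(dst, rdst, objects):
            return i
        if rout in (ingress, "any") and _in(src, rdst, objects) and _in(dst, rsrc, objects):
            return i
    return None

def reverse_path_check(rules, objects, ingress, egress, src, dst):
    """Forward packet and its reply must land on the same rule; if they do not,
    the ASA treats the NAT as asymmetric and drops the connection (305013)."""
    fwd = first_match(rules, objects, ingress, src, dst)
    rev = first_match(rules, objects, egress, dst, src)
    return fwd, rev, fwd == rev

if __name__ == "__main__":
    flow = ("outside", "inside", "10.100.100.7", "192.168.1.18")  # from the log line
    for label, objs in (("/16 objects", OBJECTS_WIDE), ("/24 objects", OBJECTS_NARROW)):
        fwd, rev, ok = reverse_path_check(RULES, objs, *flow)
        print(f"{label}: forward rule {fwd}, reverse rule {rev} -> {'ok' if ok else 'ASYMMETRIC'}")
```

With the wide masks the ICMP packet is claimed by the first (outside,outside) static while the reply hits the inside exemption, which is the mismatch the log reports; with /24 objects both directions fall to the same exemption rule.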
