Hi halijenn / experts,
I have configured outside NAT on an ASA so that traffic sourced from a public IP on the internet is NATted to a private IP on the inside.
Following is the error:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.40.1.7/4191 dst outside:18.104.22.168/80
denied due to NAT reverse path failure
Following is the config:
access-list OUT_NAT extended permit ip any any
global (inside) 2 10.2.2.1 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.40.0.0 255.255.0.0
nat (outside) 2 access-list OUT_NAT outside
Now my query is this: I believe it is most probably not working due to the "ip any any" mentioned in the access-list, and changing that should resolve the issue.
Please let me know if I am thinking correctly; however, I am not sure why it would affect the outbound traffic. I believe it should not work for inbound.
When you PAT a network on the inside to the outside interface address of the ASA, no host can reach the individual host on the inside because they are all hiding behind the PAT pool - correct?
So, when you hide the whole internet behind a PAT address (inside interface) the same rule applies. How can the inside hosts reach out to yahoo and google when they are all hiding behind a PAT pool?
Does this make sense?
With the way you have configured (permit ip any any) you will not be able to
browse internet from inside. However, outside clients can access your inside
server without any issue. To answer your second question, you need to use
the private IP in the access-list as the NAT rule is applied before traffic
exits your inside interface.
Hope this helps.
When you are trying to access an internet IP from the inside, the traffic
hits the firewall with source IP being your internal IP and destination IP
being an internet IP. When the packet exits the firewall, its source IP will
be natted to the interface IP (outside interface IP). However, there is no
rule to convert the destination IP (there is no destination NAT configured),
so the destination IP will be unchanged.
When the return traffic hits the firewall, the source IP will be the
internet server's IP and destination IP will be that of the outside interface
of the firewall. Now, as per the configuration you have, the source IP will
be converted to inside interface IP and destination IP (outside interface
IP) will be converted to corresponding inside host IP (based on xlate
Now, if you notice the two parts: when the traffic exits your firewall
towards the internet, the destination IP is unchanged; however, when the
reply traffic enters the firewall and exits towards your LAN, the source IP
will be NAT'ed. This is asymmetric in nature. Hence the firewall will
complain about it and block the traffic.
Hope this helps.
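To make the reverse-path reasoning above concrete, here is a small simulation (added example, not code from the thread or from Cisco) of the forward and reply translations for the config posted. The outside interface address 198.51.100.1, the partner network 203.0.113.0/24 and the inside server 10.40.1.100 are constructed values; the ASA's real policy NAT matching is richer than this model, which only captures the symmetry check the error message refers to.

```python
import ipaddress

OUTSIDE_IF_IP = "198.51.100.1"                     # constructed: global (outside) 1 interface
INSIDE_PAT_IP = "10.2.2.1"                         # from the thread: global (inside) 2 10.2.2.1
INSIDE_NET = ipaddress.ip_network("10.40.0.0/16")  # from the thread: nat (inside) 1 10.40.0.0 255.255.0.0

# Policy NAT ACLs as (source_net, destination_net) pairs.
ANY_ANY_ACL = [("0.0.0.0/0", "0.0.0.0/0")]          # the thread's "permit ip any any"
NARROW_ACL = [("203.0.113.0/24", "10.40.1.100/32")]  # constructed: partner net -> one inside server (private IP)

def acl_permits(acl, src, dst):
    """True if some (src_net, dst_net) entry of the policy NAT ACL matches this src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn) for sn, dn in acl)

def forward_flow(inside_host, internet_host):
    """inside -> outside: the inside source is PAT'd to the outside interface; the destination is untouched."""
    if ipaddress.ip_address(inside_host) not in INSIDE_NET:
        raise ValueError("no nat (inside) rule covers %s" % inside_host)
    return {"src": OUTSIDE_IF_IP, "dst": internet_host}

def reverse_flow(internet_host, inside_host, outside_acl):
    """outside -> inside reply: dst is un-PAT'd via the existing xlate back to inside_host;
    src is rewritten to the inside global only when the outside NAT ACL matches (real dst = private IP)."""
    src = INSIDE_PAT_IP if acl_permits(outside_acl, internet_host, inside_host) else internet_host
    return {"src": src, "dst": inside_host}

def reverse_path_check(inside_host, internet_host, outside_acl):
    """Mimic the ASA symmetry check: the reply's translated source must equal the forward
    flow's (untranslated) destination, and the reply's destination must be the original inside host."""
    fwd = forward_flow(inside_host, internet_host)
    rev = reverse_flow(internet_host, inside_host, outside_acl)
    if rev["src"] != fwd["dst"] or rev["dst"] != inside_host:
        return "denied due to NAT reverse path failure (forward dst %s, reverse src %s)" % (fwd["dst"], rev["src"])
    return "allowed"

if __name__ == "__main__":
    # The flow from the error message, under both ACLs.
    print(reverse_path_check("10.40.1.7", "18.104.22.168", ANY_ANY_ACL))
    print(reverse_path_check("10.40.1.7", "18.104.22.168", NARROW_ACL))
    # The inbound partner flow the OP actually wants translated still gets 10.2.2.1 as its source.
    print(reverse_flow("203.0.113.10", "10.40.1.100", NARROW_ACL))
```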