Outside NAT Query

Answered Question
Aug 3rd, 2010
Hi halijenn / experts,

I have configured outside NAT on an ASA so that traffic sourced from a public IP on the internet is NATted to a private IP on the inside.
Following is the error:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.40.1.7/4191 dst outside:219.85.5.94/80 denied due to NAT reverse path failure


Following is the config:

access-list OUT_NAT extended permit ip any any

global (inside) 2 10.2.2.1 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.40.0.0 255.255.0.0
nat (outside) 2 access-list OUT_NAT outside

Now, my query: I believe it is most probably not working due to the "ip any any" mentioned in the access-list, and changing it should resolve the issue.
Please let me know if I am thinking correctly; however, I am not sure why it would affect the outbound traffic. I believe it should not work for inbound traffic.

Nagaraja Thanthry Tue, 08/03/2010 - 05:55

Hello,

You are correct. By saying "ip any any" you have instructed the firewall that all external IP (internet IP) should be NAT'ed to the inside interface IP. Now, you are trying to open a connection to a public IP which does not exist for the inside subnet. You need to modify the access-list line so that only specific hosts get NAT'ed.

Hope this helps.

Regards,

NT

ankurs2008 Tue, 08/03/2010 - 20:05

Hi NT

Please let me know the packet flow for the same. I am not able to understand whether this will work for the inbound traffic or not. Also, for the outbound traffic, will it face issues when the packet is coming back from the internet?

Correct Answer
Nagaraja Thanthry Tue, 08/03/2010 - 20:18

Hello Ankur,

When you are trying to access an internet IP from the inside, the traffic hits the firewall with source IP being your internal IP and destination IP being an internet IP. When the packet exits the firewall, its source IP will be natted to the interface IP (outside interface IP). However, there is no rule to convert the destination IP (there is no destination NAT configured), so the destination IP will be unchanged.

When the return traffic hits the firewall, the source IP will be the internet server's IP and destination IP will be that of the outside interface of the firewall. Now, as per the configuration you have, the source IP will be converted to inside interface IP and destination IP (outside interface IP) will be converted to corresponding inside host IP (based on xlate entry).

Now if you notice the two parts, when the traffic exits your firewall towards the internet, the destination IP is unchanged; however, when the reply traffic enters the firewall and exits towards your LAN, the source IP will be NAT'ed. This is asymmetric in nature. Hence the firewall will complain about it and it will block the traffic.

Hope this helps.

Regards,

NT

ankurs2008 Wed, 08/04/2010 - 03:56

Hi NT

Perfect explanation!! I also wanted to know whether the inbound traffic will work with "permit ip any any" or not with the same configuration. Also, if I modify the access-list with "permit ip any <Public IP>" in the conditional NAT for the inbound traffic, am I supposed to use the Public IP (NATted IP of the inside server), or can I use the Private IP as well?

ankurs2008 Thu, 08/05/2010 - 00:55

Hi NT

It will be really helpful if you can throw some light on the query below.

Nagaraja Thanthry Thu, 08/05/2010 - 06:08

Hello Ankur,

Typically, when you NAT outside traffic entering your network, it is done to a specific destination (a server) or a specific IP address is natted to inside IP address (server is on the outside). You do not NAT all internet traffic to inside interface IP as that would lead to asymmetric NAT rules. Also, once you define the NAT rules, technically you are saying that your internal hosts should not be seeing any public IP addresses. If that is the case, then you will not be able to browse any public sites with their own IP address. Can you shed some light on the reasons behind configuring destination NAT?

Regards,

NT

ankurs2008 Fri, 08/06/2010 - 04:18

Hi NT

Thanks for the explanation! I understood the same. I have a generic question as mentioned below.

My query is that when a packet is going from Inside to Outside and while the packet is returning back (reply), does it need to undergo the NAT check again? Over here, I mean to say that before a connection is built, is it like the packet will analyze the translations for return traffic beforehand, i.e. which path it will take?

I have gone through the discussion below where it is mentioned "ASA doesn't seem to have a notion of state associated with NATs where assumed SNAT on reverse for a static DNAT forward, overrides exempt on the return". Is it true?

https://supportforums.cisco.com/thread/1003401 (Denied due to NAT reverse path failure)

Nagaraja Thanthry Fri, 08/06/2010 - 06:40

Hello Ankur,

In your case, when you configure

global (inside) 1 interface

nat (outside) 1 0.0.0.0 0.0.0.0

Essentially, what you are saying is that all internet traffic comes to inside subnet via NAT (no public IP is visible). In such a scenario, the only address that is visible to your inside subnet is your inside interface IP. Hence when you try to access any other address, the firewall complains. The error message may not indicate the correct scenario but essentially, the firewall is complaining that the public IP you are using is not valid as there is a conflicting reverse path NAT statement.

Hope this helps.

Regards,

NT

ankurs2008 Sun, 08/08/2010 - 04:32

Hi NT,

Thanks again for the explanation!! I understood the implications; however, coming back to inbound traffic for the same scenario, I have 2 queries:

1) I agree that we should not use "permit ip any any" for the inbound traffic (applied to conditional NAT); however, will the inbound traffic work at all with this ACL?

2) Also, if I modify the access-list with "permit ip any <Public IP>" in the conditional NAT for the inbound traffic, am I supposed to use the Public IP (NATted IP of the inside server), or can I use the Private IP as well (as there will already be a static NAT for the destination translation)?

Correct Answer
Nagaraja Thanthry Sun, 08/08/2010 - 11:20

Hello,

With the way you have configured (permit ip any any) you will not be able to browse internet from inside. However, outside clients can access your inside server without any issue. To answer your second question, you need to use the private IP in the access-list as the NAT rule is applied before traffic exits your inside interface.

Hope this helps.

Regards,

NT
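The two answers above (the forward/reverse packet-flow walkthrough for the outbound connection, and the reply about inbound traffic and using the private IP in the access-list) can be checked against a small model of the reverse-path check. The script below is an added example and is not code from the thread or from Cisco; it is a simplified model of how the ASA compares the forward translation of a new connection with the translation it would pick for the reply, not the real ASA implementation. It uses the thread's own values (10.40.0.0/16, 10.2.2.1, 219.85.5.94, 10.40.1.7) and assumes constructed lab addresses for the outside interface (203.0.113.1), an inside server (10.40.1.100) and a static for that server (203.0.113.10); the `check_flow` function and the rule classes are mine.

```python
"""Toy model of the ASA (pre-8.3 syntax) forward/reverse NAT lookup.

Added example, not Cisco code. Only 10.40.0.0/16, 10.2.2.1, 10.40.1.7 and
219.85.5.94 come from the thread; everything else is a constructed lab value.
"""
import ipaddress
from dataclasses import dataclass

# Constructed lab values (assumptions, not from the thread)
OUTSIDE_IF = "203.0.113.1"      # address behind "global (outside) 1 interface"
SERVER_PRIVATE = "10.40.1.100"  # assumed inside server
SERVER_PUBLIC = "203.0.113.10"  # assumed static mapping for that server
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class DynamicRule:
    ingress: str     # interface the real source sits on
    src: str         # nat statement / policy ACL source match
    dst: str         # policy ACL destination match (ANY for a plain nat statement)
    mapped_src: str  # global address the source becomes on the far side


@dataclass(frozen=True)
class StaticRule:
    real_iface: str
    real: str
    mapped: str


def in_net(net, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def build_rules(out_nat_acl_dst):
    """The thread's config; out_nat_acl_dst is the destination in access-list OUT_NAT."""
    dynamic = [
        # nat (inside) 1 10.40.0.0 255.255.0.0  +  global (outside) 1 interface
        DynamicRule("inside", "10.40.0.0/16", ANY, OUTSIDE_IF),
        # nat (outside) 2 access-list OUT_NAT outside  +  global (inside) 2 10.2.2.1
        DynamicRule("outside", ANY, out_nat_acl_dst, "10.2.2.1"),
    ]
    # Assumed static for the inside server so inbound connections have a target
    static = [StaticRule("inside", SERVER_PRIVATE, SERVER_PUBLIC)]
    return dynamic, static


def untranslate_dst(static, dst):
    """A packet addressed to a static's mapped address is rewritten to the real one first."""
    for s in static:
        if s.mapped == dst:
            return s.real
    return dst


def translate_src(dynamic, static, ingress, src, dst):
    """Source translation for a packet entering `ingress`; statics win over dynamic rules."""
    for s in static:
        if s.real_iface == ingress and s.real == src:
            return s.mapped
    for r in dynamic:
        if r.ingress == ingress and in_net(r.src, src) and in_net(r.dst, dst):
            return r.mapped_src
    return src  # no rule matched: identity


def check_flow(src, dst, ingress, egress, out_nat_acl_dst=ANY):
    """Forward lookup for the first packet, then the lookup the reply would get."""
    dynamic, static = build_rules(out_nat_acl_dst)
    real_dst = untranslate_dst(static, dst)
    mapped_src = translate_src(dynamic, static, ingress, src, real_dst)
    # The reply travels real_dst -> mapped_src and enters on `egress`. Translating its
    # source tells us which address the original sender should have used as destination.
    expected_dst = translate_src(dynamic, static, egress, real_dst,
                                 untranslate_dst(static, mapped_src))
    if expected_dst != dst:
        return {"verdict": "drop", "mapped_src": mapped_src,
                "reason": f"reverse flow maps {real_dst} to {expected_dst}, sender used {dst}"}
    return {"verdict": "allow", "mapped_src": mapped_src,
            "reason": "forward and reverse xlates agree"}


def scenarios():
    """The cases discussed in the thread, with the ACL as posted and as NT suggests."""
    return {
        "outbound, ACL any any": check_flow("10.40.1.7", "219.85.5.94", "inside", "outside"),
        "outbound, ACL host <private>": check_flow("10.40.1.7", "219.85.5.94", "inside",
                                                  "outside", SERVER_PRIVATE + "/32"),
        "inbound, ACL any any": check_flow("219.85.5.94", SERVER_PUBLIC, "outside", "inside"),
        "inbound, ACL host <private>": check_flow("219.85.5.94", SERVER_PUBLIC, "outside",
                                                 "inside", SERVER_PRIVATE + "/32"),
        "inbound, ACL host <public>": check_flow("219.85.5.94", SERVER_PUBLIC, "outside",
                                                "inside", SERVER_PUBLIC + "/32"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} {result['verdict']:5s} src->{result['mapped_src']:13s} {result['reason']}")
```

With the ACL as posted the outbound connection is dropped because the reply's source would be translated to 10.2.2.1 while the inside host addressed 219.85.5.94, which is the mismatch the "Asymmetric NAT rules" message reports; with the destination narrowed to the server's private address the outbound check passes, inbound connections to the server are still translated to 10.2.2.1, and an ACL written with the public address never matches because the static is undone before the policy ACL is evaluated.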

Correct Answer
Kureli Sankar Sun, 08/08/2010 - 17:37

Ankur,

When you PAT a network on the inside to the outside interface address of the ASA, no host can reach the individual host on the inside because they are all hiding behind the PAT pool - correct?

So, when you hide the whole internet behind a PAT address (inside interface) the same rule applies. How can the inside hosts reach out to yahoo and google when they are all hiding behind a PAT pool?

Does this make sense?

-KS
