Assymetrical NAT issue

anunes1987 (Level 1)

I'm having a problem and I'm not sure how to fix it.

I have one server which handles antivirus and updates for all machines, but there are two devices which this server is unable to access, only these two.

These servers are the DNS and web server at the other site, but they don't receive automatic updates. When I access my antivirus server and try to ping those two I get:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmz2:Servereb dst inside:10.1.1.55 (type 8, code 0) denied due to NAT reverse path failure

Those servers have a static NAT to the outside with a public address.

Server --- Firewall ---- Router ----- Firewall --- WEB server
                                                   DNS SERVER

I don't know what to do to solve this problem... please help...

If you need any other information let me know, thanks!


7 Replies

Nagaraja Thanthry (Cisco Employee)

Hello,

Can you post the output of the "show run nat" and "show run static" commands here? Please x-out any public IP addresses.

Thanks,

NT

anunes1987

The two servers involved are WEB (WEB DMZ is the internal IP, WEB pub the public address); the others are OK!

Thanks in advance for your help.

SPOFWL01# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Ws 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 DMZ_MSP 255.255.255.255
SPOFWL01# sh run stat
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB 82 netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB 81 netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB https DMZ_WEB https netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB www netmask 255.255.255.255
static (dmz2,inside) 172.16.50.23 172.16.50.23 netmask 255.255.255.255
static (inside,dmz2) EXC Srvr_EXC netmask 255.255.255.255
static (inside,dmz2) Srvr_SIS SIS netmask 255.255.255.255
static (inside,dmz2) Srvr_EXC EXC netmask 255.255.255.255
static (dmz2,inside) PMSP DMZ_PMSP netmask 255.255.255.255
static (inside,outside) 189.39.32.35 172.16.1.250 netmask 255.255.255.255
static (inside,outside) 189.39.32.39 172.16.1.225 netmask 255.255.255.255
static (dmz2,outside) PUB_SPMSP DMZ_PMSP netmask 255.255.255.255 dns
static (dmz2,inside) DMZ_WEB DMZ_WEB netmask 255.255.255.255
static (dmz2,outside) PUB_DNS DMZ_DNS netmask 255.255.255.255
static (inside,dmz2) 10.21.4.11 10.21.4.11 netmask 255.255.255.255
static (inside,dmz2) Srvr_AMG Srvr AMG netmask 255.255.255.255
static (inside,dmz2) 10.21.4.32 10.21.4.32 netmask 255.255.255.255
static (inside,dmz2) EXC exc netmask 255.255.255.255
static (inside,dmz2) 10.21.4.76 10.21.4.76 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.21 10.21.1.21 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.22 10.21.1.22 netmask 255.255.255.255
static (inside,dmz2) DMZ_PMRJ DMZ_PMRJ netmask 255.255.255.255
static (inside,dmz2) 10.21.4.91 10.21.4.91 netmask 255.255.255.255
static (inside,dmz2) Srvr_WEB Srvr_WEB netmask 255.255.255.255
static (inside,dmz2) 10.21.4.77 10.21.4.77 netmask 255.255.255.255

In the error I posted I wrote the wrong IP. The error reads as follows:

dmz2:DMZ_WEB dst inside:10.21.4.53 (type 8, code 0) denied due to NAT reverse path failure

Nagaraja Thanthry

Hello,

Can you also post the output of the "show run global" and "show run access-list inside_nat0_outbound" commands?

Regards,

NT

anunes1987

sh run global
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
sh run access-list inside_nat0__outbound
ERROR: access-list does not exist

=) Thanks

Nagaraja Thanthry (Accepted Solution)

Hello,

It seems like when the traffic from inside comes to DMZ2, it will take the DMZ2 interface IP. But when you are trying to access the inside server from DMZ2, you are trying its original IP address. Please try the following:

access-list inside_nat0_outbound permit ip "inside subnet" "mask" host "DMZ2 Server IP"

This will ensure that the inside devices use their own IP when communicating with the DMZ2 server. That should address the error message you are getting.

Hope this helps.

Regards,

NT
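The following is an added example, not code from the thread or from Cisco. It is a small Python model of the pre-8.3 ASA NAT rule precedence (nat 0 exemption first, then static, then dynamic nat/global) and of the reverse-path check that produces the "Asymmetric NAT rules matched for forward and reverse flows" message. It parses a subset of the nat/global/static lines posted above and shows why a connection from DMZ_WEB to the inside host 10.21.4.53 is dropped (the reverse flow would be PATed to the dmz2 interface address by "nat (inside) 1 0.0.0.0 0.0.0.0" plus "global (dmz2) 1 interface"), why a host with an identity static such as 10.21.4.11 is not affected, and what the suggested exemption changes. The thread's "name" statements were not posted, so the addresses for DMZ_WEB, DMZ_MSP and the interfaces are constructed placeholders, and 10.21.4.0/24 is assumed as the "inside subnet" from the 10.21.4.x hosts in the static list. Note also that the "show run access-list" reply above came back "does not exist" for the name as typed there (inside_nat0__outbound, with a doubled underscore); the nat 0 statement references inside_nat0_outbound, so the exemption ACL either has no entries or was queried under the wrong name.

```python
"""Toy model of pre-8.3 ASA NAT precedence and the reverse-path check.
Added example; not part of the thread. Addresses in NAMES, IFACE_IP and the
10.21.4.0/24 inside subnet are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field

# Constructed name table (the thread's 'name' statements were not posted).
NAMES = {"DMZ_WEB": "172.16.50.10", "DMZ_MSP": "172.16.50.30"}
# Constructed interface addresses, needed to resolve 'global (x) 1 interface'.
IFACE_IP = {"inside": "10.21.4.1", "dmz2": "172.16.50.1", "outside": "203.0.113.1"}


def ip(tok):
    return ipaddress.ip_address(NAMES.get(tok, tok))


def net(addr_tok, mask_tok):
    return ipaddress.ip_network(f"{NAMES.get(addr_tok, addr_tok)}/{mask_tok}", strict=False)


@dataclass
class Config:
    exempt_acl: dict = field(default_factory=dict)  # acl name -> [(src net, dst net)]
    nat0: dict = field(default_factory=dict)        # interface -> exemption acl name
    nat_dyn: list = field(default_factory=list)     # (interface, nat id, real net)
    globals_: dict = field(default_factory=dict)    # (interface, nat id) -> mapped address
    statics: list = field(default_factory=list)     # (real_if, mapped_if, mapped net, real net)


def parse(text):
    """Parse nat / global / static / access-list lines in the shapes the thread uses."""
    cfg = Config()
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src = net(t[4], t[5])
            dst = ipaddress.ip_network(f"{ip(t[7])}/32") if t[6] == "host" else net(t[6], t[7])
            cfg.exempt_acl.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            iface = t[1].strip("()")
            if t[2] == "0" and t[3] == "access-list":
                cfg.nat0[iface] = t[4]
            else:
                cfg.nat_dyn.append((iface, t[2], net(t[3], t[4])))
        elif t[0] == "global":
            iface = t[1].strip("()")
            cfg.globals_[(iface, t[2])] = ip(IFACE_IP[iface] if t[3] == "interface" else t[3])
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            cfg.statics.append((real_if, mapped_if, net(t[2], mask), net(t[3], mask)))
    return cfg


def mapped_source(cfg, src, src_if, dst, dst_if):
    """Address that src (on src_if) appears with on dst_if, in pre-8.3 precedence:
    nat 0 exemption, then static, then dynamic nat/global; no match = untranslated."""
    for s_net, d_net in cfg.exempt_acl.get(cfg.nat0.get(src_if), []):
        if src in s_net and dst in d_net:
            return src
    for real_if, mapped_if, mapped_net, real_net in cfg.statics:
        if real_if == src_if and mapped_if == dst_if and src in real_net:
            return mapped_net.network_address + (int(src) - int(real_net.network_address))
    for iface, nat_id, real_net in cfg.nat_dyn:
        if iface == src_if and src in real_net and (dst_if, nat_id) in cfg.globals_:
            return cfg.globals_[(dst_if, nat_id)]
    return src


def check_connection(cfg, src, src_if, dst, dst_if):
    """Reverse-path check for a packet from src to dst's real address: dst must be
    reachable at that same address when it replies toward src, else the flows are asymmetric."""
    fwd = mapped_source(cfg, src, src_if, dst, dst_if)
    expected_dst = mapped_source(cfg, dst, dst_if, src, src_if)
    if expected_dst != dst:
        return False, (f"Asymmetric NAT rules matched for forward and reverse flows; "
                       f"{src_if}:{src} -> {dst_if}:{dst} denied (reverse path would use {expected_dst})")
    return True, f"{src_if}:{src} -> {dst_if}:{dst} ok (source seen as {fwd})"


# Subset of the nat/global/static lines posted in the thread (names kept as posted).
POSTED = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 DMZ_MSP 255.255.255.255
global (outside) 1 interface
global (dmz2) 1 interface
static (dmz2,inside) DMZ_WEB DMZ_WEB netmask 255.255.255.255
static (inside,dmz2) 10.21.4.11 10.21.4.11 netmask 255.255.255.255
"""
# The accepted answer's exemption with its placeholders filled in (assumed values):
# "inside subnet" = 10.21.4.0/24, "DMZ2 Server IP" = DMZ_WEB.
FIXED = POSTED + "access-list inside_nat0_outbound permit ip 10.21.4.0 255.255.255.0 host DMZ_WEB\n"


def connection_allowed(config_text, src_tok, src_if, dst_tok, dst_if):
    return check_connection(parse(config_text), ip(src_tok), src_if, ip(dst_tok), dst_if)[0]


if __name__ == "__main__":
    for label, text in (("posted config", POSTED), ("with nat 0 exemption", FIXED)):
        for host in ("10.21.4.53", "10.21.4.11"):
            print(label + ":", check_connection(parse(text), ip("DMZ_WEB"), "dmz2", ip(host), "inside")[1])
```

Running the block prints a denial for 10.21.4.53 under the posted configuration, a pass for 10.21.4.11 (its identity static keeps the reverse translation equal to the real address), and passes for both once the exemption is in place. On the firewall itself the equivalent check is "show run access-list inside_nat0_outbound" with the name spelled exactly as in the nat 0 statement, followed by packet-tracer from the dmz2 interface toward the inside host's real address, which reports the NAT phase that drops or passes the flow.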

anunes1987

Thanks, I will test it!