Asymmetric NAT rules matched for forward and reverse flows

Answered Question
Oct 22nd, 2010

We are trying to send netflow from our internet router (64.xx.xx.1) to an inside netflow collector (10.10.xx.81).

The following are flow export config and static ip route on internet router.

ip flow-export source GigabitEthernet0/1
ip flow-export version 9 peer-as
ip flow-export destination 10.10.xx.81 2055

ip route 10.10.xx.81 255.255.255.255 64.xx.xx.2 (64.xx.xx.2 is outside interface of ASA5520)

The following is the ACL on the ASA5520 which I see hits on.

access-list OUTSIDE extended permit udp host 64.xx.xx.1 host 10.10.xx.81 eq 2055

I now see the following log messages on ASA5520

5 Oct 22 2010 08:44:50 10.10.xx.81 2055 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:64.xx.xx.1/50847 dst inside:10.10.xx.81/2055 denied due to NAT reverse path failure

dancicioiu Fri, 10/22/2010 - 06:16

Hi,

Try disabling the NAT on the ASA for the flows between the router and the host:

nat (inside) 0 access-list NONAT
access-list NONAT permit ip host 10.10.2.81 host 64.xx.xx.1

Dan

fasteddye Fri, 10/22/2010 - 06:35

What would adding the following do?

access-list inside_nat0_outbound extended permit ip any 10.10.2.81 255.255.255.255

I added that and the log messages stopped happening and then I removed it and now I don’t see hits on the ACL anymore.

fasteddye Fri, 10/22/2010 - 06:57

For whatever reason after adding and then removing the following, I no longer see hits on ACL and nothing in log messages for 10.xx.xx.81 (collector IP).

access-list inside_nat0_outbound extended permit ip any 10.10.2.81 255.255.255.255

I changed interface names on the show nat below, hope that doesn’t confuse.

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

nat (ABC123) 168 192.168.0.0 255.255.0.0 outside

nat (DEF456) 0 access-list DEF456_nat0_dmzbound

nat (DEF456) 231 10.231.0.0 255.255.0.0

nat (DMZ) 0 access-list DMZ_nat0_outbound

nat (GHI789) 0 access-list GHI789_nat0_outbound

nat (JKL012) 0 access-list JKL012_nat0_outbound

dancicioiu Fri, 10/22/2010 - 07:09

You should configure
access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.x.x.1

Then check if the flows are received on the collector.

Dan

fasteddye Fri, 10/22/2010 - 07:33

I added the suggested nat exempt and the collector is receiving flow.

I however do not see hits on the ACL on ASA5520. Is that normal?

pkampana Fri, 10/22/2010 - 07:49

Yeah, if you have a UDP flow up and passing traffic you will not see the ACL incrementing; you would need to stop the flow, and then you would see 1 increment while the flow was up. So only the first UDP NetFlow packet hits the ACL, and after that the traffic goes through using the existing flow (no ACL hit).

I hope it makes sense.

PK

fasteddye Fri, 10/22/2010 - 08:00

After adding that NAT exempt, my NAT view in ASDM looks different.

I used to see NAT exempts lumped together but things look different.

fasteddye Fri, 10/22/2010 - 09:51

After adding the following command, all the NAT exempts on the inside interface were gone/not working. They would show up in the CLI but not in ASDM. I had not saved changes, so rebooting the firewall brought things back to normal. Now I am a little nervous about adding the command again.

Could having it be protocol udp vs ip make a difference? All the other NAT exempt on inside interface are protocol ip.

access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.xx.xx.1

Should I try adding again or add it with protocol ip?

Thanks.

fasteddye Fri, 10/22/2010 - 18:17

I am looking to see if I am comprehending correctly. I have read that only the ip protocol is allowed in a NAT exempt access-list. NAT exemption is evaluated on source and destination and not on IP protocols or port numbers.

Does that mean this config should use ip instead of udp?

access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.xx.xx.1

Thanks for clarification.

Correct Answer
apothula Sat, 10/23/2010 - 04:18

Yes, you should use IP instead of UDP in the ACL you pasted.

apothula Sat, 10/23/2010 - 04:20

1 more thing, you won't see hit counts on this ACL.

For ex,

nat (inside) 0 access-list nat-exempt

access-list nat-exempt permit ip host x.x.x.x host y.y.y.y (hit count=0)
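The thread's conclusion, exemption ACLs are keyed on protocol ip and matched on source and destination only, as an added example in Python. This is not code from the thread or from Cisco: it lints a pre-8.3 ASA config for `nat (iface) 0 access-list` entries whose ACEs use something other than `ip`, pulls the interface/host pair out of a "NAT reverse path failure" log line, and prints the exemption ACE that the thread ended up with. The config fragment, the log text, the addresses (64.100.0.1, 10.10.2.81) and all function names are constructed for illustration.

```python
"""Lint pre-8.3 ASA NAT-exemption ACLs and explain a reverse-path failure.

Added example, not code from the thread or from Cisco. The config, log line
and addresses below are constructed; the 'nat (iface) 0 access-list' syntax
is assumed, matching the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed config fragment: one exemption ACE with the wrong protocol (udp),
# one with the right one (ip), plus the ordinary inbound ACL from the thread.
SAMPLE_CONFIG = """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.100.0.1
access-list inside_nat0_outbound extended permit ip 10.10.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list OUTSIDE extended permit udp host 64.100.0.1 host 10.10.2.81 eq 2055
"""

# Constructed copy of the syslog text quoted in the thread, with example addresses.
SAMPLE_LOG = ("Asymmetric NAT rules matched for forward and reverse flows; "
              "Connection for udp src outside:64.100.0.1/50847 "
              "dst inside:10.10.2.81/2055 denied due to NAT reverse path failure")

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$")
LOG_RE = re.compile(r"src (\S+):([\d.]+)/\d+ dst (\S+):([\d.]+)/\d+ "
                    r"denied due to NAT reverse path failure")


@dataclass
class Ace:
    acl: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ASA address spec: 'host A', 'any', or 'A MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA writes dotted netmasks; ipaddress accepts 'A/255.255.255.0'.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text: str) -> Tuple[Dict[str, str], List[Ace]]:
    """Return {interface: exemption ACL name} and every permit ACE found."""
    nat0: Dict[str, str] = {}
    aces: List[Ace] = []
    for line in text.splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := ACE_RE.match(line):
            acl, proto, rest = m.groups()
            src, rest_tokens = parse_addr(rest.split())
            dst, _ = parse_addr(rest_tokens)  # trailing 'eq 2055' etc. is ignored
            aces.append(Ace(acl, proto, src, dst))
    return nat0, aces


def lint_nat0(nat0: Dict[str, str], aces: List[Ace]) -> List[Ace]:
    """ACEs referenced by a 'nat ... 0 access-list' whose protocol is not 'ip'.

    Exemption is matched on source/destination only; the poster saw a udp
    ACE make the other exemptions on that interface vanish from ASDM.
    """
    exempt = set(nat0.values())
    return [a for a in aces if a.acl in exempt and a.proto != "ip"]


def parse_failure(log_line: str) -> Optional[Dict[str, str]]:
    """Pull interfaces and addresses out of a 'NAT reverse path failure' line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    return {"src_if": m.group(1), "src": m.group(2),
            "dst_if": m.group(3), "dst": m.group(4)}


def exemption_for(nat0, aces, inside_if, inside_host, outside_host) -> Optional[Ace]:
    """The 'ip' ACE on inside_if's exemption ACL covering inside->outside, if any."""
    acl = nat0.get(inside_if)
    ih, oh = ipaddress.ip_address(inside_host), ipaddress.ip_address(outside_host)
    for a in aces:
        if a.acl == acl and a.proto == "ip" and ih in a.src and oh in a.dst:
            return a
    return None


def suggested_ace(nat0, inside_if, inside_host, outside_host) -> str:
    """The ACE the thread ended up with: protocol ip, real inside host first."""
    acl = nat0.get(inside_if, f"{inside_if}_nat0_outbound")
    return f"access-list {acl} extended permit ip host {inside_host} host {outside_host}"


if __name__ == "__main__":
    nat0, aces = parse_config(SAMPLE_CONFIG)
    for bad in lint_nat0(nat0, aces):
        print(f"non-ip exemption ACE in {bad.acl}: {bad.proto} {bad.src} -> {bad.dst}")
    fail = parse_failure(SAMPLE_LOG)
    if fail and not exemption_for(nat0, aces, fail["dst_if"], fail["dst"], fail["src"]):
        print("no ip exemption covers this pair; add:")
        print("  " + suggested_ace(nat0, fail["dst_if"], fail["dst"], fail["src"]))
```

Note the direction: the log line shows the connection arriving from outside, but the exemption ACE on `nat (inside) 0` is written from the inside host's point of view, so the log's destination becomes the ACE's source. The linter only flags the protocol keyword, as the thread does; it does not model how the ASA orders or merges exemption entries.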

Posted October 22, 2010 at 6:13 AM