Asymmetric NAT rules matched for forward and reverse flows

Answered Question
Oct 22nd, 2010

We are trying to send netflow from our internet router (64.xx.xx.1) to an inside netflow collector (10.10.xx.81).

The following are the flow export config and the static IP route on the internet router.

ip flow-export source GigabitEthernet0/1
ip flow-export version 9 peer-as
ip flow-export destination 10.10.xx.81 2055

ip route 10.10.xx.81 64.xx.xx.2 (64.xx.xx.2 is outside interface of ASA5520)

The following is the ACL on the ASA5520 which I see hits on.

access-list OUTSIDE extended permit udp host 64.xx.xx.1 host 10.10.xx.81 eq 2055

I now see the following log messages on ASA5520

5    Oct 22 2010    08:44:50        10.10.xx.81    2055            Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:64.xx.xx.1/50847 dst inside:10.10.xx.81/2055 denied due to NAT reverse path failure
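Added example, not part of the original question or the thread: a small parser for the ASA denial message quoted above, so that lines like it can be pulled out of a syslog archive and grouped by the inside host that is being denied. The regex follows the wording of the quoted message; the sample lines below are constructed (the documentation address 203.0.113.1 stands in for the router), except for the first one, which is the thread's own line with its masked addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Body of the "Asymmetric NAT rules matched" message as quoted in the thread.
# Addresses are captured with [\w.]+ so masked values such as 64.xx.xx.1 parse too.
FLOW_RE = re.compile(
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\w.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r"denied due to (?P<reason>.+?)\s*$"
)


@dataclass(frozen=True)
class NatDenial:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    reason: str


def parse_nat_denial(line: str) -> Optional[NatDenial]:
    """Return the flow details if `line` is an asymmetric-NAT denial, else None."""
    if "Asymmetric NAT rules matched" not in line:
        return None
    m = FLOW_RE.search(line)
    if not m:
        return None
    return NatDenial(
        proto=m["proto"].lower(),
        src_if=m["src_if"], src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        reason=m["reason"],
    )


def denied_destinations(lines: Iterable[str]) -> Dict[Tuple[str, str, int], int]:
    """Count denials per (protocol, destination address, destination port).

    Each key is an inside service whose NAT exemption / nat 0 entry needs checking."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_nat_denial(line)
        if d is not None:
            counts[(d.proto, d.dst_ip, d.dst_port)] += 1
    return dict(counts)


# Constructed sample log: the thread's line plus made-up ones; not real captures.
SAMPLE_LOG = [
    "5 Oct 22 2010 08:44:50 10.10.xx.81 2055 Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src outside:64.xx.xx.1/50847 dst inside:10.10.xx.81/2055 denied due to NAT reverse path failure",
    "5 Oct 22 2010 08:45:20 10.10.0.81 2055 Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src outside:203.0.113.1/50848 dst inside:10.10.0.81/2055 denied due to NAT reverse path failure",
    "5 Oct 22 2010 08:45:25 10.10.0.81 2055 Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src outside:203.0.113.1/50849 dst inside:10.10.0.81/2055 denied due to NAT reverse path failure",
    "6 Oct 22 2010 08:45:30 constructed unrelated message that the parser must ignore",
]

if __name__ == "__main__":
    for (proto, ip, port), n in denied_destinations(SAMPLE_LOG).items():
        print(f"{n} denial(s) for {proto} to {ip}:{port} -> review the nat 0 exemption covering this host")
```

Grouping by destination rather than by source is deliberate: the fix in this thread is applied to the inside host's NAT exemption, so that is the key an operator needs when working through a day of logs.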

Dan-Ciprian Cicioiu Fri, 10/22/2010 - 06:16
User Badges:
  • Gold, 750 points or more

Hi,

try disabling the nat on ASA for the flows between the router and the host:

nat (inside) 0 access-list NONAT
access-list NONAT permit ip host host 64.xx.xx.1


fasteddye Fri, 10/22/2010 - 06:35

What would adding the following do?

access-list inside_nat0_outbound extended permit ip any

I added that and the log messages stopped happening and then I removed it and now I don’t see hits on the ACL anymore.

fasteddye Fri, 10/22/2010 - 06:57

For whatever reason after adding and then removing the following, I no longer see hits on ACL and nothing in log messages for 10.xx.xx.81 (collector IP).

access-list inside_nat0_outbound extended permit ip any

I changed interface names on the show nat below, hope that doesn’t confuse.

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10

nat (ABC123) 168 outside

nat (DEF456) 0 access-list DEF456_nat0_dmzbound

nat (DEF456) 231

nat (DMZ) 0 access-list DMZ_nat0_outbound

nat (GHI789) 0 access-list GHI789_nat0_outbound

nat (JKL012) 0 access-list JKL012_nat0_outbound

Dan-Ciprian Cicioiu Fri, 10/22/2010 - 07:09
User Badges:
  • Gold, 750 points or more

You should configure


access-list inside_nat0_outbound extended permit udp host host 64.x.x.1

Then check if the flows are received on the collector.


fasteddye Fri, 10/22/2010 - 07:33

I added the suggested nat exempt and the collector is receiving flow.

I however do not see hits on the ACL on ASA5520. Is that normal?

Panos Kampanakis Fri, 10/22/2010 - 07:49
User Badges:
  • Cisco Employee,

Yeah, if you have a UDP flow up and passing traffic you will not see ACL incrementing, you would need to stop the flow and then you would see 1 increment while the flow was up. So, only the first udp netflow packet hits the ACL and then it goes through using the existing flow (no ACL hit).

I hope it makes sense.

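Added example, not from the thread or from Cisco: a toy model of the behaviour Panos describes, written to make the hit-count observation concrete. A packet that belongs to an existing connection (in either direction) never reaches the interface ACL; only the packet that creates the connection increments the ACE. The addresses and the scenario are constructed (203.0.113.1 is a documentation address standing in for the router).

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Ace:
    """One access-list entry: permit <proto> host <src> host <dst> [eq <port>]."""
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    hits: int = 0

    def matches(self, f: Flow) -> bool:
        return (
            self.proto in ("ip", f.proto)
            and self.src_ip == f.src_ip
            and self.dst_ip == f.dst_ip
            and (self.dst_port is None or self.dst_port == f.dst_port)
        )


class StatefulFirewall:
    """Simplified model: the ACL is consulted only when no connection exists for the
    packet; later packets of the same flow, and replies, use the existing connection."""

    def __init__(self, acl: List[Ace]):
        self.acl = acl
        self.conns: Set[Flow] = set()

    def process(self, pkt: Flow) -> str:
        if pkt in self.conns or pkt.reverse() in self.conns:
            return "existing-connection"          # no ACL lookup, no hit count change
        for ace in self.acl:
            if ace.matches(pkt):
                ace.hits += 1                     # the only moment the counter moves
                self.conns.add(pkt)
                return "permitted-new-connection"
        return "denied"

    def clear_connection(self, pkt: Flow) -> None:
        """Stand-in for the UDP connection idling out or being cleared."""
        self.conns.discard(pkt)
        self.conns.discard(pkt.reverse())


def netflow_scenario() -> dict:
    """Constructed scenario: the router exports NetFlow to a collector on
    10.10.0.81:2055; the OUTSIDE ACL permits udp to that port. Returns the counts."""
    ace = Ace(proto="udp", src_ip="203.0.113.1", dst_ip="10.10.0.81", dst_port=2055)
    fw = StatefulFirewall([ace])
    export = Flow("udp", "203.0.113.1", 50847, "10.10.0.81", 2055)
    results = [fw.process(export) for _ in range(10)]   # ten datagrams, one flow
    hits_while_up = ace.hits
    fw.clear_connection(export)                           # flow times out
    fw.process(export)                                    # next datagram re-evaluates the ACL
    return {
        "permitted_new": results.count("permitted-new-connection"),
        "fast_path": results.count("existing-connection"),
        "hits_while_up": hits_while_up,
        "hits_after_restart": ace.hits,
    }


if __name__ == "__main__":
    print(netflow_scenario())
```

The point for an operator: a zero or stale hit count on a permit entry does not mean the entry is unused while a long-lived UDP export flow is up; check the connection table instead of the ACL counters for such traffic.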

fasteddye Fri, 10/22/2010 - 08:00

After adding that NAT exempt, my NAT view in ASDM looks different.

I used to see NAT exempts lumped together but things look different.

fasteddye Fri, 10/22/2010 - 09:51

After adding the following command, all the NAT exempts on the inside interface were gone/not working. They would show up in the CLI but not in ASDM. I had not saved changes, so rebooting the firewall brought things back to normal. Now I am a little nervous about adding the command again.

Could having it be protocol udp vs ip make a difference? All the other NAT exempt on inside interface are protocol ip.

access-list inside_nat0_outbound extended permit udp host host 64.xx.xx.1

Should I try adding again or add it with protocol ip?


fasteddye Fri, 10/22/2010 - 18:17

I am looking to see if I am comprehending correctly. I have read that only the ip protocol is allowed in a NAT exempt access-list. NAT exemption is evaluated on source and destination and not on IP protocols or port numbers.

Does that mean this config should use ip instead of udp?

access-list inside_nat0_outbound extended permit udp host host 64.xx.xx.1

Thanks for clarification.

Correct Answer
apothula Sat, 10/23/2010 - 04:18
User Badges:
  • Bronze, 100 points or more

Yes, you should use IP instead of UDP in the ACL you pasted.

apothula Sat, 10/23/2010 - 04:20
User Badges:
  • Bronze, 100 points or more

One more thing: you won't see hit counts on this ACL.

For ex,

nat (inside) 0 access-list nat-exempt

access-list nat-exempt permit ip host x.x.x.x host y.y.y.y (hit count=0)

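Added example, not from the thread or from Cisco: a lint over a configuration dump that finds the situation this thread ran into, i.e. an access-list referenced by a `nat (ifc) 0 access-list` statement whose entries specify a protocol other than ip, or a port operator, which NAT exemption does not evaluate. The parsing covers the `access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]` shapes seen in the thread; the configuration fragment below is constructed (203.0.113.1 is a documentation address standing in for the router) and includes the udp entry that caused the trouble.

```python
import re
from typing import Dict, List

# nat (inside) 0 access-list inside_nat0_outbound
NAT0_RE = re.compile(r"^\s*nat \((?P<ifc>[\w-]+)\) 0 access-list (?P<acl>\S+)\s*$")

# access-list NAME [extended] permit|deny PROTO SRC DST [eq|gt|lt|neq PORT]
# SRC/DST are "host A.B.C.D", "any", or "A.B.C.D M.M.M.M".
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+)(?: extended)? (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)"
    r"(?: (?P<op>eq|gt|lt|neq) (?P<port>\S+))?\s*$"
)


def lint_nat_exemptions(config_lines: List[str]) -> List[str]:
    """Return one finding per NAT-exemption ACE that specifies more than source and
    destination, plus one for every nat 0 ACL that has no entries at all."""
    nat0_acls: Dict[str, str] = {}      # acl name -> interface it is bound to
    aces_by_acl: Dict[str, list] = {}   # acl name -> parsed entries
    for line in config_lines:
        m = NAT0_RE.match(line)
        if m:
            nat0_acls[m["acl"]] = m["ifc"]
            continue
        m = ACE_RE.match(line)
        if m:
            aces_by_acl.setdefault(m["acl"], []).append(m)

    findings: List[str] = []
    for acl, ifc in nat0_acls.items():
        entries = aces_by_acl.get(acl, [])
        if not entries:
            findings.append(f"nat ({ifc}) 0 references access-list {acl}, which has no entries")
        for m in entries:
            if m["proto"] != "ip":
                findings.append(
                    f"{acl} ({ifc}): protocol '{m['proto']}' in a NAT-exemption ACE; "
                    f"exemption is matched on source/destination only, use 'ip'"
                )
            if m["port"]:
                findings.append(
                    f"{acl} ({ifc}): port operator '{m['op']} {m['port']}' "
                    f"has no meaning in a NAT-exemption ACE"
                )
    return findings


# Constructed configuration fragment; not a real device dump.
SAMPLE_CONFIG = [
    "nat (inside) 0 access-list inside_nat0_outbound",
    "nat (DMZ) 0 access-list DMZ_nat0_outbound",
    "access-list inside_nat0_outbound extended permit ip host 10.10.0.81 host 203.0.113.1",
    "access-list inside_nat0_outbound extended permit udp host 10.10.0.81 host 203.0.113.1",
    "access-list OUTSIDE extended permit udp host 203.0.113.1 host 10.10.0.81 eq 2055",
]

if __name__ == "__main__":
    for f in lint_nat_exemptions(SAMPLE_CONFIG):
        print(f)
```

The interface ACL `OUTSIDE` is left alone on purpose: udp with `eq 2055` is correct there, because that ACL filters traffic, while the nat 0 list only decides which source/destination pairs are exempt from translation.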
