04-12-2012 08:05 PM - edited 03-11-2019 03:53 PM
G'day All,
I have just completed my first ASA install using 8.4 software. I was ok with 8.2 and prior for NAT, but I am running into an issue with the 8.4 setup.
I have a 5585 that is running multiple contexts; one of the contexts connects to a Cisco WLC on its inside interface. Wireless users are able to associate to the WLAN fine, but their DHCP server is upstream on the outside of the ASA. My issue is that when clients attempt to grab a DHCP address, the DHCP offer is being dropped by the firewall due to:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.200.84/67 dst inside:192.168.79.14/67 denied due to NAT reverse path failure
The dhcp server is upstream and is 192.168.200.84 and 192.168.79.14 is the wlan interface on the wlc. Can someone please have a look over my config and advise where I am going wrong.
Below is the complete config for the context. Keep in mind that this is only in test at the moment and is presently completely private; there is no public access presently.
asa/test# sh run
: Saved
:
ASA Version 8.4(1) <context>
!
hostname test
enable password *********** encrypted
passwd ********** encrypted
names
!
interface outside_test
nameif outside
security-level 0
ip address 192.168.207.91 255.255.255.248
!
interface inside_test
nameif inside
security-level 100
ip address 192.168.79.125 255.255.255.128
!
interface radtest
nameif radtest
security-level 50
ip address 10.1.0.251 255.255.255.248
!
object network test-inside
subnet 192.168.79.0 255.255.255.128
object-group network radtest
network-object 10.1.0.181 255.255.255.255
network-object 10.1.0.213 255.255.255.255
object-group network out-rad
network-object 192.168.15.68 255.255.255.255
network-object 192.168.15.69 255.255.255.255
object-group service radius_ports udp
port-object range radius radius-acct
port-object range 1812 1813
access-list outside-in extended permit ip any any
access-list radtest-in extended permit ip any any
access-list inside-in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu apnet 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network test-inside
nat (inside,outside) dynamic interface
object network radtest
nat (radtest,outside) dynamic interface
access-group outside-in in interface outside
access-group inside-in in interface inside
access-group radtest-in in interface radtest
route outside 0.0.0.0 0.0.0.0 192.168.207.89 1
route apnet 10.1.0.181 255.255.255.255 10.1.0.249 1
route apnet 10.1.0.213 255.255.255.255 10.1.0.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:98edfeccab777266691c489212987947
: end
Thanks for any assistance.
JS
04-17-2012 04:21 PM
Surely someone out there can assist me with this. I see plenty of other asymmetric NAT posts receiving plenty of replies.
Come on gurus, show us your stuff.
JS
04-17-2012 11:13 PM
James,
this article describes what you are seeing
https://supportforums.cisco.com/docs/DOC-12569
04-18-2012 12:04 AM
In addition to this, I think the problem that you are having is that your DHCP server is directing traffic for your WLC (192.168.79.14) to your ASA, well at least that is what your output shows:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.200.84/67 dst inside:192.168.79.14/67 denied due to NAT reverse path failure
So although you are directing traffic to 192.168.79.14, that IP address will never be presented out the outside interface, because it is hidden behind dynamic NAT:
nat (inside,outside) dynamic interface.
So how is your DHCP server sending offers to the real IP address of the WLC, rather than the NAT-ed IP address (192.168.207.91)?
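To make the asymmetry described in the reply above concrete, here is an added example (not code from the thread or from Cisco) that parses the quoted 305013 message and checks it against a simplified model of the context's one dynamic-interface PAT rule; the interface addresses are taken from the posted config, and the model ignores manual NAT, existing xlates and the other details of the real ASA lookup.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the 305013 syslog message quoted in the thread.
LOG_LINE = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
            "Connection for udp src outside:192.168.200.84/67 dst inside:192.168.79.14/67 "
            "denied due to NAT reverse path failure")

# Interface addresses taken from the posted context configuration.
INTERFACE_IP = {"outside": "192.168.207.91", "inside": "192.168.79.125"}

@dataclass
class DynamicPat:
    """Simplified model of 'nat (real,mapped) dynamic interface' on a network object."""
    real_ifc: str
    mapped_ifc: str
    real_net: ipaddress.IPv4Network

    def mapped_ip(self) -> str:
        # 'dynamic interface' hides every real host behind the mapped interface's address
        return INTERFACE_IP[self.mapped_ifc]

# object network test-inside / nat (inside,outside) dynamic interface
NAT_RULES = [DynamicPat("inside", "outside", ipaddress.ip_network("192.168.79.0/25"))]

FLOW_RE = re.compile(r"src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")

def parse_flow(line: str) -> dict:
    """Extract interface, address and port of both ends from a 305013 message."""
    m = FLOW_RE.search(line)
    if m is None:
        raise ValueError("not a NAT reverse-path-failure message")
    keys = ("src_ifc", "src_ip", "src_port", "dst_ifc", "dst_ip", "dst_port")
    return dict(zip(keys, m.groups()))

def reverse_path_mismatch(flow: dict, rules=NAT_RULES):
    """Address the reply would be translated to if it differs from the forward destination, else None."""
    dst = ipaddress.ip_address(flow["dst_ip"])
    for r in rules:
        # The reply (dst -> src) leaves r.real_ifc toward r.mapped_ifc, so it matches this rule
        if (r.real_ifc, r.mapped_ifc) == (flow["dst_ifc"], flow["src_ifc"]) and dst in r.real_net:
            if r.mapped_ip() != flow["dst_ip"]:
                return r.mapped_ip()
    return None

if __name__ == "__main__":
    f = parse_flow(LOG_LINE)
    print(f"{f['src_ip']} targeted real {f['dst_ip']}; replies would appear as {reverse_path_mismatch(f)}")
```

For the quoted message the check reports 192.168.207.91: the DHCP server addressed the WLC's real address, but any reply from the WLC would leave the outside interface PAT-ed to the interface address, which is exactly the forward/reverse mismatch the ASA refuses to build a connection for.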
05-15-2012 11:23 PM
G'day All,
Turns out I had a number of configuration issues; I got these resolved with the help of the members that replied. Much appreciated for the assistance and my newfound working understanding of NAT in 8.4.
Cheers,
JS