%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure

chris
Level 1

Hi,

I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure

The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way but I can't figure out what needs to change in order to get it to work. My config is as follows:

interface Ethernet0/1.777
 description TRU 777
 vlan 777
 nameif tru777
 security-level 50
 ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18

access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
access-list acl_tru777 extended permit ip any any
access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240

ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0

nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
global (outside) 2 x.x.x.x

crypto isakmp nat-traversal 20

I think that is everything you should need, if not please just ask.

Thank you very much in advance,

Chris

8 Replies

Julio Carvajal
VIP Alumni

Hello Chris,

Please provide :

sh nameif

sh run nat

sh run global

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Here you go:

FWL01# sh nameif
Interface                Name                     Security
Ethernet0/0              outside                  0
Ethernet0/1              CLIENTS                  50
Ethernet0/1.314          tru01                    50
Ethernet0/1.313          dmz01                    50
Ethernet0/1.316          tru02                    50
Ethernet0/1.776          dmz776                   50
Ethernet0/1.777          tru777                   50
Management0/0            management               100

FWL01# sh run nat
nat (tru02) 1 192.168.3.0 255.255.255.240
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240

FWL01# sh run glob
global (outside) 1 interface
global (outside) 2 x.x.x.x

Thanks,

Chris

Hello Chris,

Next thing would be

show run static

packet-tracer input outside tcp 10.159.159.3 1025 10.1.34.19 3389


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

FWL01# sh run static
static (tru02,outside) x.x.x.216 x.x.x.216 netmask 255.255.255.248
static (dmz776,outside) x.x.x.49 10.1.34.3 netmask 255.255.255.255
static (tru777,outside) x.x.x.49 x.x.x.49 netmask 255.255.255.255

FWL01# packet-tracer input outside tcp 10.159.159.3 1025 10.1.34.19 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.34.16      255.255.255.240 tru777

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: tru777
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Chris

Hello Chris,

Can you show us the entire configuration, I will need to take a look at the ACL configuration as the information provided is not enough to get into the root issue.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Thanks for trying to help. I managed to get it working by just getting more specific with the no-nat ACL and added a new ACL for just that entry:

access-list acl_no-nat-777 extended permit ip 10.1.34.0 255.255.255.248 10.159.159.0 255.255.255.0

And I am not sure if it made any difference, but I changed the four in the NAT statement below to 0:

nat (tru777) 0 access-list acl_no-nat-777

I kept everything else the same and it is working exactly as I had hoped.

Thanks again!
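The thread's fix turns on the NAT ID: on ASA 8.2, nat 0 access-list is NAT exemption and is matched in both directions, while nat N access-list (N non-zero) is policy NAT, which is outbound-only and needs a matching global (outside) N. The script below is an added example, not part of the thread or Cisco's code: a deliberately reduced model of the 8.2 rule lookup that replays the two rule sets from this thread against the flow in the 305013 message (10.159.159.3 to 10.1.34.19) and shows why the first one fails the reverse-path check and the second does not. Assumptions: static rules are omitted because none on the page covers 10.1.34.x, a nat N line with no global N is treated as skipped, and the fixed exemption ACL is written for the whole tru777 subnet 10.1.34.16/28 (the interface subnet) rather than the exact mask in the final post.

```python
# Added example: simplified model of ASA 8.2 NAT rule selection per direction.
# Not the ASA's real code; semantics reduced to the three rule kinds in this thread.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    """One 'access-list X extended permit ip SRC DST' entry, in CIDR form."""
    src: str
    dst: str

    def hit(self, s: str, d: str) -> bool:
        return ip_address(s) in ip_network(self.src) and ip_address(d) in ip_network(self.dst)


class NatRule(NamedTuple):
    kind: str             # "exempt" (nat 0 acl), "policy" (nat N acl), "dynamic" (nat N net mask)
    nat_id: int
    acl: Tuple[Ace, ...]  # used by exempt/policy
    net: str              # used by dynamic
    text: str             # the CLI line, for messages


# 8.2 order of operation among the kinds modelled here (static rules omitted: none covers 10.1.34.x)
ORDER = {"exempt": 0, "policy": 1, "dynamic": 2}
GLOBALS = {1, 2}  # global (outside) 1 interface / global (outside) 2 x.x.x.x


def outbound_rule(rules, globals_, src, dst) -> Optional[NatRule]:
    """First rule, in order of operation, that applies to an inside-initiated flow src -> dst."""
    for r in sorted(rules, key=lambda r: ORDER[r.kind]):
        if r.kind in ("exempt", "policy"):
            matched = any(a.hit(src, dst) for a in r.acl)
        else:
            matched = ip_address(src) in ip_network(r.net)
        if not matched:
            continue
        if r.kind != "exempt" and r.nat_id not in globals_:
            continue  # assumption: a nat N with no global N cannot translate, so it is skipped
        return r
    return None


def inbound_rule(rules, out_src, in_dst) -> Optional[NatRule]:
    """Rule applied when an outside host initiates to an inside real address.
    Only exemption is bidirectional; its ACL is matched with the addresses swapped.
    Policy and regular dynamic NAT are outbound-only and never admit an inbound flow."""
    for r in rules:
        if r.kind == "exempt" and any(a.hit(in_dst, out_src) for a in r.acl):
            return r
    return None


def check_inbound(rules, globals_, out_src, in_dst) -> str:
    """Reverse-path check: the rule chosen for the inbound flow must be the same one
    the return traffic (inside -> outside) would select; otherwise the ASA logs 305013."""
    rev = inbound_rule(rules, out_src, in_dst)
    fwd = outbound_rule(rules, globals_, in_dst, out_src)
    if rev is fwd:
        return "allow"
    return ("deny: NAT reverse path failure, inbound matched "
            f"{rev.text if rev else 'no rule'} but return traffic matches "
            f"{fwd.text if fwd else 'no rule'}")


def original_rules():
    """The tru777 NAT lines from the first post: acl_no-nat under NAT ID 4 (policy NAT, no global 4)."""
    acl_no_nat = (Ace("10.1.34.0/24", "10.0.0.0/8"),
                  Ace("10.1.34.0/24", "172.16.0.0/12"),
                  Ace("10.1.34.0/24", "192.168.0.0/16"))
    return [NatRule("policy", 4, acl_no_nat, "", "nat (tru777) 4 access-list acl_no-nat"),
            NatRule("dynamic", 2, (), "10.1.34.16/28", "nat (tru777) 2 10.1.34.16 255.255.255.240")]


def fixed_rules():
    """Same, with the exemption under NAT ID 0. Assumption: the ACL covers the whole
    tru777 subnet 10.1.34.16/28 to the VPN pool 10.159.159.0/24."""
    acl_777 = (Ace("10.1.34.16/28", "10.159.159.0/24"),)
    return [NatRule("exempt", 0, acl_777, "", "nat (tru777) 0 access-list acl_no-nat-777"),
            NatRule("dynamic", 2, (), "10.1.34.16/28", "nat (tru777) 2 10.1.34.16 255.255.255.240")]


if __name__ == "__main__":
    for label, rules in (("original", original_rules()), ("fixed", fixed_rules())):
        print(label, "->", check_inbound(rules, GLOBALS, "10.159.159.3", "10.1.34.19"))
```

With the original rules the inbound VPN-client flow matches no rule, while the return packet from 10.1.34.19 falls through the global-less nat 4 line to nat 2 and would be translated to x.x.x.x, which is the asymmetry the log line reports. With the exemption under ID 0 both directions select the same rule, and internet-bound traffic from the tru777 subnet still hits nat 2 as before.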
