%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure

chris
Level 1

Hi,

I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure

The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way but I can't figure out what needs to change in order to get it to work. My config is as follows:

interface Ethernet0/1.777
 description TRU 777
 vlan 777
 nameif tru777
 security-level 50
 ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18

access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
access-list acl_tru777 extended permit ip any any
access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240

ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0

nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
global (outside) 2 x.x.x.x

crypto isakmp nat-traversal 20

I think that is everything you should need, if not please just ask.

Thank you very much in advance,

Chris

8 Replies

Julio Carvajal
VIP Alumni

Hello Chris,

Please provide :

sh nameif
sh run nat
sh run global

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Here you go:

FWL01# sh nameif
Interface                Name                     Security
Ethernet0/0              outside                  0
Ethernet0/1              CLIENTS                  50
Ethernet0/1.314          tru01                    50
Ethernet0/1.313          dmz01                    50
Ethernet0/1.316          tru02                    50
Ethernet0/1.776          dmz776                   50
Ethernet0/1.777          tru777                   50
Management0/0            management               100

FWL01# sh run nat
nat (tru02) 1 192.168.3.0 255.255.255.240
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240

FWL01# sh run glob
global (outside) 1 interface
global (outside) 2 x.x.x.x

Thanks,

Chris

Hello Chris,

Next thing would be

show run static
packet-tracer input outside tcp 10.159.159.3 1025 10.1.34.19 3389



FWL01# sh run static
static (tru02,outside) x.x.x.216 x.x.x.216 netmask 255.255.255.248
static (dmz776,outside) x.x.x.49 10.1.34.3 netmask 255.255.255.255
static (tru777,outside) x.x.x.49 x.x.x.49 netmask 255.255.255.255

FWL01# packet-tracer input outside tcp 10.159.159.3 1025 10.1.34.19 3389

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.34.16      255.255.255.240 tru777

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: tru777
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

Chris

Hello Chris,

Can you show us the entire configuration? I will need to take a look at the ACL configuration, as the information provided is not enough to get to the root of the issue.

Regards,


Hi,

Thanks for trying to help. I managed to get it working by just getting more specific with the no-nat ACL and added a new ACL for just that entry:

access-list acl_no-nat-777 extended permit ip 10.1.34.0 255.255.255.248 10.159.159.0 255.255.255.0

And I am not sure if it made any difference, but I changed the four in the NAT statement below to 0:

nat (tru777) 0 access-list acl_no-nat-777

I kept everything else the same and it is working exactly as I had hoped.

Thanks again!
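To show why changing the NAT id from 4 to 0 is the part that matters, here is an added Python model of the ASA 8.2 classic NAT lookup order and of the forward/reverse symmetry check behind %ASA-5-305013. It is example code written for this page, not Cisco's implementation, and it simplifies: statics are left out (none in the thread covers 10.1.34.16/28), nat-control is assumed off, and the exemption entry is written for the tru777 /28 used by acl_ra-lock-tru777 rather than the exact mask in the posted line. The Acl and Nat classes, reverse_path_check and the rule labels are the example's own names.

```python
"""
Model of the ASA 8.2 classic NAT lookup that produces %ASA-5-305013.
Added example, not Cisco code.  Three rule kinds from the thread are
modelled: nat 0 access-list (NAT exemption, matched in both directions),
nat <id> access-list (policy NAT, matched only for flows entering its
interface) and nat <id> <net> <mask> (dynamic NAT, same restriction).
Statics are omitted because none in the thread covers 10.1.34.16/28.
"""
from ipaddress import ip_address, ip_network


class Acl:
    """Ordered list of 'permit ip <src> <dst>' entries (source, destination)."""

    def __init__(self, *entries):
        self.entries = [(ip_network(s), ip_network(d)) for s, d in entries]

    def permits(self, src, dst):
        return any(src in s and dst in d for s, d in self.entries)


class Nat:
    """One 'nat (<iface>) <id> ...' line; carries either an ACL or a network."""

    def __init__(self, iface, nat_id, acl=None, net=None):
        self.iface, self.nat_id = iface, nat_id
        self.acl = acl
        self.net = ip_network(net) if net else None

    def label(self):
        kind = "exempt" if self.nat_id == 0 else ("policy" if self.acl else "dynamic")
        return f"{kind} nat ({self.iface}) {self.nat_id}"


def lookup(rules, in_iface, out_iface, src, dst):
    """Label of the first rule matching a flow entering in_iface, or 'no translation'.

    Order follows the 8.2 configuration guide: NAT exemption first, then
    policy dynamic NAT, then regular dynamic NAT.
    """
    src, dst = ip_address(src), ip_address(dst)
    # 1. NAT exemption: also evaluated with src/dst swapped for flows that
    #    enter the other interface, which is what makes it bidirectional.
    for r in rules:
        if r.nat_id != 0:
            continue
        if r.iface == in_iface and r.acl.permits(src, dst):
            return r.label()
        if r.iface == out_iface and r.acl.permits(dst, src):
            return r.label()
    # 2. policy NAT, then 3. dynamic NAT: only for flows entering their interface.
    for want_acl in (True, False):
        for r in rules:
            if r.nat_id == 0 or r.iface != in_iface or bool(r.acl) != want_acl:
                continue
            if r.acl.permits(src, dst) if r.acl else src in r.net:
                return r.label()
    return "no translation"


def reverse_path_check(rules, in_iface, out_iface, src, dst):
    """305013 emulation: the forward and reverse flows must hit the same rule."""
    fwd = lookup(rules, in_iface, out_iface, src, dst)
    rev = lookup(rules, out_iface, in_iface, dst, src)
    return fwd == rev, fwd, rev


# --- Chris's original tru777 NAT lines, as posted in the thread ---
ACL_NO_NAT = Acl(("10.1.34.0/24", "10.0.0.0/8"),
                 ("10.1.34.0/24", "172.16.0.0/12"),
                 ("10.1.34.0/24", "192.168.0.0/16"))
ORIGINAL = [Nat("tru777", 4, acl=ACL_NO_NAT),
            Nat("tru777", 2, net="10.1.34.16/28")]

# --- the fix: id 0 makes the ACL a NAT exemption (entry assumed as the tru777 /28) ---
ACL_NO_NAT_777 = Acl(("10.1.34.16/28", "10.159.159.0/24"))
FIXED = [Nat("tru777", 0, acl=ACL_NO_NAT_777),
         Nat("tru777", 2, net="10.1.34.16/28")]

VPN_CLIENT, RDP_HOST = "10.159.159.3", "10.1.34.19"   # addresses from the log line

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        ok, fwd, rev = reverse_path_check(rules, "outside", "tru777", VPN_CLIENT, RDP_HOST)
        print(f"{name:8s} forward={fwd!r:28} reverse={rev!r:28} {'pass' if ok else 'DENY (305013)'}")
```

Running it prints one line per configuration. Under the original lines the forward flow entering outside matches no rule, while the reverse flow leaving tru777 matches policy NAT 4, which like nat 2 is only consulted for flows entering tru777; the two directions disagree, which is exactly what the 305013 message reports. Under the fix both directions hit the same exemption, because nat 0 access-list is evaluated with source and destination swapped for flows entering the other interface. The packet-tracer run earlier in the thread still drops on the outside interface's implicit deny; actual VPN-terminated traffic bypasses that interface ACL only while sysopt connection permit-vpn (the ASA default) is in effect.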
