ASA 5512 via ASDM (Flow is Denied by Configured Rule)

bhodgson
Level 1

Hello all,

New to the forums and relatively new to the Cisco ASA 5512, particularly utilizing the ASDM GUI config.

I'm trying to set up the ASA to allow LDAP sync for a new SPAM/AV email security service and running into an issue that I'm sure is a simple oversight. In production, using our old firewall (SonicWall), all works well, but I'm testing through the ASA 5512 in hopes of moving this over soon.

Here's the message I receive when using packet tracer:

[screenshot: FlowDenied.png]

For clarity, here are the NAT Rules currently created:

[screenshot: NatRules.png]

And here's the message I receive in the Syslog when initiating a test connection for the LDAP sync:

[screenshot: syslog.png]

Many thanks in advance...

-BH


Marvin Rhoads
Hall of Fame

The detail on the NAT failure says it's caused by rpf check. That's Reverse Path Forwarding and usually indicates an asymmetric NAT - i.e. the flow in one direction performs NAT and your rules don't NAT the return traffic.

It's a bit hard to see from the limited screenshot you provided, but it is often due to a higher level NAT rule seeing the return traffic first and treating it differently than the rule that handled the outbound traffic. It's also very common on VPN connections where one has neglected to exempt the tunneled traffic from NATting.
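As an added illustration of the two causes this reply describes (not configuration from the original poster or from Cisco), the following ASA 8.3+ style snippet shows a static NAT for an internal LDAP server, a general PAT rule moved to the after-auto section so it cannot grab the LDAP server's return traffic ahead of the static rule, an identity NAT that exempts VPN traffic from translation, and the packet-tracer and show nat commands used to confirm which rule a flow actually hits. Every address, object name and interface name here is a constructed placeholder.

```cisco
! Added example, not from the original thread. Addresses, object and interface names are constructed.

! Internal LDAP server published on a dedicated public address (auto NAT, Section 2).
object network LDAP-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10

! Inside network and the remote network reached over a site-to-site VPN.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network VPN-REMOTE-NET
 subnet 10.20.0.0 255.255.0.0

! Cause 1 from the reply: a broad manual PAT rule in Section 1 is evaluated before the
! object static NAT, so the LDAP server's replies are PATed to the interface address
! while the inbound packets were untranslated to the static mapping, and the flow fails
! the NAT reverse-path check. Placing the PAT rule "after-auto" (Section 3) lets the
! static rule win for the LDAP server and keeps PAT for everything else.
nat (inside,outside) after-auto source dynamic INSIDE-NET interface

! Cause 2 from the reply: VPN traffic must be exempted from translation. This identity
! NAT is inserted at line 1 of Section 1 so it is matched before any other manual rule.
nat (inside,outside) 1 source static INSIDE-NET INSIDE-NET destination static VPN-REMOTE-NET VPN-REMOTE-NET no-proxy-arp route-lookup

! Verification. Simulate the inbound LDAP (TCP/389) connection from the email security
! service to the server's public address; the NAT phase of the output names the rule that
! matched, and an asymmetric configuration ends with a nat-rpf-failed drop reason instead
! of "Action: allow".
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 389 detailed

! Simulate the tunneled direction as well, from an inside host to the VPN peer network.
packet-tracer input inside tcp 192.168.1.10 40000 10.20.5.25 389 detailed

! Rule order and hit counters; the translate_hits should accrue on the rule you expect.
show nat detail
```

In practice the packet-tracer output is the quickest way to see the asymmetry: run it once in each direction and compare which NAT rule each phase reports, then adjust the rule order (or add the identity NAT) so both directions land on the same translation.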
