Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 5512 via ASDM (Flow is Denied by Configured Rule)

Hello all,

New to the forums and the relatively new to Cisco ASA 5512.  Particularly utiilizing the ASDM gui config.

I'm trying to setup the ASA to allow LDAP sync for a new SPAM/AV Email security service and running into an issue that I'm sure is a simple oversight. In production, using an our old firewall (sonicwall) all works well, but I'm testing through the ASA5512 in hopes to move this over soon.

Here's the message I receive when using packet tracer:

FlowDenied.png

For clarity, here are the NAT Rules currently created:

NatRules.png

And here's the message I receive in the Syslog when initiating a test connection for the LDAP sync:

syslog.png

Many thanks in advance...

-BH

1 REPLY
Hall of Fame Super Silver

ASA 5512 via ASDM (Flow is Denied by Configured Rule)

The detail on the NAT failure says it's caused by rpf check. That's Reverse Path Forwarding and usually indicates an asymmetric NAT - i.e. the flow in one direction performs NAT and your rules don't NAT the return traffic.

It's a bit hard to see from the limited screenshot your provided but it is often due to a higher level NAT rule seeing the return traffic first and treating it differently than the rule that handled the outbound traffic. It's also very common on VPN connections where one has neglected to exempt the tunneled traffic from NATting

494
Views
0
Helpful
1
Replies
CreatePlease login to create content