Hi all. This is complicated, I'll try to explain succinctly.
I have an ASA that is one end of an IPSEC tunnel. The IPSEC tunnel dumps traffic off onto the ASA, but instead of forwarding to the next hop, we see a log entry like the following:
Mar 7 19:54:12 18.104.22.168 Mar 8 00:54:12 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.28.253.1/8080 dst inside:10.20.161.33/8080 denied due to NAT reverse path failure
When I run a packet trace, the trace stops on an RPF check:
nat (inside) 0 0.0.0.0 0.0.0.0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 3242
Forward Flow based lookup yields rule:
out id=0x24305f50, priority=0, domain=nat-reverse, deny=false
Normally I would look at where the trace stopped and figure out the problem from there, in this case, the 'nat (inside) 0 0.0.0.0 0.0.0.0' statement; only problem is that statement doesn't show up in the config. Here are my actual NAT statements:
The access list 'nonat-outside-to-inside' has one relevant line concerning this specific traffic:
access-list nonat-outside-to-inside line 11 extended permit ip 172.28.253.0 255.255.255.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0xcba8a793
And access-list nonat-inside-to-outside has nothing that matches both the source and destination.
So, I don't actually have a statement that matches the error shown in the packet trace. I'm kind of stuck. From my reading of the RPF literature, I guess it's an anti-spoofing feature, which leads me to believe that the firewall is sending the traffic back into itself instead of forwarding it on to the next hop, and the RPF check says, nope, you already tried to send that through me, so I'm going to kill it. Which it should -- but why isn't it forwarding it out to the legitimate next hop? It's like the traffic is getting lost in the middle of the firewall, and I'm thinking -- BUG!
I'm kind of at a loss and considering opening a TAC case.
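As an added illustration (not part of the original post), here is a small checker that parses a %ASA-5-305013 line like the one quoted above and reports which direction of the denied flow is covered by a NAT-exemption ACL entry. The ACL entries, the second (inside-to-outside) entry and the log line are constructed for the example; the checker assumes exemption entries are given as (name, source network, destination network) triples.

```python
import ipaddress
import re

# Constructed sample syslog line, modelled on the 305013 message quoted in the post.
SAMPLE_LOG = (
    "Mar 7 19:54:12 18.104.22.168 Mar 8 00:54:12 %ASA-5-305013: Asymmetric NAT rules "
    "matched for forward and reverse flows; Connection for tcp src outside:172.28.253.1/8080 "
    "dst inside:10.20.161.33/8080 denied due to NAT reverse path failure"
)

# Hypothetical exemption entries: (acl name, source network, destination network).
# The first mirrors line 11 of nonat-outside-to-inside; the second is made up.
NAT_EXEMPT_ACLS = [
    ("nonat-outside-to-inside", "172.28.253.0/24", "10.20.0.0/16"),
    ("nonat-inside-to-outside", "10.20.0.0/16", "192.0.2.0/24"),
]

FLOW_RE = re.compile(
    r"%ASA-\d-305013:.*?Connection for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def parse_305013(line):
    """Return the flow fields from a %ASA-5-305013 message, or None if it does not match."""
    m = FLOW_RE.search(line)
    return m.groupdict() if m else None


def covering_acls(src_ip, dst_ip, acls):
    """Names of exemption entries whose src/dst networks both contain the given pair."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [name for name, sn, dn in acls
            if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)]


def check_flow(line, acls=NAT_EXEMPT_ACLS):
    """Report which direction(s) of the denied flow the exemption ACLs cover."""
    f = parse_305013(line)
    if f is None:
        return None
    return {
        "flow": f"{f['proto']} {f['sif']}:{f['sip']}/{f['sport']} -> {f['dif']}:{f['dip']}/{f['dport']}",
        "forward_exempt": covering_acls(f["sip"], f["dip"], acls),   # outside -> inside
        "reverse_exempt": covering_acls(f["dip"], f["sip"], acls),   # inside -> outside
    }


if __name__ == "__main__":
    print(check_flow(SAMPLE_LOG))
```

For the sample line this reports the forward direction covered by nonat-outside-to-inside and nothing covering the reverse direction, which is the mismatch the post describes.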
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...