[ASA8858 with 8.4(2)] asym. NAT rule; conflict with dyn. PAT; problems with flows from low. SecLvl to higher SecLvl

Hello All,

I have a source dynamic NAT rule in place to translate all traffic from INSIDE (sec-lvl 100) to PRIVATE DMZ (sec-lvl 80) with translation to a specific new source IP (not the IF IP):

nat (fw-inside,fw-prv) source dynamic GRP_NAT_INSIDELAN NAT-LAN-NEW-IP1 destination static NET_PRV_DMZ NET_PRV_DMZ description [#R-TRx]

object network NAT-LAN-NEW-IP1
 host XX.XX.XX.XX

But all connection attempts from PRIVATE DMZ to INSIDE are now BLOCKED with message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure

My requirement is:

Dyn. PAT/NAT from INSIDE to PRV_DMZ, but NO NAT for sessions from PRV_DMZ to INSIDE. It is easy and straightforward to configure this on a Checkpoint FW-1 system, because the CP FW-1 is not checking the reverse path for NAT. How can I achieve the same on a Cisco ASA5585-SSP10 with Ver. 8.4(2)8 installed?

Kind Regards,

HMiku
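As an added illustration (not part of the original post), here is a small parser for the %ASA-5-305013 message quoted above, run over a few constructed syslog lines. It pulls out the denied flow, flags whether it was initiated from the lower-security interface toward the higher one (the PRV_DMZ to INSIDE direction the poster says is broken), and counts denials per interface pair and destination service so the affected rule direction stands out in a log review. The interface names and security levels come from the post; the sample lines and field names are my own.

```python
import re
from collections import Counter

# Pattern for the %ASA-5-305013 "NAT reverse path failure" syslog message quoted in the post.
# The message text is the ASA's; the named groups are my own labels.
ASA_305013 = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) denied due to NAT reverse path failure"
)

# Interface security levels as stated in the post (assumed for the sample).
SEC_LEVELS = {"fw-inside": 100, "fw-prv": 80}

# Constructed sample syslog lines: the one from the post, a second flow, and an unrelated message.
SAMPLE_LOG = [
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4460 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "%ASA-6-302013: Built outbound TCP connection 1234 for fw-prv:192.168.95.20/80 (192.168.95.20/80) to fw-inside:172.28.100.10/51000 (172.28.100.10/51000)",
]

def parse_305013(line):
    """Extract the denied flow from one %ASA-5-305013 line; None for any other message."""
    m = ASA_305013.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["src_port"] = int(flow["src_port"])
    flow["dst_port"] = int(flow["dst_port"])
    return flow

def low_to_high(flow, sec_levels=SEC_LEVELS):
    """True when the denied flow was initiated from a lower-security interface toward a higher one,
    i.e. the DMZ -> inside direction the post says breaks once the asymmetric rule is in place."""
    return sec_levels[flow["src_ifc"]] < sec_levels[flow["dst_ifc"]]

def summarize(lines):
    """Count reverse-path denials per (src_ifc, dst_ifc, dst_ip, dst_port) so the affected
    interface pair and service stand out. Returns a Counter keyed by that tuple."""
    counts = Counter()
    for line in lines:
        flow = parse_305013(line)
        if flow is not None:
            counts[(flow["src_ifc"], flow["dst_ifc"], flow["dst_ip"], flow["dst_port"])] += 1
    return counts

if __name__ == "__main__":
    for (src_ifc, dst_ifc, dst_ip, dst_port), n in summarize(SAMPLE_LOG).items():
        print(f"{n} denial(s): {src_ifc} -> {dst_ifc} to {dst_ip}:{dst_port}")
```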

1 REPLY
Cisco Employee


Seems like there is another NAT in between that is causing this error message. It would be nice if we could have the configuration, but I'm going to tell you what we normally look at in these cases.

Existing NAT rules that could have been created on the DMZ interface, and existing NAT rules that can be on the inside. I am almost sure that there is another NAT that could be breaking things, meaning the packet does not get translated on the DMZ, but when it answers back to the inside, it hits a NAT rule.

Check for rules that may have any any. You can easily check this by doing a packet tracer and see which NAT rules it would hit.

packet-tracer input inside tcp x 1025 y 80

Where x is the IP address of the inside host and y is the address of the DMZ host.

Let me know how the test goes.

Mike
