08-31-2010 06:16 AM - edited 03-11-2019 11:32 AM
I'm having a problem and I'm not sure how to fix it.
I have one server that handles antivirus updates for all machines, but there are two machines that this server is unable to access, and only these two.
These servers are the DNS and web server from the other site, and they don't receive automatic updates. When I access my antivirus server and try to ping those two I get:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmz2:Servereb dst inside:10.1.1.55 (type 8, code 0) denied due to NAT reverse path failure
Those servers have a static NAT to outside with a public address.
Server --- Firewall ---- Router ----- Firewall -- WEBserver
DNS SERVER
I don't know what to do to solve this problem... please help...
If you need any other information let me know. Thanks!
08-31-2010 06:54 AM
Hello,
Can you post the output of the "show run nat" and "show run static" commands
here? Please x-out any public IP addresses.
Thanks,
NT
08-31-2010 07:14 AM
The two servers involved are WEB (DMZ WEB is the internal IP, WEB pub is the public address) and DNS; the others are OK!
Thanks in advance for your help
SPOFWL01# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Ws 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 DMZ_MSP 255.255.255.255
SPOFWL01# sh run stat
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB 82 netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB 81 netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB https DMZ_WEB https netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB www netmask 255.255.255.255
static (dmz2,inside) 172.16.50.23 172.16.50.23 netmask 255.255.255.255
static (inside,dmz2) EXC Srvr_EXC netmask 255.255.255.255
static (inside,dmz2) Srvr_SIS SIS netmask 255.255.255.255
static (inside,dmz2) Srvr_EXC EXC netmask 255.255.255.255
static (dmz2,inside) PMSP DMZ_PMSP netmask 255.255.255.255
static (inside,outside) 189.39.32.35 172.16.1.250 netmask 255.255.255.255
static (inside,outside) 189.39.32.39 172.16.1.225 netmask 255.255.255.255
static (dmz2,outside) PUB_SPMSP DMZ_PMSP netmask 255.255.255.255 dns
static (dmz2,inside) DMZ_WEB DMZ_WEB netmask 255.255.255.255
static (dmz2,outside) PUB_DNS DMZ_DNS netmask 255.255.255.255
static (inside,dmz2) 10.21.4.11 10.21.4.11 netmask 255.255.255.255
static (inside,dmz2) Srvr_AMG Srvr_AMG netmask 255.255.255.255
static (inside,dmz2) 10.21.4.32 10.21.4.32 netmask 255.255.255.255
static (inside,dmz2) EXC exc netmask 255.255.255.255
static (inside,dmz2) 10.21.4.76 10.21.4.76 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.21 10.21.1.21 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.22 10.21.1.22 netmask 255.255.255.255
static (inside,dmz2) DMZ_PMRJ DMZ_PMRJ netmask 255.255.255.255
static (inside,dmz2) 10.21.4.91 10.21.4.91 netmask 255.255.255.255
static (inside,dmz2) Srvr_WEB Srvr_WEB netmask 255.255.255.255
static (inside,dmz2) 10.21.4.77 10.21.4.77 netmask 255.255.255.255
08-31-2010 07:16 AM
In the error I posted I wrote the wrong IP.
Here is the actual error:
dmz2:DMZ_WEB dst inside:10.21.4.53 (type 8, code 0) denied due to NAT reverse path failure
08-31-2010 07:21 AM
Hello,
Can you also post the output of the "show run global" and "show run access-list
inside_nat0_outbound" commands?
Regards,
NT
08-31-2010 07:30 AM
sh run global
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
sh run access-list inside_nat0__outbound
ERROR: access-list
=) Thanks
08-31-2010 07:46 AM
Hello,
It seems that when traffic from inside goes to DMZ2, it takes the DMZ2
interface IP. But when you try to access the inside server from DMZ2,
you are using its original IP address. Please try the following:
access-list inside_nat0_outbound permit ip "inside subnet" "mask" host "DMZ2 Server IP"
This will ensure that the inside devices use their own IP when communicating
with the DMZ2 server. That should address the error message you are getting.
Hope this helps.
Regards,
NT
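The configuration below is an added illustration of the fix NT describes, written for this thread and not taken from the original posts. It uses the pre-8.3 ASA syntax that the posted "sh run nat" / "sh run static" output already uses. Two things are assumptions, not facts from the thread: that the inside subnet is 10.21.4.0/24 (the failing destination 10.21.4.53 and the other identity statics fall in it) and that the two unreachable DMZ2 hosts are the objects named DMZ_WEB and DMZ_DNS. Replace those with the real values.

```cisco
! Added example, not from the thread. Pre-8.3 ASA NAT exemption so inside hosts
! keep their real address toward the DMZ2 servers.
!
! Why the current config fails (from the posted output):
!   forward flow  dmz2 -> inside : DMZ_WEB -> 10.21.4.53, untranslated
!                                 (no static covers 10.21.4.53)
!   reverse flow  inside -> dmz2 : 10.21.4.53 is PAT'd to the dmz2 interface
!                                 address by "nat (inside) 1 0.0.0.0 0.0.0.0"
!                                 plus "global (dmz2) 1 interface"
! The two flows disagree, so the ASA logs "NAT reverse path failure".

! 1. Identity ACL: inside subnet (ASSUMED 10.21.4.0/24) keeps its real
!    addresses when talking to the DMZ2 servers (ASSUMED names DMZ_WEB, DMZ_DNS).
access-list inside_nat0_outbound extended permit ip 10.21.4.0 255.255.255.0 host DMZ_WEB
access-list inside_nat0_outbound extended permit ip 10.21.4.0 255.255.255.0 host DMZ_DNS

! 2. Bind the ACL as NAT exemption. This line is already present in the posted
!    "sh run nat" output; it only had no ACL to match against.
nat (inside) 0 access-list inside_nat0_outbound

! 3. Alternative with the same effect, in the style the posted config already
!    uses for other inside hosts (one identity static per host):
! static (inside,dmz2) 10.21.4.53 10.21.4.53 netmask 255.255.255.255

! 4. Verify both directions without waiting for the update server to poll
!    (substitute the real DMZ_WEB address):
! packet-tracer input dmz2 icmp <DMZ_WEB-ip> 8 0 10.21.4.53
! packet-tracer input inside icmp 10.21.4.53 8 0 <DMZ_WEB-ip>
!    Both should end in "Action: allow", with the NAT phase showing an
!    untranslated (identity) mapping rather than the dmz2 interface address.

! 5. Existing translations are not rewritten; clear them so new flows pick up
!    the exemption (this drops current translations on the box, so schedule it):
! clear xlate
```

Two caveats a practitioner would check before calling this solved. First, NAT exemption via `nat 0 access-list` is bidirectional, so DMZ2 hosts may now initiate connections to the inside subnet; since dmz2 is a lower-security interface, the access-list applied to dmz2 still has to permit the ICMP and update traffic, and it is the place to keep that reach as narrow as the update mechanism needs. Second, the posted `static (inside,outside)` lines include un-x'd public addresses; when pasting configs into a public thread, mask them as NT requested.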
08-31-2010 07:58 AM
Thanks, I will test it!