Cisco Support Community

New Member

Asymmetrical NAT issue

I'm having a problem and I'm not sure how to fix it.

I have one server which handles antivirus updates for all machines, but there are two devices which this server is unable to reach, and only these two.

These servers are the DNS and web server at the other site, and they don't receive automatic updates. When I access my antivirus server and try to ping those two I get:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmz2:Servereb dst inside:10.1.1.55 (type 8, code 0) denied due to NAT reverse path failure

Those servers have a static NAT to the outside with a public address.

Server --- Firewall ---- Router ----- Firewall --  WEB server
                                                   DNS server

I don't know what to do to solve this problem... please help...

If you need any other information let me know. Thanks!

  • Firewalling
1 ACCEPTED SOLUTION
Cisco Employee

Re: Asymmetrical NAT issue

Hello,

It seems that when traffic from inside goes to DMZ2, it takes the DMZ2 interface IP. But when you are trying to access the inside server from DMZ2, you are using its original IP address. Please try the following:

access-list inside_nat0_outbound permit ip "inside subnet" "mask" host "DMZ2 Server IP"

This will ensure that the inside devices use their own IP when communicating with the DMZ2 server. That should address the error message you are getting.

Hope this helps.

Regards,

NT
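The reverse-path check the ASA is complaining about can be reproduced offline. The script below is an added example, not code from the thread or from Cisco: it models the classic (pre-8.3) PIX/ASA NAT rule order for a single interface pair (nat 0 access-list exemption first, then static translation, then a dynamic nat/global pair doing PAT to the egress interface address) and asks, for a forward flow, what the reply flow's source would be translated to. When that differs from the address the forward flow was sent to, the firewall reports exactly the asymmetry seen above. The configuration, interface addresses and hostnames inside it are constructed stand-ins for the poster's object names (172.16.50.23 plays DMZ_WEB, 10.21.4.53 the antivirus server); port-level statics and identity `nat 0` without an access-list are deliberately not modeled.

```python
"""Toy ASA-style NAT symmetry checker (added example, not from the thread)."""
import ipaddress

# Constructed interface addresses; the thread does not show the real ones.
IFACE_IP = {"inside": "10.21.0.1", "dmz2": "172.16.50.1", "outside": "203.0.113.1"}

# Constructed config in the same shape as the poster's 'show run' output.
CONFIG_BEFORE = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (dmz2) 1 interface
static (dmz2,inside) 172.16.50.23 172.16.50.23 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.11 10.21.4.11 netmask 255.255.255.255
static (dmz2,outside) 203.0.113.80 172.16.50.23 netmask 255.255.255.255
static (dmz2,outside) tcp 203.0.113.80 www 172.16.50.23 www netmask 255.255.255.255
"""
# The exemption the accepted answer proposes (constructed subnet/mask values).
FIX = "access-list inside_nat0_outbound permit ip 10.21.0.0 255.255.0.0 host 172.16.50.23\n"


def parse_config(text):
    """Parse the subset of nat / global / static / access-list lines we model."""
    pol = {"static": [], "nat": [], "global": [], "nat0": {}, "acl": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            if t[2] in ("tcp", "udp"):
                continue  # port-level statics are out of scope for this model
            real_if, mapped_if = t[1].strip("()").split(",")
            pol["static"].append((real_if, mapped_if, t[2], t[3]))  # mapped, real
        elif t[0] == "nat" and t[2] == "0":
            pol["nat0"][t[1].strip("()")] = t[4]  # interface -> exemption ACL name
        elif t[0] == "nat":
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            pol["nat"].append((t[1].strip("()"), int(t[2]), net))
        elif t[0] == "global":
            pol["global"].append((t[1].strip("()"), int(t[2])))  # 'interface' PAT only
        elif t[0] == "access-list" and t[2] == "permit":
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}", strict=False)
            pol["acl"].setdefault(t[1], []).append((src, ipaddress.ip_address(t[7])))
    return pol


def translate_source(pol, src_if, src_ip, dst_if, dst_ip):
    """Address src_ip carries when it leaves dst_if towards dst_ip (None = no rule)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. nat 0 exemption has the highest priority: keep the original address.
    for net, host in pol["acl"].get(pol["nat0"].get(src_if, ""), []):
        if s in net and d == host:
            return src_ip
    # 2. Static translation defined for exactly this interface pair.
    for real_if, mapped_if, mapped, real in pol["static"]:
        if (real_if, mapped_if, real) == (src_if, dst_if, src_ip):
            return mapped
    # 3. Dynamic nat/global pair with matching id: PAT to the egress interface.
    for nat_if, nid, net in pol["nat"]:
        if nat_if == src_if and s in net and (dst_if, nid) in pol["global"]:
            return IFACE_IP[dst_if]
    return None


def untranslate_dest(pol, src_if, dst_if, dst_ip):
    """Real address behind dst_ip as seen from src_if (identity if no static)."""
    for real_if, mapped_if, mapped, real in pol["static"]:
        if (real_if, mapped_if, mapped) == (dst_if, src_if, dst_ip):
            return real
    return dst_ip


def check_symmetry(pol, src_if, src_ip, dst_if, dst_ip):
    """Return (ok, reverse_src): ok is False when the reply flow would be NATed
    to an address other than the one the forward flow was sent to."""
    real_dst = untranslate_dest(pol, src_if, dst_if, dst_ip)
    fwd_src = translate_source(pol, src_if, src_ip, dst_if, dst_ip) or src_ip
    rev_src = translate_source(pol, dst_if, real_dst, src_if, fwd_src)
    return rev_src == dst_ip, rev_src


if __name__ == "__main__":
    before = parse_config(CONFIG_BEFORE)
    after = parse_config(CONFIG_BEFORE + FIX)
    for label, pol in (("before", before), ("after fix", after)):
        ok, rev = check_symmetry(pol, "dmz2", "172.16.50.23", "inside", "10.21.4.53")
        print(f"{label}: dmz2 -> 10.21.4.53 symmetric={ok}, reply source would be {rev}")
```

Running it shows why only this one inside host fails: 10.21.4.11 has an identity `static (inside,dmz2)` and so its replies keep their address, while 10.21.4.53 falls through to `nat (inside) 1` + `global (dmz2) 1 interface` and would answer from the DMZ2 interface IP. Adding the exemption ACL makes the reverse translation match the forward destination again.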

7 REPLIES
Cisco Employee

Re: Asymmetrical NAT issue

Hello,

Can you post the output of the "show run nat" and "show run static" commands here? Please x-out any public IP addresses.

Thanks,

NT

New Member

Re: Asymmetrical NAT issue

The two servers involved are WEB (DMZ WEB = internal IP, WEB pub = public address); the others are OK!

Thanks in advance for your help.

SPOFWL01# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Ws 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 DMZ_MSP 255.255.255.255
SPOFWL01# sh run stat
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB 82 netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB 81 netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB https DMZ_WEB https netmask 255.255.255.255
static (dmz2,outside) tcp PUB_WEB www DMZ_WEB www netmask 255.255.255.255
static (dmz2,inside) 172.16.50.23 172.16.50.23 netmask 255.255.255.255
static (inside,dmz2) EXC Srvr_EXC netmask 255.255.255.255
static (inside,dmz2) Srvr_SIS SIS netmask 255.255.255.255
static (inside,dmz2) Srvr_EXC EXC netmask 255.255.255.255
static (dmz2,inside) PMSP DMZ_PMSP netmask 255.255.255.255
static (inside,outside) 189.39.32.35 172.16.1.250 netmask 255.255.255.255
static (inside,outside) 189.39.32.39 172.16.1.225 netmask 255.255.255.255
static (dmz2,outside) PUB_SPMSP DMZ_PMSP netmask 255.255.255.255 dns
static (dmz2,inside) DMZ_WEB DMZ_WEB netmask 255.255.255.255
static (dmz2,outside) PUB_DNS DMZ_DNS netmask 255.255.255.255
static (inside,dmz2) 10.21.4.11 10.21.4.11 netmask 255.255.255.255
static (inside,dmz2) Srvr_AMG Srvr AMG netmask 255.255.255.255
static (inside,dmz2) 10.21.4.32 10.21.4.32 netmask 255.255.255.255
static (inside,dmz2) EXC exc netmask 255.255.255.255
static (inside,dmz2) 10.21.4.76 10.21.4.76 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.21 10.21.1.21 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.22 10.21.1.22 netmask 255.255.255.255
static (inside,dmz2) DMZ_PMRJ DMZ_PMRJ netmask 255.255.255.255
static (inside,dmz2) 10.21.4.91 10.21.4.91 netmask 255.255.255.255
static (inside,dmz2) Srvr_WEB Srvr_WEB netmask 255.255.255.255
static (inside,dmz2) 10.21.4.77 10.21.4.77 netmask 255.255.255.255

New Member

Re: Asymmetrical NAT issue

In the error I posted I wrote the wrong IP.

Here is an example of the error:

dmz2:DMZ_WEB dst inside:10.21.4.53 (type 8, code 0) denied due to NAT reverse path failure

Cisco Employee

Re: Asymmetrical NAT issue

Hello,

Can you also post the output of the "show run global" and "show run access-list inside_nat0_outbound" commands?

Regards,

NT

New Member

Re: Asymmetrical NAT issue

sh run global
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface
sh run access-list inside_nat0__outbound
ERROR: access-list does not exist

=) Thanks


New Member

Re: Asymmetrical NAT issue

Thanks, I will test it!
