08-25-2013 07:16 AM - edited 03-11-2019 07:30 PM
Hi Everyone,
I am pinging from a switch connected to the outside interface of the ASA to a PC connected to the DMZ interface of the ASA.
The switch has a static route to the DMZ PC subnet.
Also the ASA has an ACL that allows ping from outside to the DMZ interface subnet --- 192.168.70.0
Here are the logs:
: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.71.1 dst DMZ:192.168.70.10 (type 8, code 0) denied due to NAT reverse path failure
Here 192.168.71.1 is IP of switch interface directly connected to ASA.
192.168.70.10 is PC IP.
I know one way to do this is without using NAT between the DMZ and outside interfaces.
Need to know if there is any other way that I can allow ping from outside to the PC subnet in DMZ?
Regards
Mahesh
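The %ASA-5-305013 line quoted above is the one piece of evidence in this thread, so it is worth being able to read it mechanically. The parser below is an added example, not code from the original post or from Cisco: it pulls the protocol, ingress/egress interfaces, addresses, ports or ICMP type/code out of a 305013 message and counts drops per interface pair, which is the quickest way to tell which NAT rule is involved when there are many such lines. The sample log list holds the line from the post plus two constructed lines (a TCP variant of the same message and an unrelated access-list deny) so the code runs offline.

```python
import re
from collections import Counter

# Regex for ASA syslog 305013, the message quoted in the post above. The
# "%ASA-<severity>-305013:" tag is followed by the flow description; ICMP carries
# "(type N, code M)" while TCP/UDP carry "/port" after each address instead.
ASA_305013 = re.compile(
    r"%ASA-(?P<sev>\d)-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[0-9a-fA-F.:]+?)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[0-9a-fA-F.:]+?)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? "
    r"denied due to NAT reverse path failure"
)

# Constructed sample: line 0 is the message from the post, lines 1-2 are made up here
# (a TCP variant of 305013 and an unrelated access-list deny) to exercise the parser.
SAMPLE_LOG = [
    ": %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for icmp src outside:192.168.71.1 dst DMZ:192.168.70.10 (type 8, code 0) "
    "denied due to NAT reverse path failure",
    "Aug 25 2013 07:17:10: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src outside:192.168.71.1/51234 dst DMZ:192.168.70.10/22 "
    "denied due to NAT reverse path failure",
    "Aug 25 2013 07:17:11: %ASA-4-106023: Deny tcp src outside:192.168.71.1/51235 "
    "dst DMZ:192.168.70.10/23 by access-group \"outside_in\" [0x0, 0x0]",
]


def parse_asa_305013(line):
    """Return the fields of a 305013 message as a dict, or None if the line is something else."""
    m = ASA_305013.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sev", "sport", "dport", "type", "code"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def describe(fields):
    """One-line reading of the event: which flow was dropped and why the ASA dropped it."""
    flow = f"{fields['proto']} {fields['src_if']}:{fields['src']} -> {fields['dst_if']}:{fields['dst']}"
    if fields["type"] is not None:
        flow += f" (icmp type {fields['type']}, code {fields['code']})"
    return (f"{flow}: dropped because the {fields['src_if']}->{fields['dst_if']} packet and its "
            f"{fields['dst_if']}->{fields['src_if']} reply resolve to different NAT rules")


def interface_pairs(lines):
    """Count 305013 drops per (ingress, egress) interface pair; the hot pair names the NAT rule to fix."""
    counts = Counter()
    for line in lines:
        fields = parse_asa_305013(line)
        if fields:
            counts[(fields["src_if"], fields["dst_if"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        fields = parse_asa_305013(line)
        print(describe(fields) if fields else "not a 305013 message")
    print(dict(interface_pairs(SAMPLE_LOG)))
```

Run against a real syslog export, the interface-pair counter is the useful part: every 305013 for the same (ingress, egress) pair means the same rule is being matched in only one direction, so one NAT change fixes the whole group.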
08-25-2013 07:21 AM
Hi Mahesh,
Would really need to see the NAT configurations.
Though at the moment it of course seems that the traffic matches different NAT rules on the way in than on the way out.
Usually if you need to allow communications between 2 interfaces and 2 networks without NAT then you don't configure any NAT.
You might have some Dynamic PAT rule that is causing this problem so in that case you should probably configure NAT0 / NAT Exempt for the traffic between these 2 networks.
I am not sure what software version you are running.
- Jouni
08-25-2013 07:31 AM
Hi Jouni,
Version 9.1(1)
object network Auto_NAT_DMZ
 subnet 192.168.70.0 255.255.255.0
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.72.3 192.168.72.100
 description DMZ_ Global
nat (DMZ,outside) source dynamic Auto_NAT_DMZ Outside_pool description Auto NAT DMZ Interface
So above is all the NAT config for DMZ, where users behind DMZ have IPs in 192.168.70.0; their source IP gets translated to
the global subnet 192.168.72.3 on the way out.
Regards
Mahesh
08-25-2013 07:37 AM
Hi,
So it seems you are doing Dynamic NAT from "DMZ" to "outside".
This means that when you try to ICMP / PING the "DMZ" network directly from behind the "outside" interface, that traffic won't hit any NAT rule on the ASA, but the ICMP / PING reply from the "DMZ" will hit the Dynamic NAT rule that you mention. And this is why the traffic will be dropped.
You seem to have configured the "DMZ" Dynamic NAT in Section 1 of the NAT rules with Manual NAT.
This means we will have to configure a NAT0 / NAT Exempt type configuration for traffic to be able to pass without NAT between these networks you mention in the original post.
Something like this should do the trick:
object network DMZ
 subnet 192.168.70.0 255.255.255.0
object network OUTSIDE
 subnet 192.168.71.0 255.255.255.0
nat (DMZ,outside) 1 source static DMZ DMZ destination static OUTSIDE OUTSIDE
That should enable using real addresses between these 2 networks.
All other traffic from "DMZ" to "outside" will continue using Dynamic NAT.
- Jouni
08-25-2013 07:50 AM
Hi Jouni,
Need a little more understanding on this ---
When you said:
This means that when you try to ICMP / PING the "DMZ" network directly from behind the "outside" interface, that traffic won't hit any NAT rule on the ASA,
Is this default behaviour? Or is this due to my NAT rule?
Also when I do the ping from outside, the traffic reaches the PC behind the DMZ interface, right?
Regards
Mahesh
08-25-2013 07:58 AM
Hi,
The ICMP from "outside" to "DMZ" won't match any NAT configuration you had since you only had the Dynamic NAT from "DMZ" to "outside". So if you used ICMP / PING from "DMZ" to "outside" then that NAT rule would be matched correctly (in both directions).
But when you are using ICMP / PING from "outside" to "DMZ" it doesn't match any NAT rule on the way in but on the way out it would match the Dynamic NAT, and this is why you get the NAT error message.
I think the ICMP / PING probably doesn't reach the PC behind the "DMZ" interface. To my understanding the ASA does the check for both directions when the packet comes to the ASA, and since there is a problem with the NAT it drops the packet.
- Jouni
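Jouni's two explanations (why the outside-to-DMZ ping hits no rule on the way in but the dynamic rule on the way out, and why the identity rule in section 1 fixes it) can be checked with a small model of the ASA's first-match NAT table. The script below is an added example, not code from the thread or from Cisco: it encodes Mahesh's dynamic rule and Jouni's proposed identity rule, looks up the forward flow and its reply the way the ASA's reverse-path check does, and reports "denied" when the two resolve to different rules. The dynamic pool is modelled as the whole 192.168.72.0/24 network (the real config uses the range 192.168.72.3 to 192.168.72.100) and a single stand-in pool address is used instead of a PAT allocation; both are simplifications of this example, not ASA behaviour.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One line of the ASA NAT table, reduced to what the reverse-path check needs."""
    name: str
    real_if: str                        # interface where the real (untranslated) source lives
    mapped_if: str                      # interface where the source appears translated
    real_src: ipaddress.IPv4Network
    mapped_src: ipaddress.IPv4Network   # same as real_src for an identity (NAT exempt) rule
    dst: ipaddress.IPv4Network = ANY    # destination condition of a manual NAT rule; ANY if none

    @property
    def identity(self):
        return self.real_src == self.mapped_src

    def match(self, in_if, out_if, src, dst):
        """Direction ('fwd' or 'rev') in which this rule matches a flow entering on in_if, or None."""
        if (in_if == self.real_if and out_if == self.mapped_if
                and src in self.real_src and dst in self.dst):
            return "fwd"
        if (in_if == self.mapped_if and out_if == self.real_if
                and dst in self.mapped_src and src in self.dst):
            return "rev"
        return None

    def translate_src(self, src):
        """Source address as it leaves mapped_if. Stand-in: first pool host instead of a real PAT pick."""
        return src if self.identity else next(self.mapped_src.hosts())


def lookup(rules, in_if, out_if, src, dst):
    """First-match lookup over the ordered table (section order matters on the ASA)."""
    for rule in rules:
        direction = rule.match(in_if, out_if, src, dst)
        if direction:
            return rule, direction
    return None, None


def check_connection(rules, in_if, out_if, src, dst):
    """Mimic the ASA check: forward flow and its reply must resolve to the same NAT rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd_rule, fwd_dir = lookup(rules, in_if, out_if, src, dst)
    # Only a forward-direction hit rewrites the source; with no rule, or an identity rule hit
    # from its mapped side, the reply is addressed to the original source unchanged.
    reply_dst = fwd_rule.translate_src(src) if fwd_dir == "fwd" else src
    rev_rule, _ = lookup(rules, out_if, in_if, dst, reply_dst)
    verdict = "allowed" if fwd_rule is rev_rule else "denied: NAT reverse path failure"
    return verdict, (fwd_rule.name if fwd_rule else None), (rev_rule.name if rev_rule else None)


# Networks from the thread; POOL stands in for the range 192.168.72.3-192.168.72.100.
DMZ_NET = ipaddress.ip_network("192.168.70.0/24")
OUTSIDE_NET = ipaddress.ip_network("192.168.71.0/24")
POOL = ipaddress.ip_network("192.168.72.0/24")

# Mahesh's rule: nat (DMZ,outside) source dynamic Auto_NAT_DMZ Outside_pool
DYNAMIC = NatRule("dynamic DMZ->outside", "DMZ", "outside", DMZ_NET, POOL)
# Jouni's rule: nat (DMZ,outside) 1 source static DMZ DMZ destination static OUTSIDE OUTSIDE
EXEMPT = NatRule("identity DMZ<->outside", "DMZ", "outside", DMZ_NET, DMZ_NET, OUTSIDE_NET)

BEFORE = [DYNAMIC]           # table as posted
AFTER = [EXEMPT, DYNAMIC]    # the "1" puts the identity rule first in section 1

if __name__ == "__main__":
    # Switch (outside) pinging the DMZ PC, before and after the fix
    print("before:", check_connection(BEFORE, "outside", "DMZ", "192.168.71.1", "192.168.70.10"))
    print("after: ", check_connection(AFTER, "outside", "DMZ", "192.168.71.1", "192.168.70.10"))
    # DMZ PC pinging the switch works even before the fix, as Jouni says
    print("DMZ->switch:", check_connection(BEFORE, "DMZ", "outside", "192.168.70.10", "192.168.71.1"))
    # Other DMZ->outside traffic still uses the dynamic pool after the fix
    print("DMZ->internet:", check_connection(AFTER, "DMZ", "outside", "192.168.70.10", "203.0.113.5"))
```

The model reproduces the thread: with only the dynamic rule the outside-to-DMZ ping matches nothing on the way in and the dynamic rule on the reply, so it is dropped before reaching the PC; with the identity rule ahead of it both directions resolve to the identity rule, while traffic to any destination outside 192.168.71.0/24 falls through to the dynamic rule as before. Rule order is the part to watch in a real deployment: a manual identity rule placed after the dynamic rule would never be reached for this flow.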
08-25-2013 08:06 AM
Many thanks Again.
Best regards
Mahesh