Asymmetric NAT rules matched for forward and reverse flow

mahesh18
Level 6

Hi Everyone,

I am pinging from a switch connected to the outside interface of the ASA to a PC connected to the DMZ interface of the ASA.

The switch has a static route to the DMZ PC subnet.

The ASA also has an ACL that allows ping from outside to the DMZ interface subnet, 192.168.70.0.

Here are the logs:

: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.71.1 dst DMZ:192.168.70.10 (type 8, code 0) denied due to NAT reverse path failure

Here 192.168.71.1 is the IP of the switch interface directly connected to the ASA.

192.168.70.10 is the PC IP.

I know one way to do this is without using NAT between the DMZ and outside interfaces.

I need to know if there is any other way that I can allow ping from outside to the PC subnet in the DMZ.

Regards

Mahesh


6 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

Would really need to see the NAT configurations.

Though at the moment it of course seems that the traffic matches different NAT rules on the way in than on the way out.

Usually if you need to allow communications between 2 interfaces and 2 networks without NAT then you don't configure any NAT.

You might have some Dynamic PAT rule that is causing this problem so in that case you should probably configure NAT0 / NAT Exempt for the traffic between these 2 networks.

I am not sure what software version you are running.

- Jouni

Hi Jouni,

Version 9.1(1)

object network Auto_NAT_DMZ
 subnet 192.168.70.0 255.255.255.0
 description Auto NAT DMZ Interface
object network Outside_pool
 range 192.168.72.3 192.168.72.100
 description DMZ_ Global

nat (DMZ,outside) source dynamic Auto_NAT_DMZ Outside_pool description Auto NAT DMZ Interface

So the above is all the NAT config for the DMZ, where users behind the DMZ have IPs in 192.168.70.0; their source IP gets translated to the global subnet 192.168.72.3 on the way out.

Regards

Mahesh

Hi,

So it seems you are doing Dynamic NAT from "DMZ" to "outside".

This means that when you try to ICMP / PING the "DMZ" network directly from behind the "outside" interface, that traffic won't hit any NAT rule on the ASA, but the ICMP / PING reply from the "DMZ" will hit the Dynamic NAT rule that you mention. And this is why the traffic will be dropped.

You seem to have configured the "DMZ" Dynamic NAT in Section 1 of the NAT rules with Manual NAT.

This means we will have to configure a NAT0 / NAT Exempt type configuration for traffic to be able to pass without NAT between these networks you mention in the original post.

Something like this should do the trick:

object network DMZ
 subnet 192.168.70.0 255.255.255.0
object network OUTSIDE
 subnet 192.168.71.0 255.255.255.0

nat (DMZ,outside) 1 source static DMZ DMZ destination static OUTSIDE OUTSIDE

That should enable using real addresses between these 2 networks.

All other traffic from "DMZ" to "outside" will continue using Dynamic NAT.

- Jouni

Hi Jouni,

I need a little more understanding on this:

When you said

This means that when you try to ICMP / PING the "DMZ" network directly from behind the "outside" interface, that traffic won't hit any NAT rule on the ASA,

Is this default behaviour, or is this due to my NAT rule?

Also, when I do the ping from outside, the traffic reaches the PC behind the DMZ interface, right?

Regards

Mahesh

Hi,

The ICMP from "outside" to "DMZ" won't match any NAT configuration you had, since you only had the Dynamic NAT from "DMZ" to "outside". So if you used ICMP / PING from "DMZ" to "outside" then that NAT rule would be matched correctly (in both directions).

But when you are using ICMP / PING from "outside" to "DMZ" it doesn't match any NAT rule on the way in, but on the way out it would match the Dynamic NAT, and this is why you get the NAT error message.

I think the ICMP / PING probably doesn't reach the PC behind the "DMZ" interface. To my understanding the ASA does the check for both directions when the packet comes to the ASA, and since there is a problem with the NAT it drops the packet.

- Jouni
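Jouni's two explanations above (the outside-to-DMZ ping hitting no rule on the way in but the Dynamic NAT rule on the way out, and the identity rule at position 1 fixing it) as an added, runnable model. This is example code written for this thread, not Cisco's or the ASA's implementation; it assumes the interface names, subnets and pool from the posts, a simplified first-match lookup, and that a dynamic rule always hands out its first pool address.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model (not Cisco's code) of ASA Section 1 manual NAT lookup: rules are tried
# in order, first match wins; a rule matches in its own (src_if -> dst_if) direction or in
# the reply direction by un-translating its mapped source. Identity NAT has mapped == real.

def inside(obj, ip):
    """obj: IPv4Network, (first, last) address range, or None meaning 'any'."""
    if obj is None:
        return True
    if isinstance(obj, ipaddress.IPv4Network):
        return ip in obj
    return obj[0] <= ip <= obj[1]

@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str
    dst_if: str
    src_real: object
    src_mapped: object
    dst_real: object = None       # None: source-only rule, no destination clause
    dst_mapped: object = None
    def matches(self, in_if, out_if, src, dst):
        if (in_if, out_if) == (self.src_if, self.dst_if):    # own direction
            return inside(self.src_real, src) and inside(self.dst_mapped, dst)
        if (in_if, out_if) == (self.dst_if, self.src_if):    # reply direction
            return inside(self.src_mapped, dst) and inside(self.dst_real, src)
        return False
    def mapped_src(self, src):
        """Model only: dynamic rules hand out the first pool address, identity keeps src."""
        return src if self.src_real == self.src_mapped else self.src_mapped[0]

def lookup(rules, in_if, out_if, src, dst):
    return next((r for r in rules if r.matches(in_if, out_if, src, dst)), None)

def check_connection(rules, in_if, out_if, src, dst):
    """Reverse-path check: forward flow and reply flow must hit the same rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd = lookup(rules, in_if, out_if, src, dst)
    reply_dst = fwd.mapped_src(src) if fwd else src       # replies go to the mapped source
    rev = lookup(rules, out_if, in_if, dst, reply_dst)
    if fwd is not rev:
        return "denied: asymmetric NAT (forward=%s, reverse=%s)" % (
            fwd and fwd.name, rev and rev.name)
    return "allowed via %s" % (fwd.name if fwd else "no NAT")
NET, ADDR = ipaddress.ip_network, ipaddress.ip_address
DYNAMIC = Rule("dynamic", "DMZ", "outside", NET("192.168.70.0/24"),       # the thread's pool rule
               (ADDR("192.168.72.3"), ADDR("192.168.72.100")))
IDENTITY = Rule("identity", "DMZ", "outside", NET("192.168.70.0/24"),     # Jouni's NAT0 rule
                NET("192.168.70.0/24"), NET("192.168.71.0/24"), NET("192.168.71.0/24"))
```

Running `check_connection` with `[DYNAMIC]` alone reproduces the asymmetric denial from the log, `[IDENTITY, DYNAMIC]` allows the ping while DMZ-to-internet traffic still uses the pool, and `[DYNAMIC, IDENTITY]` is denied again, which is why the `1` in the nat command matters.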

Many thanks Again.

Best regards

Mahesh
