Cisco Support Community

New Member

Asymmetric NAT rules matched for forward and reverse flows

We are trying to send netflow from our internet router (64.xx.xx.1) to an inside netflow collector (10.10.xx.81).

The following are flow export config and static ip route on internet router.

ip flow-export source GigabitEthernet0/1
ip flow-export version 9 peer-as
ip flow-export destination 10.10.xx.81 2055

ip route 10.10.xx.81 255.255.255.255 64.xx.xx.2 (64.xx.xx.2 is outside interface of ASA5520)

The following is ACL on ASA5520 which I see hits on.

access-list OUTSIDE extended permit udp host 64.xx.xx.1 host 10.10.xx.81 eq 2055

I now see the following log messages on ASA5520

5 Oct 22 2010 08:44:50 10.10.xx.81 2055 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:64.xx.xx.1/50847 dst inside:10.10.xx.81/2055 denied due to NAT reverse path failure

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Asymmetric NAT rules matched for forward and reverse flows

Yes, you should use IP instead of UDP in the ACL you pasted.

12 REPLIES

Re: Asymmetric NAT rules matched for forward and reverse flows

Hi,

Try disabling NAT on the ASA for the flows between the router and the host:

nat (inside) 0 access-list NONAT
access-list NONAT permit ip host 10.10.2.81 host 64.xx.xx.1

Dan

New Member

Re: Asymmetric NAT rules matched for forward and reverse flows

What would adding the following do?

access-list inside_nat0_outbound extended permit ip any 10.10.2.81 255.255.255.255

I added that and the log messages stopped appearing; then I removed it, and now I don't see hits on the ACL anymore.

Re: Asymmetric NAT rules matched for forward and reverse flows

Can you paste a show run nat?

New Member

Re: Asymmetric NAT rules matched for forward and reverse flows

For whatever reason, after adding and then removing the following, I no longer see hits on the ACL and nothing in the log messages for 10.xx.xx.81 (the collector IP).

access-list inside_nat0_outbound extended permit ip any 10.10.2.81 255.255.255.255

I changed the interface names in the show nat output below; hope that doesn't confuse.

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (ABC123) 168 192.168.0.0 255.255.0.0 outside
nat (DEF456) 0 access-list DEF456_nat0_dmzbound
nat (DEF456) 231 10.231.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (GHI789) 0 access-list GHI789_nat0_outbound
nat (JKL012) 0 access-list JKL012_nat0_outbound

Re: Asymmetric NAT rules matched for forward and reverse flows

You should configure:

access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.x.x.1

Then check if the flows are received on the collector.

Dan

New Member

Re: Asymmetric NAT rules matched for forward and reverse flows

I added the suggested nat exempt and the collector is receiving flow.

I however do not see hits on the ACL on ASA5520. Is that normal?

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Yeah, if you have a UDP flow up and passing traffic you will not see the ACL incrementing; you would need to stop the flow, and then you would see one increment while the flow was up. So only the first UDP netflow packet hits the ACL, and then it goes through using the existing flow (no ACL hit).

I hope it makes sense.

PK

New Member

Re: Asymmetric NAT rules matched for forward and reverse flows

After adding that NAT exempt, my NAT view in ASDM looks different.

I used to see NAT exempts lumped together but things look different.

New Member

Re: Asymmetric NAT rules matched for forward and reverse flows

After adding the following command, all the NAT exempts on the inside interface were gone/not working. They would show up in the CLI but not in ASDM. I had not saved the changes, so rebooting the firewall brought things back to normal. Now I am a little nervous about adding the command again.

Could having it be protocol udp vs ip make a difference? All the other NAT exempt on inside interface are protocol ip.

access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.xx.xx.1

Should I try adding again or add it with protocol ip?

Thanks.

New Member

Re: Asymmetric NAT rules matched for forward and reverse flows

I am looking to see if I am comprehending correctly. I have read that only the ip protocol is allowed in a NAT exempt access-list. NAT exemption is evaluated on source and destination and not on IP protocols or port numbers.

Does that mean this config should use ip instead of udp?

access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.xx.xx.1

Thanks for clarification.

Bronze

Re: Asymmetric NAT rules matched for forward and reverse flows

Yes, you should use IP instead of UDP in the ACL you pasted.

Bronze

Re: Asymmetric NAT rules matched for forward and reverse flows

One more thing: you won't see hit counts on this ACL.

For example:

nat (inside) 0 access-list nat-exempt

access-list nat-exempt permit ip host x.x.x.x host y.y.y.y (hit count=0)
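As an added example (not part of this thread and not Cisco code), the script below models the two things the thread turns on: the reverse-path check that produces the "Asymmetric NAT rules matched for forward and reverse flows" denial when the collector's reply would be dynamically translated, and the rule that a NAT-exemption ACL is matched on source and destination only, so its ACEs should use protocol ip. The config excerpts are constructed from the posts above; 10.10.2.81 is the collector from the thread, while 203.0.113.1 is a constructed stand-in for the masked router address 64.xx.xx.1. The NAT evaluation order (exemption before dynamic NAT) and the reverse-path rule are a simplified model of pre-8.3 ASA behaviour, not a reimplementation of it.

```python
"""Simplified model of pre-8.3 ASA NAT exemption and the reverse-path check.
Added example for this thread, not Cisco code; behaviour is a simplification."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed config excerpts modelled on the thread. 10.10.2.81 is the
# collector; 203.0.113.1 is a constructed stand-in for the masked router 64.xx.xx.1.
BEFORE = """
access-list OUTSIDE extended permit udp host 203.0.113.1 host 10.10.2.81 eq 2055
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
"""
# Exemption written with 'udp', as first tried in the thread.
UDP_EXEMPT = BEFORE + "access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 203.0.113.1\n"
# Exemption written with 'ip', as the accepted answer recommends.
IP_EXEMPT = BEFORE + "access-list inside_nat0_outbound extended permit ip host 10.10.2.81 host 203.0.113.1\n"


@dataclass
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)     # ACL name -> [Ace]
    nat0: dict = field(default_factory=dict)     # interface -> exemption ACL name
    dynamic: dict = field(default_factory=dict)  # interface -> [network] under dynamic NAT/PAT


def _endpoint(tokens):
    """Consume one ACE endpoint: 'host A', 'any' or 'A NETMASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Parse the access-list and nat lines this model understands."""
    cfg = AsaConfig()
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit")
            src, rest = _endpoint(t[i + 2:])
            dst, _ = _endpoint(rest)          # a trailing 'eq PORT' is ignored
            cfg.acls.setdefault(t[1], []).append(Ace(t[i + 1], src, dst))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            cfg.nat0[m.group(1)] = m.group(2)
        elif m := re.match(r"nat \((\S+)\) \d+ (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            cfg.dynamic.setdefault(m.group(1), []).append(net)
    return cfg


def lint_nat_exemption(cfg):
    """Flag nat 0 ACEs that name a protocol other than ip: exemption is
    matched on source and destination only, so only ip belongs there."""
    return [f"nat ({iface}) 0 access-list {name}: {ace.src} -> {ace.dst} uses '{ace.proto}', expected 'ip'"
            for iface, name in cfg.nat0.items()
            for ace in cfg.acls.get(name, []) if ace.proto != "ip"]


def egress_source(cfg, iface, src, dst):
    """Post-NAT source of a packet that entered `iface`: unchanged if exempt
    (checked first, on addresses only), None if dynamic NAT/PAT would rewrite
    it (the mapped pool is not modelled), otherwise unchanged."""
    for ace in cfg.acls.get(cfg.nat0.get(iface), []):
        if src in ace.src and dst in ace.dst:
            return src
    if any(src in net for net in cfg.dynamic.get(iface, [])):
        return None
    return src


def reverse_path_check(cfg, in_iface, out_iface, src, dst):
    """Forward flow src->dst enters in_iface; its reply dst->src enters out_iface.
    The connection stands only if the reply's post-NAT source is the address the
    forward flow was sent to; otherwise the ASA reports NAT reverse path failure."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return egress_source(cfg, out_iface, dst, src) == dst


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("udp exempt", UDP_EXEMPT), ("ip exempt", IP_EXEMPT)):
        cfg = parse_config(text)
        ok = reverse_path_check(cfg, "outside", "inside", "203.0.113.1", "10.10.2.81")
        print(f"{label:11s} reverse path {'ok' if ok else 'FAILURE'}; lint: {lint_nat_exemption(cfg) or 'clean'}")
```

Run as-is, the "before" config fails the reverse-path check because the collector's reply falls under nat (inside) 10 and would be translated, which is the situation in the first post; both exemption variants pass it, since the exemption match ignores protocol, but only the udp variant is flagged by the lint, which is the point of the accepted answer. Feeding the script a real show run nat plus the referenced access-lists is a quick way to review existing exemptions for the same mistake.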
