Asymmetric NAT rules matched for forward and reverse

mahesh18
Level 6

Hi Everyone,

I am seeing log messages in the ASA:

50443Feb 01 2014 23:16:58: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src X 10.31.x.x /28122 dst Y:172.16.0..0/514 denied due to NAT reverse path failure

Do I need to use no nat for traffic between interfaces X and Y?

Current NAT is:

sh run nat

nat (Y) 0 0.0.0.0 0.0.0.0

sh run static

static (Y,Z) 172.24.30.16 172.24.30.16 netmask 255.255.255.255

static (Y,Z) 172.24.30.16 172.24.30.16 netmask 255.255.255.255

Regards

Mahesh
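As an added example (not code from the thread), a small Python parser for the %ASA-5-305013 message quoted above: it tallies reverse-path drops per interface pair and lists the affected flows, which is what you need in hand before writing a NAT0 or identity NAT rule. The log lines in SAMPLE are constructed for illustration.

```python
import re
from collections import Counter

# Field layout of %ASA-5-305013; the syslog prefix (sequence number, timestamp,
# hostname) varies by logging setup, so the pattern is searched, not anchored.
ASA_305013 = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>\S+?):(?P<src_ip>[0-9.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\S+?):(?P<dst_ip>[0-9.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)

def parse_305013(line):
    """Return the connection fields of one ASA-5-305013 line, or None for any other line."""
    m = ASA_305013.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def drops_by_interface_pair(lines):
    """Count drops per (src_if, dst_if); each pair listed is one that lacks a matching NAT rule in both directions."""
    counts = Counter()
    for rec in map(parse_305013, lines):
        if rec is not None:
            counts[(rec["src_if"], rec["dst_if"])] += 1
    return counts

def flows(lines):
    """Unique (proto, src_ip, dst_ip, dst_port) tuples behind the drops, i.e. the entries an exemption ACL must cover."""
    seen = set()
    for rec in map(parse_305013, lines):
        if rec is not None:
            seen.add((rec["proto"], rec["src_ip"], rec["dst_ip"], rec["dst_port"]))
    return sorted(seen)

# Constructed sample lines: two drops X->Y, one X->Z, and a non-305013 line that must be ignored.
SAMPLE = [
    "Feb 01 2014 23:16:58: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src X:10.31.102.17/28122 dst Y:172.16.0.21/514 denied due to NAT reverse path failure",
    "Feb 01 2014 23:17:02: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src X:10.31.102.17/28123 dst Y:172.16.0.21/514 denied due to NAT reverse path failure",
    "Feb 01 2014 23:17:05: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src X:10.31.102.20/51000 dst Z:172.24.30.16/443 denied due to NAT reverse path failure",
    "Feb 01 2014 23:17:09: %ASA-6-302015: Built outbound UDP connection 1234 for Y:172.16.0.21/514 (172.16.0.21/514) to X:10.31.102.17/28124 (10.31.102.17/28124)",
]

if __name__ == "__main__":
    for (src_if, dst_if), n in drops_by_interface_pair(SAMPLE).most_common():
        print(f"{src_if} -> {dst_if}: {n} reverse-path drops")
    for proto, src, dst, port in flows(SAMPLE):
        print(f"  {proto} {src} -> {dst}/{port}")
```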


6 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

I think you need to clarify the situation, as I am not sure what the situation is since you have edited the output yourself.

You mention the connection is coming from behind X.

You mention NAT configuration that has nothing to do with interface X. I guess it might be that you have no configurations for that interface then.

You would probably either need a NAT0 configuration for the network behind interface X to be able to connect to destination networks behind Y,

or you might have to configure Static Identity NAT for the destination network.

But I would really need to know the exact source and destination networks/hosts to know what kind of NAT configuration you need.

In general your error message tells us that the traffic matches different NAT rules depending on the direction of the traffic. Or traffic might not match any NAT rule in the initial direction and then match something in the reverse direction.

- Jouni

Hi Jouni,

Yes, the source is interface X.

The destination is interface Y.

Earlier I posted the current config from the ASA which involves NAT.

X IP 10.31.102.17/28

Y 172.16.0.21

It is good if I use no nat.

Regards

Mahesh

Hi,

Can you post the output of the following "packet-tracer" command:

packet-tracer input X udp 12345 514

Use for example the IP addresses in the log message that you originally posted.

Would they have been the following you mention above?

packet-tracer input X udp 10.31.102.17 12345 172.16.0.21 514

- Jouni

Hi Jouni,

I tried the above command.

Result:

input-interface: External

input-status: up

input-line-status: up

Action: drop

Drop-reason: (ifc-classify) Virtual firewall classification failed

This ASA is in Active/Active multicontext mode.

Regards

Mahesh

Hi,

I wonder if the command given was correct, as I would imagine the first log message doesn't refer to this situation.

Typically you would see this situation on a Multiple Context setup of ASA when you have an interface that is attached to more than 1 Security Context. This means it's a shared interface.

You would probably also have this configuration on the System Context:

no mac-address auto

Which means that each context that has this shared interface has an identical MAC address.

Therefore the ASA Security Context to which this connection should go would have to have a NAT configuration for the destination IP address of the connection so it could classify the packet to the right Security Context.

But as I said I am not sure if the first log message relates to the output.

Could you share:

  • The exact "packet-tracer" command used
  • The full output from that command
  • The output of "show route" from the Security Context through which this connection should go

- Jouni

Hi Jouni,

We added a NAT exemption ACL; now all is good.

Best regards

Mahesh
