Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Asymmetric NAT rules matched for forward and reverse

Hi Everyone,

I am seeing log messages in ASA

50443Feb 01 2014 23:16:58: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src X 10.31.x.x /28122 dst Y:172.16.0..0/514 denied due to NAT reverse path failure

   

Do i need to use no nat for traffic between interfaces X  and Y.

Current NAT is

sh run nat

nat (Y) 0 0.0.0.0 0.0.0.0

sh run static

static (Y,Z) 172.24.30.16 172.24.30.16 netmask 255.255.255.255

static Y,Z) 172.24.30.16 172.24.30.16  netmask 255.255.255.255

Regards

MAhesh

3 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Asymmetric NAT rules matched for forward and reverse

Hi Mahesh,

I think you need to clarify the situation as I am not sure what the situation is as you have edited the output yourself.

You mention the connection is coming from behind X.

You mention NAT configuration that has nothing to do with interface X. I guess it might be that you have no configurations for that interface then.

You would probably either need NAT0 configuration for the network behind interface X to be able to connect to destination networks behind Y

Or you might have to configure Static Identity NAT for the destination network

But I would really need to know the exact source and destination networks/hosts to know what kind of NAT configuration you need.

In general your error message tells us that the traffic matches different NAT rules depending on the direction of the traffic. Or traffic might not match any NAT rule in the initial direction and then match something in the reverse direction.

- Jouni

Super Bronze

Asymmetric NAT rules matched for forward and reverse

Hi,

Can you post the output of the following "packet-tracer" command

packet-tracer input X udp 12345 514

Use for example the IP addresses in the log message that you originally posted.

Would they have been the following you mention above?

packet-tracer input X udp 10.31.102.17 12345 172.16.0.21 514

- Jouni

Super Bronze

Asymmetric NAT rules matched for forward and reverse

Hi,

I wonder if the command given was correct as I would imagine the first log message doesnt refer to this situation.

Typically you would see this situation on a Multiple Context setup of ASA when you have an interface that is attached to more than 1 Security Context. This means its a shared interface.

You would probably also have this configuration on the System Context

no mac-address auto

Which means that each context that has this shared interface has an identical MAC address.

Therefore the ASA Security Context to which this connection should go to would have to have a NAT configuration for the destination IP address of the connection so it could classify the packet to the right Security Context.

But as I said I am not sure if the first log message relates to the output.

Could you share

  • The exact "packet-tracer" command used
  • The full output from that command
  • The output of "show route" from the Security Context through which this connection should go through

- Jouni

6 REPLIES
Super Bronze

Asymmetric NAT rules matched for forward and reverse

Hi Mahesh,

I think you need to clarify the situation as I am not sure what the situation is as you have edited the output yourself.

You mention the connection is coming from behind X.

You mention NAT configuration that has nothing to do with interface X. I guess it might be that you have no configurations for that interface then.

You would probably either need NAT0 configuration for the network behind interface X to be able to connect to destination networks behind Y

Or you might have to configure Static Identity NAT for the destination network

But I would really need to know the exact source and destination networks/hosts to know what kind of NAT configuration you need.

In general your error message tells us that the traffic matches different NAT rules depending on the direction of the traffic. Or traffic might not match any NAT rule in the initial direction and then match something in the reverse direction.

- Jouni

New Member

Asymmetric NAT rules matched for forward and reverse

Hi Jouni,

Yes source is interface X

DEstination is interface Y.

Earlier i posted the current config from the ASA which involves NAT.

X IP 10.31.102.17/28

Y 172.16.0.21

It is good if i use no nat.

Regards

MAhesh

Super Bronze

Asymmetric NAT rules matched for forward and reverse

Hi,

Can you post the output of the following "packet-tracer" command

packet-tracer input X udp 12345 514

Use for example the IP addresses in the log message that you originally posted.

Would they have been the following you mention above?

packet-tracer input X udp 10.31.102.17 12345 172.16.0.21 514

- Jouni

New Member

Asymmetric NAT rules matched for forward and reverse

Hi Jouni,

I tried above command

Result:

input-interface: External

input-status: up

input-line-status: up

Action: drop

Drop-reason: (ifc-classify) Virtual firewall classification failed

This ASA is in Active/Active multicontext mode.

Regards

MAhesh

Super Bronze

Asymmetric NAT rules matched for forward and reverse

Hi,

I wonder if the command given was correct as I would imagine the first log message doesnt refer to this situation.

Typically you would see this situation on a Multiple Context setup of ASA when you have an interface that is attached to more than 1 Security Context. This means its a shared interface.

You would probably also have this configuration on the System Context

no mac-address auto

Which means that each context that has this shared interface has an identical MAC address.

Therefore the ASA Security Context to which this connection should go to would have to have a NAT configuration for the destination IP address of the connection so it could classify the packet to the right Security Context.

But as I said I am not sure if the first log message relates to the output.

Could you share

  • The exact "packet-tracer" command used
  • The full output from that command
  • The output of "show route" from the Security Context through which this connection should go through

- Jouni

New Member

Asymmetric NAT rules matched for forward and reverse

Hi Jouni,

We added nat exemption ACL now all is good.

Best regards

Mahesh

225
Views
0
Helpful
6
Replies
CreatePlease login to create content