Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Asymmetric NAT rules matched

               Hi Everyone,

I am seeing logs in our internet firewall

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src dmz_visitor1:192.168.205.22/64428 dst X:10.0.0.33/161 denied due to NAT reverse path failure

where visitor is connected to our dmx with ip 192.168.205.22.

Where X is our internal interface  of ASA.

Need to understand what does above log mean?

Can i ignore them?

Regards

Mahesh

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Asymmetric NAT rules matched

Hi,

To me it seems that the host behind interface "X" 10.0.0.33 probably has some NAT configurations towards the interface "dmz_visitor1" interface from where the connection was sourced from with the source address 192.168.205.22.

So when the connection from 192.168.205.22 to 10.0.0.33 comes to the firewall on the firewall it doesnt see any matching NAT since the target IP is 10.0.0.33 but the reverse check for the IP 10.0.0.33 probably finds some NAT configuration that it matches and because of this its a Asymmetric NAT error and the ASA will drop the connection.

We would either need to see the NAT configurations or a "packet-tracer" of the above connection to say more about this.

- Jouni

Super Bronze

Re: Asymmetric NAT rules matched

Hi,

There is some NAT configuration from interface "X" to interface "DMZ"

So when the connection is coming from the behind "DMZ" to a host behind "X" the ASA first sees that there is no NAT configured for this direction (NAT configuration that would apply on this direction). Then the ASA does a check for the reverse direction from "X" to "DMZ" and notices that there is a NAT configurations that applies to that.

Let me give an example from my own ASA.

Here is the basic information

  • Interface called "LAN" and "WLAN"
  • LAN network is 10.0.0.0/24
  • WLAN network is 10.0.255.0/24

Now in my setup I have no NAT configured between this these interfaces and all is fine for connection forming in both directions.

Now, I add a Dynamic PAT configuration for all traffic from WLAN to LAN with this command

nat (WLAN,LAN) after-auto source dynamic any interface

Now we have a NAT configuration that applies to any host on the network 10.0.255.0/24 behind interface WLAN when connecting to network 10.0.0.0/24 behind interface LAN

Now when I simulate a connection coming from a the LAN towards WLAN network with "packet-tracer" we can see what I have described earlier

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.255.0      255.255.255.0   WLAN

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group LAN-IN in interface LAN

access-list LAN-IN extended permit ip any4 any4

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect http

service-policy global_policy global

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (WLAN,LAN) after-auto source dynamic any interface

Additional Information:

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WLAN

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

So as we can see from the above output

  • ASA doesnt list any NAT phase where the source address from the LAN when connecting to the WLAN.
  • When the ASA check the reverse direction from WLAN to LAN it sees that there is a NAT configuration that applies and drops the packet.

So I would presume that you have some NAT configuration that matches the source address 10.0.0.33 (or its whole network) when the target/destination address is 192.168.205.22 (or its whole network)

So go through the NAT configurations AND/OR check the "packet-tracer" for the above failed connection and you will find the NAT configuration that causes the problem

packet-tracer input dmz_visitor1 udp 192.168.205.22 12345 10.0.0.33 161

Hope this made sense

- Jouni

4 REPLIES
Super Bronze

Asymmetric NAT rules matched

Hi,

To me it seems that the host behind interface "X" 10.0.0.33 probably has some NAT configurations towards the interface "dmz_visitor1" interface from where the connection was sourced from with the source address 192.168.205.22.

So when the connection from 192.168.205.22 to 10.0.0.33 comes to the firewall on the firewall it doesnt see any matching NAT since the target IP is 10.0.0.33 but the reverse check for the IP 10.0.0.33 probably finds some NAT configuration that it matches and because of this its a Asymmetric NAT error and the ASA will drop the connection.

We would either need to see the NAT configurations or a "packet-tracer" of the above connection to say more about this.

- Jouni

New Member

Re: Asymmetric NAT rules matched

Hi Jouni,

Seems port 161 is SNMP and it uses UDP.

So when you say traffic comes from Source in DMZ 192.x.x.x and for some reason it is trying to go to 10.0.0.33 which belongs to inside interface X of ASA there is no nat from DMZ  to inside host 10.0.0.33 right?

When you say reverse check  do you mean that path from source 10.0.0.33  to DMZ  host 192.168.x.x ?

Which NAT  config i  need to check DMZ to Inside ?

Regards

Mahesh.

Super Bronze

Re: Asymmetric NAT rules matched

Hi,

There is some NAT configuration from interface "X" to interface "DMZ"

So when the connection is coming from the behind "DMZ" to a host behind "X" the ASA first sees that there is no NAT configured for this direction (NAT configuration that would apply on this direction). Then the ASA does a check for the reverse direction from "X" to "DMZ" and notices that there is a NAT configurations that applies to that.

Let me give an example from my own ASA.

Here is the basic information

  • Interface called "LAN" and "WLAN"
  • LAN network is 10.0.0.0/24
  • WLAN network is 10.0.255.0/24

Now in my setup I have no NAT configured between this these interfaces and all is fine for connection forming in both directions.

Now, I add a Dynamic PAT configuration for all traffic from WLAN to LAN with this command

nat (WLAN,LAN) after-auto source dynamic any interface

Now we have a NAT configuration that applies to any host on the network 10.0.255.0/24 behind interface WLAN when connecting to network 10.0.0.0/24 behind interface LAN

Now when I simulate a connection coming from a the LAN towards WLAN network with "packet-tracer" we can see what I have described earlier

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.0.255.0      255.255.255.0   WLAN

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group LAN-IN in interface LAN

access-list LAN-IN extended permit ip any4 any4

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect http

service-policy global_policy global

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (WLAN,LAN) after-auto source dynamic any interface

Additional Information:

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WLAN

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

So as we can see from the above output

  • ASA doesnt list any NAT phase where the source address from the LAN when connecting to the WLAN.
  • When the ASA check the reverse direction from WLAN to LAN it sees that there is a NAT configuration that applies and drops the packet.

So I would presume that you have some NAT configuration that matches the source address 10.0.0.33 (or its whole network) when the target/destination address is 192.168.205.22 (or its whole network)

So go through the NAT configurations AND/OR check the "packet-tracer" for the above failed connection and you will find the NAT configuration that causes the problem

packet-tracer input dmz_visitor1 udp 192.168.205.22 12345 10.0.0.33 161

Hope this made sense

- Jouni

New Member

Asymmetric NAT rules matched

Many thanks Jouni for detailed explanation

Best regards

MAhesh

257
Views
0
Helpful
4
Replies
CreatePlease to create content