09-23-2013 02:08 PM - edited 03-11-2019 07:42 PM
Hi Everyone,
I am seeing logs in our internet firewall
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src dmz_visitor1:192.168.205.22/64428 dst X:10.0.0.33/161 denied due to NAT reverse path failure
where visitor is connected to our dmx with ip 192.168.205.22.
Where X is our internal interface of ASA.
Need to understand what does above log mean?
Can i ignore them?
Regards
Mahesh
Solved! Go to Solution.
09-24-2013 12:30 AM
Hi,
To me it seems that the host behind interface "X" 10.0.0.33 probably has some NAT configurations towards the interface "dmz_visitor1" interface from where the connection was sourced from with the source address 192.168.205.22.
So when the connection from 192.168.205.22 to 10.0.0.33 comes to the firewall on the firewall it doesnt see any matching NAT since the target IP is 10.0.0.33 but the reverse check for the IP 10.0.0.33 probably finds some NAT configuration that it matches and because of this its a Asymmetric NAT error and the ASA will drop the connection.
We would either need to see the NAT configurations or a "packet-tracer" of the above connection to say more about this.
- Jouni
09-25-2013 01:05 PM
Hi,
There is some NAT configuration from interface "X" to interface "DMZ"
So when the connection is coming from the behind "DMZ" to a host behind "X" the ASA first sees that there is no NAT configured for this direction (NAT configuration that would apply on this direction). Then the ASA does a check for the reverse direction from "X" to "DMZ" and notices that there is a NAT configurations that applies to that.
Let me give an example from my own ASA.
Here is the basic information
Now in my setup I have no NAT configured between this these interfaces and all is fine for connection forming in both directions.
Now, I add a Dynamic PAT configuration for all traffic from WLAN to LAN with this command
nat (WLAN,LAN) after-auto source dynamic any interface
Now we have a NAT configuration that applies to any host on the network 10.0.255.0/24 behind interface WLAN when connecting to network 10.0.0.0/24 behind interface LAN
Now when I simulate a connection coming from a the LAN towards WLAN network with "packet-tracer" we can see what I have described earlier
ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.255.0 255.255.255.0 WLAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN-IN in interface LAN
access-list LAN-IN extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (WLAN,LAN) after-auto source dynamic any interface
Additional Information:
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WLAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So as we can see from the above output
So I would presume that you have some NAT configuration that matches the source address 10.0.0.33 (or its whole network) when the target/destination address is 192.168.205.22 (or its whole network)
So go through the NAT configurations AND/OR check the "packet-tracer" for the above failed connection and you will find the NAT configuration that causes the problem
packet-tracer input dmz_visitor1 udp 192.168.205.22 12345 10.0.0.33 161
Hope this made sense
- Jouni
09-24-2013 12:30 AM
Hi,
To me it seems that the host behind interface "X" 10.0.0.33 probably has some NAT configurations towards the interface "dmz_visitor1" interface from where the connection was sourced from with the source address 192.168.205.22.
So when the connection from 192.168.205.22 to 10.0.0.33 comes to the firewall on the firewall it doesnt see any matching NAT since the target IP is 10.0.0.33 but the reverse check for the IP 10.0.0.33 probably finds some NAT configuration that it matches and because of this its a Asymmetric NAT error and the ASA will drop the connection.
We would either need to see the NAT configurations or a "packet-tracer" of the above connection to say more about this.
- Jouni
09-25-2013 12:52 PM
Hi Jouni,
Seems port 161 is SNMP and it uses UDP.
So when you say traffic comes from Source in DMZ 192.x.x.x and for some reason it is trying to go to 10.0.0.33 which belongs to inside interface X of ASA there is no nat from DMZ to inside host 10.0.0.33 right?
When you say reverse check do you mean that path from source 10.0.0.33 to DMZ host 192.168.x.x ?
Which NAT config i need to check DMZ to Inside ?
Regards
Mahesh.
09-25-2013 01:05 PM
Hi,
There is some NAT configuration from interface "X" to interface "DMZ"
So when the connection is coming from the behind "DMZ" to a host behind "X" the ASA first sees that there is no NAT configured for this direction (NAT configuration that would apply on this direction). Then the ASA does a check for the reverse direction from "X" to "DMZ" and notices that there is a NAT configurations that applies to that.
Let me give an example from my own ASA.
Here is the basic information
Now in my setup I have no NAT configured between this these interfaces and all is fine for connection forming in both directions.
Now, I add a Dynamic PAT configuration for all traffic from WLAN to LAN with this command
nat (WLAN,LAN) after-auto source dynamic any interface
Now we have a NAT configuration that applies to any host on the network 10.0.255.0/24 behind interface WLAN when connecting to network 10.0.0.0/24 behind interface LAN
Now when I simulate a connection coming from a the LAN towards WLAN network with "packet-tracer" we can see what I have described earlier
ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.255.0 255.255.255.0 WLAN
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN-IN in interface LAN
access-list LAN-IN extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (WLAN,LAN) after-auto source dynamic any interface
Additional Information:
Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WLAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So as we can see from the above output
So I would presume that you have some NAT configuration that matches the source address 10.0.0.33 (or its whole network) when the target/destination address is 192.168.205.22 (or its whole network)
So go through the NAT configurations AND/OR check the "packet-tracer" for the above failed connection and you will find the NAT configuration that causes the problem
packet-tracer input dmz_visitor1 udp 192.168.205.22 12345 10.0.0.33 161
Hope this made sense
- Jouni
09-25-2013 01:33 PM
Many thanks Jouni for detailed explanation
Best regards
MAhesh
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: