Solved: Asymmetric NAT rules matched

mahesh18 · ‎09-23-2013

Hi Everyone,

I am seeing logs in our internet firewall

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src dmz_visitor1:192.168.205.22/64428 dst X:10.0.0.33/161 denied due to NAT reverse path failure

where visitor is connected to our dmx with ip 192.168.205.22.

Where X is our internal interface of ASA.

Need to understand what does above log mean?

Can i ignore them?

Regards

Mahesh

Jouni Forss · ‎09-24-2013

Hi,

To me it seems that the host behind interface "X" 10.0.0.33 probably has some NAT configurations towards the interface "dmz_visitor1" interface from where the connection was sourced from with the source address 192.168.205.22.

So when the connection from 192.168.205.22 to 10.0.0.33 comes to the firewall on the firewall it doesnt see any matching NAT since the target IP is 10.0.0.33 but the reverse check for the IP 10.0.0.33 probably finds some NAT configuration that it matches and because of this its a Asymmetric NAT error and the ASA will drop the connection.

We would either need to see the NAT configurations or a "packet-tracer" of the above connection to say more about this.

- Jouni

View solution in original post

Jouni Forss · ‎09-25-2013

Hi,

There is some NAT configuration from interface "X" to interface "DMZ"

So when the connection is coming from the behind "DMZ" to a host behind "X" the ASA first sees that there is no NAT configured for this direction (NAT configuration that would apply on this direction). Then the ASA does a check for the reverse direction from "X" to "DMZ" and notices that there is a NAT configurations that applies to that.

Let me give an example from my own ASA.

Here is the basic information

Interface called "LAN" and "WLAN"
LAN network is 10.0.0.0/24
WLAN network is 10.0.255.0/24

Now in my setup I have no NAT configured between this these interfaces and all is fine for connection forming in both directions.

Now, I add a Dynamic PAT configuration for all traffic from WLAN to LAN with this command

nat (WLAN,LAN) after-auto source dynamic any interface

Now we have a NAT configuration that applies to any host on the network 10.0.255.0/24 behind interface WLAN when connecting to network 10.0.0.0/24 behind interface LAN

Now when I simulate a connection coming from a the LAN towards WLAN network with "packet-tracer" we can see what I have described earlier

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.255.0 255.255.255.0 WLAN

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group LAN-IN in interface LAN

access-list LAN-IN extended permit ip any4 any4

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect http

service-policy global_policy global

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (WLAN,LAN) after-auto source dynamic any interface

Additional Information:

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WLAN

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

So as we can see from the above output

ASA doesnt list any NAT phase where the source address from the LAN when connecting to the WLAN.
When the ASA check the reverse direction from WLAN to LAN it sees that there is a NAT configuration that applies and drops the packet.

So I would presume that you have some NAT configuration that matches the source address 10.0.0.33 (or its whole network) when the target/destination address is 192.168.205.22 (or its whole network)

So go through the NAT configurations AND/OR check the "packet-tracer" for the above failed connection and you will find the NAT configuration that causes the problem

packet-tracer input dmz_visitor1 udp 192.168.205.22 12345 10.0.0.33 161

Hope this made sense

- Jouni

View solution in original post

Jouni Forss · ‎09-24-2013

Hi,

To me it seems that the host behind interface "X" 10.0.0.33 probably has some NAT configurations towards the interface "dmz_visitor1" interface from where the connection was sourced from with the source address 192.168.205.22.

So when the connection from 192.168.205.22 to 10.0.0.33 comes to the firewall on the firewall it doesnt see any matching NAT since the target IP is 10.0.0.33 but the reverse check for the IP 10.0.0.33 probably finds some NAT configuration that it matches and because of this its a Asymmetric NAT error and the ASA will drop the connection.

We would either need to see the NAT configurations or a "packet-tracer" of the above connection to say more about this.

- Jouni

mahesh18 · ‎09-25-2013

Hi Jouni,

Seems port 161 is SNMP and it uses UDP.

So when you say traffic comes from Source in DMZ 192.x.x.x and for some reason it is trying to go to 10.0.0.33 which belongs to inside interface X of ASA there is no nat from DMZ to inside host 10.0.0.33 right?

When you say reverse check do you mean that path from source 10.0.0.33 to DMZ host 192.168.x.x ?

Which NAT config i need to check DMZ to Inside ?

Regards

Mahesh.

Jouni Forss · ‎09-25-2013

Hi,

There is some NAT configuration from interface "X" to interface "DMZ"

So when the connection is coming from the behind "DMZ" to a host behind "X" the ASA first sees that there is no NAT configured for this direction (NAT configuration that would apply on this direction). Then the ASA does a check for the reverse direction from "X" to "DMZ" and notices that there is a NAT configurations that applies to that.

Let me give an example from my own ASA.

Here is the basic information

Interface called "LAN" and "WLAN"
LAN network is 10.0.0.0/24
WLAN network is 10.0.255.0/24

Now in my setup I have no NAT configured between this these interfaces and all is fine for connection forming in both directions.

Now, I add a Dynamic PAT configuration for all traffic from WLAN to LAN with this command

nat (WLAN,LAN) after-auto source dynamic any interface

Now we have a NAT configuration that applies to any host on the network 10.0.255.0/24 behind interface WLAN when connecting to network 10.0.0.0/24 behind interface LAN

Now when I simulate a connection coming from a the LAN towards WLAN network with "packet-tracer" we can see what I have described earlier

ASA(config)# packet-tracer input LAN tcp 10.0.0.100 12345 10.0.255.100 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 10.0.255.0 255.255.255.0 WLAN

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group LAN-IN in interface LAN

access-list LAN-IN extended permit ip any4 any4

Additional Information:

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect http

service-policy global_policy global

Additional Information:

Phase: 6

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (WLAN,LAN) after-auto source dynamic any interface

Additional Information:

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WLAN

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

So as we can see from the above output

ASA doesnt list any NAT phase where the source address from the LAN when connecting to the WLAN.
When the ASA check the reverse direction from WLAN to LAN it sees that there is a NAT configuration that applies and drops the packet.

So I would presume that you have some NAT configuration that matches the source address 10.0.0.33 (or its whole network) when the target/destination address is 192.168.205.22 (or its whole network)

So go through the NAT configurations AND/OR check the "packet-tracer" for the above failed connection and you will find the NAT configuration that causes the problem

packet-tracer input dmz_visitor1 udp 192.168.205.22 12345 10.0.0.33 161

Hope this made sense

- Jouni

mahesh18 · ‎09-25-2013

Many thanks Jouni for detailed explanation

Best regards

MAhesh