08-01-2014 02:13 PM - edited 03-11-2019 09:34 PM
Hi Everyone,
I an trying to connect PC to server on port say 4001 here are logs from firewall
: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src RX 172.24.150.15/1937 dst GY:172.31.50.1/4001 denied due to NAT reverse path failure.
I did packet tracer on ASA it shows that packet is dropped due to NAT.
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any RX any
identity NAT translation, pool 0
translate_hits = 0, untranslate_hits = 0
Additional Information:
Result:
input-interface: RX
input-status: up
input-line-status: up
output-interface: GY
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Need to know how can i fix this?
Regards
MAhesh
08-01-2014 08:11 PM
Mahesh,
Give us some configuration bits please.
Preferably the config file but "show run nat", " show route" and "show ip address" at least.
08-01-2014 09:13 PM
Hi Marvin,
Thanks for reply.
Here is info
sh run nat
nat (GY) 0 access-list GY_nat0_outbound
nat (GY) 0 0.0.0.0 0.0.0.0
sh ip shows
Gi0/2 GY 172.31.100.11 255.255.255.0 CONFIG
GigabitEthernet0/3 RX 172.24.254.78 255.255.255.240 manual
sh route shows
172.16.0.0 255.240.0.0 [1/0] via 172.31.100.254, GY
Let me know if you need any other info?
Regards
MAhesh
08-02-2014 06:52 AM
That NAT listing doesn't seem to make sense.
You have two "NAT 0" exemptions and no other NAT rules. In that scenario why have NAT configured at all?
08-02-2014 07:54 AM
Hi Marvin,
Under correct setup with present NAT config is there any way i can fix the NAT issue ?
Regards
Mahesh
08-02-2014 11:26 AM
As I understand it, your PC is sending from 172.24.150.15 and coming to the ASA via interface "RX".
According to the route and interface statements you provided, that subnet would be expected to be somewhere in the networks connected upstream of interface GY (due to "172.16.0.0 255.240.0.0" having been set as a static route out that interface).
So the RPF (Reverse Path Forwarding) would expect to not route the return packets back out the same interface they arrived on and thus they would fail RPF check as your log message is showing.
At a minimum, you should ad a route so that the ASA knows to send return traffic to the subnet where your PC is sitting back out interface RX. If you do that, the flow should be recognized as valid return traffic, be part of an un-NATted connection (per your NAT 0 commands), and be allowed to pass.
08-03-2014 10:19 AM
Hi Marvin,
Yes PC is connected to interface RX of ASA.
So source interface --or packet comes to ASA on interface RX.
Outgoing interface is GY as per current config.
So per current config Outgoing interface GY covers the source subnet also.
To fix this should i add below route on ASA
route RX 172.24.150.0 255.255.255.0 172.24.254.78
where 172.24.254.78 is interface RX IP address.
Regards
Mahesh
08-03-2014 10:55 AM
Mahesh,
Almost - make the next hop the gateway (L3 switch or router) address in the 172.24.254.64/28 network (includes addresses 172.24.254.64 - 172.24.254.79) that interface RX is connected to.
08-04-2014 06:56 AM
Hi Marvin,
I checked the routing and found that Firewall already has static route to
source PC IP via interface RX.Also Next hop is Layer 3 switch.
So as per current config this seems to be routing issue or NAT?
Regards
MAhesh
08-04-2014 09:11 AM
It's hard to say at this point.
Since you're telling me there's a route that you didn't mention earlier I wonder what else is going on that we haven't seen in this thread yet.
Is it possible to share the whole configuration (sanitized of course)?
08-10-2014 08:15 AM
Hi MArvin,
Seems to be issue with Natting.
When i put below NAT config
static (RX,GY) 0.0.0.0 0.0.0.0 and ran the packet tracer it showed that traffic
is passing via firewall now.
1>Does above static NAT means any source IP coming from int RX and going
to interface GY and vice versa do not no any NAT translations ???
Below is result of packet tracer
Config
static (RX,GY) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
match ip RX any GY any
static translation to 0.0.0.0
translate_hits = 2, untranslate_hits = 6105
Info
Static translate 0.0.0.0/0 to 0.0.0.0/0 using netmask 0.0.0.0
config
static (RX,GY) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
match ip RX any GY any
static translation to 0.0.0.0
translate_hits = 2, untranslate_hits = 6105
Type - NAT
Subtype - rpf-check
Action - ALLOW
Show rule in NAT Rules table.
Config
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any RX any
identity NAT translation, pool 0
translate_hits = 5583, untranslate_hits = 1
Type - NAT
Subtype - host-limits
Action - ALLOW
Show rule in NAT Rules table.
Config
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any GY any
identity NAT translation, pool 0
translate_hits = 0, untranslate_hits =
But above NAT config caused other issues in network where we were unable
to reach some servers connected to interface GY.
2>Need to understand how packet tracer shows 3 different NAT configs in its
result?
Regards
MAhesh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide