Asymmetric NAT rules

mahesh18
Level 6

Hi Everyone,

I am trying to connect a PC to a server on port 4001, say. Here are the logs from the firewall:

 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src RX 172.24.150.15/1937 dst GY:172.31.50.1/4001 denied due to NAT reverse path failure.

I ran packet tracer on the ASA; it shows that the packet is dropped due to NAT.

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (GY) 0 0.0.0.0 0.0.0.0
  match ip GY any RX any
    identity NAT translation, pool 0
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Result:
input-interface: RX
input-status: up
input-line-status: up
output-interface: GY
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Need to know how I can fix this?

Regards

Mahesh


Marvin Rhoads
Hall of Fame

Mahesh,

Give us some configuration bits please. 

Preferably the config file, but "show run nat", "show route" and "show ip address" at least.

Hi Marvin,

Thanks for the reply.

Here is the info:

sh run nat

nat (GY) 0 access-list GY_nat0_outbound
nat (GY) 0 0.0.0.0 0.0.0.0

sh ip shows:

 Gi0/2                 GY               172.31.100.11   255.255.255.0   CONFIG

GigabitEthernet0/3    RX          172.24.254.78   255.255.255.240 manual

sh route shows:

172.16.0.0 255.240.0.0 [1/0] via 172.31.100.254, GY

Let me know if you need any other info.

Regards

Mahesh

That NAT listing doesn't seem to make sense.

You have two "NAT 0" exemptions and no other NAT rules. In that scenario why have NAT configured at all?

Hi Marvin,

Under the current setup, with the present NAT config, is there any way I can fix the NAT issue?

Regards

Mahesh

As I understand it, your PC is sending from 172.24.150.15 and coming to the ASA via interface "RX".

According to the route and interface statements you provided, that subnet would be expected to be somewhere in the networks connected upstream of interface GY (due to "172.16.0.0 255.240.0.0" having been set as a static route out that interface).

So the RPF (Reverse Path Forwarding) would expect to not route the return packets back out the same interface they arrived on and thus they would fail RPF check as your log message is showing.

At a minimum, you should add a route so that the ASA knows to send return traffic to the subnet where your PC is sitting back out interface RX. If you do that, the flow should be recognized as valid return traffic, be part of an un-NATted connection (per your NAT 0 commands), and be allowed to pass.
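Marvin's explanation, modelled as a small Python check (added here as an example; it is not the forum's or Cisco's code): it parses the 305013 message quoted in the question, does a longest-prefix route lookup for the source address, and reports whether the return path exits the ingress interface RX. The routes are the ones posted in the thread; the next hop 172.24.254.65 for the added route is an assumed L3-switch address in the RX /28.

```python
# Added illustration (not Cisco code) of the ASA rpf-check described above:
# parse the %ASA-5-305013 message, look up the source address with
# longest-prefix match, and see whether the return path exits the ingress
# interface. Routes are those quoted in the thread; the RX next hop
# 172.24.254.65 is an assumed L3-switch address.
import ipaddress
import re

LOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse "
       "flows; Connection for tcp src RX 172.24.150.15/1937 dst "
       "GY:172.31.50.1/4001 denied due to NAT reverse path failure.")

# Accept "RX:1.2.3.4/port" (normal ASA form) and "RX 1.2.3.4/port" (as quoted).
LOG_RE = re.compile(r"src (\w+)[: ]([\d.]+)/\d+ dst (\w+)[: ]([\d.]+)/\d+")

def parse_305013(line):
    """Return (in_iface, src_ip, out_iface, dst_ip) from a 305013 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 305013 message")
    return m.groups()

def lookup(route_table, ip):
    """Longest-prefix match over (prefix, iface, next_hop) tuples."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best

def rpf_check(route_table, line):
    """True when the route back to the source exits the ingress interface."""
    in_iface, src_ip, _, _ = parse_305013(line)
    route = lookup(route_table, src_ip)
    return route is not None and route[1] == in_iface

# Routes as posted: the /12 summary out GY plus the connected RX /28.
ORIGINAL_ROUTES = [
    ("172.16.0.0/12", "GY", "172.31.100.254"),
    ("172.24.254.64/28", "RX", None),  # directly connected
]
# Marvin's fix: a more specific route for the PC subnet via the RX gateway.
FIXED_ROUTES = ORIGINAL_ROUTES + [("172.24.150.0/24", "RX", "172.24.254.65")]

if __name__ == "__main__":
    for name, table in (("as posted", ORIGINAL_ROUTES), ("with route", FIXED_ROUTES)):
        print(name, "ALLOW" if rpf_check(table, LOG) else "DROP (rpf-check)")
```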

Hi Marvin,

Yes, the PC is connected to interface RX of the ASA.

So the source interface is RX, i.e. the packet comes to the ASA on interface RX.

The outgoing interface is GY as per the current config.

So per the current config, outgoing interface GY covers the source subnet also.

To fix this, should I add the route below on the ASA?

route RX 172.24.150.0 255.255.255.0  172.24.254.78

where 172.24.254.78 is interface RX IP address.

Regards

Mahesh

Mahesh,

Almost - make the next hop the gateway (L3 switch or router) address in the 172.24.254.64/28 network (includes addresses 172.24.254.64 - 172.24.254.79) that interface RX is connected to.

Hi Marvin,

I checked the routing and found that the firewall already has a static route to the source PC IP via interface RX. Also, the next hop is the Layer 3 switch.

So as per the current config, does this seem to be a routing issue or NAT?

Regards

Mahesh

It's hard to say at this point.

Since you're telling me there's a route that you didn't mention earlier I wonder what else is going on that we haven't seen in this thread yet.

Is it possible to share the whole configuration (sanitized of course)?

Hi Marvin,

Seems to be an issue with NATting.

When I put the NAT config below

static (RX,GY) 0.0.0.0 0.0.0.0

and ran the packet tracer, it showed that traffic is passing via the firewall now.

1> Does the above static NAT mean that any source IP coming from int RX and going to interface GY, and vice versa, does not get any NAT translation???

Below is the result of packet tracer:

Config
static (RX,GY) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
match ip RX any GY any
static translation to 0.0.0.0
translate_hits = 2, untranslate_hits = 6105

Info
Static translate 0.0.0.0/0 to 0.0.0.0/0 using netmask 0.0.0.0

Config
static (RX,GY) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
match ip RX any GY any
static translation to 0.0.0.0
translate_hits = 2, untranslate_hits = 6105

Type -     NAT
    Subtype -     rpf-check
    Action -     ALLOW

Config
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any RX any
identity NAT translation, pool 0
translate_hits = 5583, untranslate_hits = 1

Type -     NAT
    Subtype -     host-limits
    Action -     ALLOW

Config
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any GY any
identity NAT translation, pool 0
translate_hits = 0, untranslate_hits =

But the above NAT config caused other issues in the network, where we were unable to reach some servers connected to interface GY.

2> Need to understand how packet tracer shows 3 different NAT configs in its result?

Regards

Mahesh
