11-04-2009 01:02 PM - edited 03-11-2019 09:36 AM
Hi All.
I have this problem. I manage a remote datacenter network from an ASA outside interface.
The same host must be accessed from outside by customers by its natted IP address (200.x.x.1) and, at same time, by staff by its real ip (10.x.x.1) "AND" by its natted address. Until now no problem, I thought. I created a static nat and a nat exemption this way (10.x.50.0/24 is the staff network):
access-list NO-NAT extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0
nat (dmz) 0 access-list NO-NAT tcp 0 0 udp 0
static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255
But this way the machine can be accessed by its natted IP address by anyone, including staff. But it cannot be accessed by its real ip address. ASA 8.2 gives the following error message:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src xxxx/kk dest yyyy/jj denied due to NAT reverse path failure.
Is there any way to access a host using BOTH natted AND real IP address? Routers don't seem to bother with this.
Paulo Roque
11-04-2009 05:42 PM
You can have a look at this document which describes NAT order of operations.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
11-04-2009 05:52 PM
Is there any way to access a host using BOTH natted AND real IP address
If there is I am also curious if this is possible.
11-06-2009 01:06 PM
One possible solution is for the host to have 2 IP addresses. One is NATed to and the other is the 'real' IP.
Another solution might be to utilize an access-list with a static NAT. I'm not sure that this would work in your case though.
access-list NAT-acl extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0
static (dmz,outside) 10.x.x.1 access-list NAT-acl
static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255
Like I said, that may not work though.
11-07-2009 06:29 AM
cmcbrife,
I tried it like you said, but it did not work. The problem is that when I ping the address 200.x.x.1, in the inbound direction the echo-request packet gets translated by the second rule, but the echo-reply in the opposite direction is translated by the first rule. Again asymmetric NAT.
Thx
Paulo Roque
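The behaviour reported in the 11-07-2009 follow-up (echo-request translated by the second static, echo-reply by the first) can be reproduced with a small model of how a pre-8.3 ASA selects a NAT rule for the forward flow and then re-checks the reverse flow. This is an added Python example, not Cisco's code and not the posters' configuration; the addresses (real host 10.0.2.1, mapped 203.0.113.1, staff network 10.0.50.0/24, outside client 198.51.100.9) are constructed from the RFC 1918/5737 ranges, and "first matching rule in configuration order" is a simplifying assumption about rule selection, not a statement of the exact ASA algorithm.

```python
"""
Simplified model of pre-8.3 ASA NAT rule matching, used to show why a
forward flow and its reverse flow can hit different rules ("asymmetric NAT").
Added illustration, not Cisco code. Assumptions: rules are searched in
configuration order and the first match wins; a connection is dropped when
the reverse flow would be translated by a different rule than the forward
flow (the condition behind %ASA-5-305013).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One (dmz,outside) translation: real address <-> mapped address.

    policy, when set, restricts the rule to traffic between the real host
    and that network (the access-list on a policy static)."""
    name: str
    real: IPv4Address
    mapped: IPv4Address
    policy: Optional[IPv4Network] = None

    def covers_peer(self, peer: IPv4Address) -> bool:
        return self.policy is None or peer in self.policy


def outbound_rule(rules: List[NatRule], real_src: IPv4Address,
                  dst: IPv4Address) -> Optional[NatRule]:
    """Rule that translates the source of a packet leaving the real host."""
    for rule in rules:
        if rule.real == real_src and rule.covers_peer(dst):
            return rule
    return None


def inbound_rule(rules: List[NatRule], src: IPv4Address,
                 mapped_dst: IPv4Address) -> Optional[NatRule]:
    """Rule that un-translates the destination of a packet from outside."""
    for rule in rules:
        if rule.mapped == mapped_dst and rule.covers_peer(src):
            return rule
    return None


def check_connection(rules: List[NatRule], client: str,
                     target: str) -> Tuple[bool, str, str, str]:
    """Simulate an outside client opening a connection to `target`.

    Returns (allowed, forward_rule, reverse_rule, syslog_text); "none"
    means no rule matched, i.e. the address passes untranslated."""
    client_ip, target_ip = IPv4Address(client), IPv4Address(target)
    fwd = inbound_rule(rules, client_ip, target_ip)
    real = fwd.real if fwd else target_ip        # no rule: no translation
    rev = outbound_rule(rules, real, client_ip)
    fwd_name = fwd.name if fwd else "none"
    rev_name = rev.name if rev else "none"
    if fwd is rev:
        return True, fwd_name, rev_name, ""
    # Constructed message in the format the thread quotes.
    msg = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and "
           f"reverse flows; Connection icmp src outside:{client} "
           f"dst dmz:{target} denied due to NAT reverse path failure")
    return False, fwd_name, rev_name, msg


# Constructed stand-ins for the thread's 10.x.x.1 / 200.x.x.1 / 10.x.50.0/24.
HOST_REAL = IPv4Address("10.0.2.1")
HOST_MAPPED = IPv4Address("203.0.113.1")
STAFF_NET = IPv4Network("10.0.50.0/24")

# The configuration suggested in the 11-06-2009 reply, in its written order:
#   static (dmz,outside) <real> access-list NAT-acl   (identity for staff)
#   static (dmz,outside) <mapped> <real> netmask 255.255.255.255
RULES_PROPOSED = [
    NatRule("policy-static", HOST_REAL, HOST_REAL, STAFF_NET),
    NatRule("static", HOST_REAL, HOST_MAPPED),
]


def summary(rules: List[NatRule]) -> List[Tuple[str, str, bool, str, str]]:
    """Evaluate each (client, target) pair a reviewer would want to see."""
    cases = [("10.0.50.7", str(HOST_MAPPED)),    # staff -> natted address
             ("10.0.50.7", str(HOST_REAL)),      # staff -> real address
             ("198.51.100.9", str(HOST_MAPPED)),  # customer -> natted address
             ("198.51.100.9", str(HOST_REAL))]   # customer -> real address
    out = []
    for client, target in cases:
        allowed, fwd, rev, _ = check_connection(rules, client, target)
        out.append((client, target, allowed, fwd, rev))
    return out


if __name__ == "__main__":
    for client, target, allowed, fwd, rev in summary(RULES_PROPOSED):
        verdict = "allowed" if allowed else "DENIED (asymmetric NAT)"
        print(f"{client:>13} -> {target:<12} fwd={fwd:<14} rev={rev:<14} {verdict}")
```

Running the script shows the staff ping to the mapped address being un-translated by `static` while the reply is picked up by `policy-static`, which is the mismatch the follow-up describes; the same staff client reaching the real address uses `policy-static` in both directions and passes, and outside customers reach only the mapped address. Under this first-match model each client population ends up with exactly one working address for the host, which matches what the thread observed for both configurations tried.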