asymmetric nat?

Hi All.

I have this problem. I manage a remote datacenter network from an ASA outside interface.

The same host must be accessed from outside by customers by its natted IP address (200.x.x.1) and, at the same time, by staff by its real IP (10.x.x.1) “AND” by its natted address. Until now no problem, I thought. I created a static NAT and a NAT exemption this way (10.x.50.0/24 is the staff network):

access-list NO-NAT extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0

nat (dmz) 0 access-list NO-NAT tcp 0 0 udp 0

static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255

But this way the machine can be accessed by its natted IP address by anyone, including staff. But it cannot be accessed by its real IP address. ASA 8.2 gives the following error message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src xxxx/kk dest yyyy/jj denied due to NAT reverse path failure.

Is there any way to access a host using BOTH natted AND real IP address? Routers don't seem to bother with this.

Paulo Roque

4 REPLIES

Re: asymmetric nat?

You can have a look at this document which describes NAT order of operations.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


Re: asymmetric nat?

Is there any way to access a host using BOTH natted AND real IP address

If there is I am also curious if this is possible.


Re: asymmetric nat?

One possible solution is for the host to have 2 IP addresses. One is NATed to and the other is the 'real' IP.

Another solution might be to utilize an access-list with a static NAT. I'm not sure that this would work in your case though.

access-list NAT-acl extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0

static (dmz,outside) 10.x.x.1 access-list NAT-acl

static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255

Like I said, that may not work though.


Re: asymmetric nat?

cmcbrife,

I tried like you said, but it did not work. The problem is that when I ping the address 200.x.x.1, in the inbound direction the echo-request packet gets translated by the second rule, but the echo-reply in the opposite direction is translated by the first rule. Again, asymmetric NAT.

Thx

Paulo Roque
