NAT reverse path failure after upgrading from 8.4(1) to 8.4(4.1)

Hello there,

After upgrading an ASA5520 from 8.4(1) to 8.4(4.1) I ran into the following trouble:

  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.149.21/53 dst inside:192.168.37.123/53  denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.150.157/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.137.93/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.215.9/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.216.11/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.146.7/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.148.2/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.145.1/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.147.5/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure

Everything worked fine before... I know about the problems when upgrading to 8.3 but didn't find a hint on upgrading from 8.4(1) to 8.4(4.1).

All the subnets mentioned above are connected via VPN.

If anyone ran into this as well or has any clue please drop me a line...

Best regards,

Joerg


NAT reverse path failure after upgrading from 8.4(1) to 8.4(4.1)

Can you share your NAT configuration?

Thanks,
Varun Rao
Security Team,
Cisco TAC


Re: NAT reverse path failure after upgrading from 8.4(1) to 8.4(

Hi Varun,

Thanks for the answer.

Attached you'll find the NAT configuration.

Thanks in advance,

Joerg


NAT reverse path failure after upgrading from 8.4(1) to 8.4(4.1)

Can you tell me the name of the object for these two IPs?

192.168.149.21/53 192.168.37.123/53

Thanks,
Varun Rao
Security Team,
Cisco TAC


Re: NAT reverse path failure after upgrading from 8.4(1) to 8.4(

192.168.149.0/24 LAN-NewYork

192.168.37.0/17 LAN-Aix

You're welcome...

Best regards,

Joerg


NAT reverse path failure after upgrading from 8.4(1) to 8.4(4.1)

I cannot see any NAT statement from LAN-NewYork to LAN-Aix. Are you missing any NATs after the upgrade? Can you add a NAT for this traffic as well?

Thanks,
Varun Rao
Security Team,
Cisco TAC


Re: NAT reverse path failure after upgrading from 8.4(1) to 8.4(

This is actually a working NAT with 8.4(1).

LAN-Aix is included in object-group Remote_Offices...
