Cisco Support Community

New Member

NAT reverse path issue on ASA 8.3

Tonight we upgraded our ASA from 8.2.2 to 8.3.1 and for the most part things are working ok but we are having some pretty significant issues related to nat exemption. In our situation the remote vpn network is 10.100.100.0/24 and the internal network I am trying to reach could be 192.168.1.0/24 or 10.11.1.0/24.

The ASA is continuously spitting out error messages such as this:

Jul 21 2010 01:56:32: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.100.7 dst inside:192.168.1.18 (type 8, code 0) denied due to NAT reverse path failure

I have read other posts without any kind of resolution but some have suggested that I might essentially have duplicate entries for either the remote or internal networks. I have posted my nat code below. The P.P.P.x syntax would suggest a public IP address is being used...

Thanks for any help that can be provided.

nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,dmz) source static obj-192.168.1.4 obj-192.168.20.1 destination static obj-P.P.P.23 obj-10.10.4.23
nat (dmz,outside) source dynamic obj-10.10.4.0 obj-192.168.25.2 destination static obj-192.168.20.1 obj-192.168.1.4
nat (inside,any) source static any any destination static obj-10.10.4.0 obj-10.10.4.0
nat (inside,any) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
nat (inside,any) source static any any destination static DK-Chicago DK-Chicago
nat (inside,any) source static any any destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,any) source static any any destination static obj-10.10.20.0 obj-10.10.20.0
nat (inside,any) source static any any destination static obj-192.168.160.0 obj-192.168.160.0
nat (inside,any) source static any any destination static obj-192.168.16.0 obj-192.168.16.0
nat (inside,any) source static any any destination static obj-192.168.18.0 obj-192.168.18.0
nat (inside,any) source static any any destination static obj-172.30.254.0 obj-172.30.254.0
nat (inside,any) source static any any destination static obj-172.30.254.128 obj-172.30.254.128
nat (inside,any) source static any any destination static obj-10.16.0.0 obj-10.16.0.0
nat (inside,any) source static any any destination static obj-10.9.0.0 obj-10.9.0.0
nat (inside,any) source static any any destination static obj-10.2.0.0 obj-10.2.0.0
nat (inside,any) source static any any destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,any) source static any any destination static obj-192.168.200.0 obj-192.168.200.0
nat (inside,any) source static any any destination static obj-192.168.140.0 obj-192.168.140.0
nat (inside,any) source static dk-cryptoacl dk-cryptoacl destination static obj-10.0.0.0 obj-10.0.0.0
nat (inside,any) source static dk-cryptoacl dk-cryptoacl destination static PillarOakParkLAN-10.1.10.0 PillarOakParkLAN-10.1.10.0
nat (inside,outside) source dynamic obj-192.168.1.0 obj-192.168.25.1 destination static obj-192.168.20.1 obj-192.168.20.1
nat (dmz,outside) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
nat (dmz,outside) source static any any destination static DK-Chicago DK-Chicago
nat (dmz,outside) source static any any destination static obj-192.168.18.0 obj-192.168.18.0
nat (dmz,outside) source static any any destination static obj-192.168.15.0 obj-192.168.15.0
nat (dmz,outside) source static any any destination static obj-10.10.20.0 obj-10.10.20.0
nat (dmz,outside) source static any any destination static obj-192.168.160.0 obj-192.168.160.0
nat (dmz,outside) source static any any destination static obj-192.168.16.0 obj-192.168.16.0
nat (dmz,outside) source static any any destination static obj-10.16.0.0 obj-10.16.0.0
nat (dmz,outside) source static any any destination static obj-10.9.0.0 obj-10.9.0.0
nat (dmz,outside) source static any any destination static obj-10.2.0.0 obj-10.2.0.0
nat (dmz,outside) source static any any destination static obj-192.168.140.0 obj-192.168.140.0
nat (dmz,outside) source static any any destination static PillarOakParkLAN-10.1.10.0 PillarOakParkLAN-10.1.10.0
nat (dmz,outside) source static any any destination static obj-10.0.0.0 obj-10.0.0.0
nat (dmz,dmz) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
nat (dmz,dmz) source static any any destination static DK-Chicago DK-Chicago
nat (dmz,dmz) source static any any destination static obj-192.168.18.0 obj-192.168.18.0
nat (dmz,dmz) source static any any destination static obj-192.168.15.0 obj-192.168.15.0
nat (dmz,dmz) source static any any destination static obj-10.10.20.0 obj-10.10.20.0
nat (dmz,dmz) source static any any destination static obj-192.168.160.0 obj-192.168.160.0
nat (dmz,dmz) source static any any destination static obj-192.168.16.0 obj-192.168.16.0
nat (dmz,dmz) source static any any destination static obj-10.16.0.0 obj-10.16.0.0
nat (dmz,dmz) source static any any destination static obj-10.9.0.0 obj-10.9.0.0
nat (dmz,dmz) source static any any destination static obj-10.2.0.0 obj-10.2.0.0
nat (dmz,dmz) source static any any destination static obj-192.168.140.0 obj-192.168.140.0
nat (dmz,dmz) source static any any destination static PillarOakParkLAN-10.1.10.0 PillarOakParkLAN-10.1.10.0
nat (dmz,dmz) source static any any destination static obj-10.0.0.0 obj-10.0.0.0
nat (dmz,outside) source static obj-10.10.4.20 obj-P.P.P.20 dns
nat (dmz,outside) source static obj-10.10.4.21 obj-P.P.P.21 dns
nat (dmz,outside) source static obj-10.10.4.22 obj-P.P.P.22 dns
nat (dmz,outside) source static obj-10.10.4.24 obj-P.P.P.24 dns
nat (dmz,outside) source static obj-10.10.4.25 obj-P.P.P.25 dns
nat (dmz,outside) source static obj-10.10.4.26 obj-P.P.P.26 dns
nat (dmz,outside) source static obj-10.10.4.18 obj-P.P.P.28 dns
nat (dmz,outside) source static obj-10.10.4.30 obj-P.P.P.30 dns
nat (dmz,outside) source static obj-10.10.4.31 obj-P.P.P.31 dns
nat (dmz,outside) source static obj-10.10.4.32 obj-P.P.P.32 dns
nat (dmz,outside) source static obj-10.10.4.23 obj-P.P.P.23 dns
nat (dmz,outside) source dynamic obj-10.10.4.0 obj-192.168.25.2 destination static obj-192.168.20.1 obj-192.168.20.1
!
object network obj-192.168.1.4
nat (outside,inside) static 192.168.20.1
object network obj-192.168.1.18
nat (inside,outside) static P.P.P.18
object network obj-192.168.1.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.10.4.20
nat (dmz,outside) static P.P.P.20
object network obj-10.10.4.21
nat (dmz,outside) static P.P.P.21
object network obj-10.10.4.22
nat (dmz,outside) static P.P.P.22
object network obj-10.10.4.24
nat (dmz,outside) static P.P.P.24
object network obj-10.10.4.25
nat (dmz,outside) static P.P.P.25
object network obj-10.10.4.26
nat (dmz,outside) static P.P.P.26
object network obj-10.10.4.18
nat (dmz,outside) static P.P.P.28
object network obj-10.10.4.30
nat (dmz,outside) static P.P.P.30
object network obj-10.10.4.31
nat (dmz,outside) static P.P.P.31
object network obj-10.10.4.32
nat (dmz,outside) static P.P.P.32
object network obj-10.10.4.0
nat (dmz,outside) dynamic P.P.P.100
object network obj-192.168.1.4-01
nat (outside,dmz) static 192.168.20.1
object network obj-10.100.100.0
nat (outside,outside) dynamic P.P.P.100
object network obj-192.168.16.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.16.0.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.9.0.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.2.0.0
nat (inside,outside) dynamic P.P.P.100
object network obj-192.168.2.0
nat (inside,outside) dynamic P.P.P.100
object network obj-192.168.200.1
nat (inside,outside) dynamic P.P.P.100
object network obj-192.168.9.0
nat (inside,outside) dynamic P.P.P.100
object network obj-10.11.0.0
nat (inside,outside) dynamic P.P.P.100

2 REPLIES
Cisco Employee

Re: NAT reverse path issue on ASA 8.3

Hello,

From your configuration, I can see that there are a few statics stating that 192.168.0.0 is on the outside interface

nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.0.0 obj-192.168.0.0

I am not certain about the mask you are using. But if your mask is /16, then that explains the conflict. If you are using /16 mask, please rewrite these statics with specific network segments.

Hope this helps.

Regards,

NT
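The reply above points at the root cause: the `(outside,outside)` statics claim that whatever `obj-192.168.0.0` covers lives on the outside interface, while the syslog shows 192.168.1.18 on the inside. The following script is an added example (not code from the thread or from Cisco) that makes that kind of conflict visible. It parses a subset of the NAT lines copied from the post, records which interface each rule places a real network on, and then checks both endpoints of the quoted %ASA-5-305013 line against those claims. The object masks are assumed, because the post lists object names but never their definitions; the `/16` values reproduce the case the reply suspects, and `OBJECTS_SPECIFIC` shows the same audit after the aggregates are narrowed to specific segments as the reply recommends.

```python
"""Interface-claim audit for ASA 8.3 NAT rules (added example, not from the thread).

Every twice-NAT or object-NAT line implicitly states which interface a real
network lives on. When two rules place the same address on different
interfaces, the ASA can pick one rule for the forward flow and a different
one for the reverse flow, which is what %ASA-5-305013 reports."""
import ipaddress
import re

# ASSUMED object definitions: the post shows only object names. The /16 masks on
# the two aggregate objects are the condition the reply suspects.
OBJECTS_SUSPECTED = {
    "obj-192.168.0.0": "192.168.0.0/16",
    "obj-10.0.0.0": "10.0.0.0/16",
    "obj-10.100.100.0": "10.100.100.0/24",
    "obj-192.168.1.0": "192.168.1.0/24",
    "obj-192.168.1.18": "192.168.1.18/32",
}
# The same objects after the aggregates are rewritten as specific segments.
OBJECTS_SPECIFIC = dict(OBJECTS_SUSPECTED, **{
    "obj-192.168.0.0": "192.168.0.0/24",
    "obj-10.0.0.0": "10.0.0.0/24",
})

# Subset of NAT lines copied from the post, and the syslog message it quotes.
CONFIG = """\
nat (outside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-10.0.0.0 obj-10.0.0.0
nat (outside,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-192.168.0.0 obj-192.168.0.0
nat (inside,any) source static any any destination static obj-10.100.100.0 obj-10.100.100.0
object network obj-192.168.1.18
nat (inside,outside) static P.P.P.18
object network obj-192.168.1.0
nat (inside,outside) dynamic P.P.P.100
"""
SYSLOG = ("Jul 21 2010 01:56:32: %ASA-5-305013: Asymmetric NAT rules matched for forward "
          "and reverse flows; Connection for icmp src outside:10.100.100.7 dst inside:192.168.1.18 "
          "(type 8, code 0) denied due to NAT reverse path failure")

# Twice NAT: nat (real_if,mapped_if) source static|dynamic REAL MAPPED
#            [destination static MAPPED REAL]  -- real destination is the second name.
TWICE_RE = re.compile(r"^nat \((\S+),(\S+)\) source (?:static|dynamic) (\S+) \S+"
                      r"(?: destination static \S+ (\S+))?")
OBJ_RE = re.compile(r"^object network (\S+)$")
OBJNAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (?:static|dynamic) ")
FLOW_RE = re.compile(r"src (\w+):([\d.]+) dst (\w+):([\d.]+)")


def network_of(name, objects):
    """Resolve an object name; None for 'any' or names without a known definition."""
    return ipaddress.ip_network(objects[name]) if name in objects else None


def parse_claims(config, objects):
    """Return [(network, interface, line)] for every real network that a NAT line
    places on a specific (non-'any') interface."""
    claims, current_obj = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = TWICE_RE.match(line)
        if m:
            current_obj = None
            real_if, mapped_if, src_real, dst_real = m.groups()
            # Source real object sits on the real interface, real destination on the mapped one.
            for name, ifc in ((src_real, real_if), (dst_real, mapped_if)):
                net = network_of(name, objects) if name else None
                if net is not None and ifc != "any":
                    claims.append((net, ifc, line))
            continue
        m = OBJ_RE.match(line)
        if m:
            current_obj = m.group(1)
            continue
        m = OBJNAT_RE.match(line)
        if m and current_obj:
            net = network_of(current_obj, objects)
            if net is not None and m.group(1) != "any":
                claims.append((net, m.group(1), line))
    return claims


def interfaces_claiming(ip, claims):
    """Set of interfaces on which some NAT rule says `ip` lives."""
    addr = ipaddress.ip_address(ip)
    return {ifc for net, ifc, _ in claims if addr in net}


def audit_syslog(syslog_line, config, objects):
    """For a %ASA-5-305013 line, report each endpoint whose address some NAT rule
    places on an interface other than the one the ASA actually saw it on."""
    m = FLOW_RE.search(syslog_line)
    if not m:
        raise ValueError("no src/dst flow found in syslog line")
    claims = parse_claims(config, objects)
    report = {}
    for ifc_seen, ip in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
        addr = ipaddress.ip_address(ip)
        claimed = interfaces_claiming(ip, claims)
        if claimed - {ifc_seen}:
            report[ip] = {
                "seen_on": ifc_seen,
                "claimed_on": sorted(claimed),
                "rules": [l for n, i, l in claims if addr in n and i != ifc_seen],
            }
    return report


if __name__ == "__main__":
    for label, objs in (("suspected /16 masks", OBJECTS_SUSPECTED), ("specific segments", OBJECTS_SPECIFIC)):
        print(f"--- {label} ---")
        for ip, info in audit_syslog(SYSLOG, CONFIG, objs).items():
            print(f"{ip}: seen on {info['seen_on']}, claimed on {info['claimed_on']}")
            for rule in info["rules"]:
                print("   ", rule)
```

With the suspected `/16` masks the audit flags 192.168.1.18: the log saw it on inside, but both `(outside,outside)` statics claim it on outside. With the aggregates narrowed to specific segments the report is empty, which is the state the reply is asking for. Run it against the full rule set from the post once the real object definitions are filled in; the script deliberately ignores `any` interfaces and objects it has no definition for rather than guessing.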

Cisco Employee

Re: NAT reverse path issue on ASA 8.3

Please see the document here, and let me know if it helps with this problem:

ASA NAT Migration problems when upgrading to 8.3; Syslog "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows"

https://supportforums.cisco.com/docs/DOC-12569
