Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

Ping problem to this VLAN

Hi 

i have an ASA firewall configured with VLAN. All this while to configuration was OK and each server (VM) able to ping each other.

Then we start to configure NAT in the firewall. Somehow (2 days ago)  we realize that there is one server that we can't ping from other internal server.

Others server OK.

I have 4 VLAN (12,20,30,50)

i check the ASA log and found this 

"5 Oct 16 2014 11:38:48 10.1.12.30 10.1.20.2 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src VLAN12:10.1.12.30 dst VLAN20:10.1.20.2 (type 8, code 0) denied due to NAT reverse path failure"

What could be the NAT rules that prevent the icmp??? 

================================================

ASA Version 9.1(2) 
!
hostname ASHFW01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 110.74.132.50 255.255.255.248 
!
interface GigabitEthernet0/1
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.1
 vlan 12
 nameif VLAN12
 security-level 100
 ip address 10.1.12.254 255.255.255.0 
!
interface GigabitEthernet0/1.2
 vlan 20
 nameif VLAN20
 security-level 100
 ip address 10.1.20.254 255.255.255.0 
!
interface GigabitEthernet0/1.3
 vlan 30
 nameif VLAN30
 security-level 100
 ip address 10.1.30.254 255.255.255.0 
!
interface GigabitEthernet0/1.4
 vlan 50
 nameif VLAN50
 security-level 100
 ip address 10.1.50.254 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer-RDP
 host 10.1.12.13
object network Exch-SMTP
 host 10.1.20.2
object network Exch-POP3
 host 10.1.20.2
object network Exch-SMTPS
 host 10.1.20.2
object network ExchServer-RDP
 host 10.1.20.2
object network MgmtSvr-RDP
 host 10.1.12.30
object network Exch-SMTP1
 host 10.1.20.2
object network Exch-HTTP
 host 10.1.20.2
object network Portal
 host 10.1.12.14
 description Portal
object service Portal80
 service tcp source eq www destination eq www 
 description Portal80
object service SalesMobile9090
 service tcp destination eq 9090 
 description SalesMobile9090
object network MgmtSvr
 host 10.1.12.30
object network TerminalServer
 host 10.1.12.13
object network ExchServer
object network ExchSvr
 host 10.1.20.2
object service smtp2
 service tcp destination eq 587 
object network SalesMobile
 host 10.1.12.14
 description SalesMobile
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object ExchSvr
 network-object object MgmtSvr
 network-object object TerminalServer
object-group service Exch-Services
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp destination eq pop3 
 service-object object smtp2 
 service-object tcp destination eq smtp 
access-list outside_access_in extended permit icmp any4 any 
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group rdp 
access-list outside_access_in extended permit object-group Exch-Services any object ExchSvr 
access-list outside_access_in extended permit tcp any object Portal eq www 
access-list outside_access_in extended permit object SalesMobile9090 any object SalesMobile 
access-list outside_access_in extended deny ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer-RDP
 nat (VLAN12,outside) static 110.74.132.51 service tcp 3389 3389 
object network Exch-SMTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp 
object network Exch-POP3
 nat (VLAN20,outside) static 110.74.132.52 service tcp https https 
object network Exch-SMTPS
 nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587 
object network ExchServer-RDP
 nat (VLAN20,outside) static 110.74.132.52 service tcp 3389 3389 
object network MgmtSvr-RDP
 nat (VLAN12,outside) static 110.74.132.53 service tcp 3389 3389 
object network Exch-SMTP1
 nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3 
object network Exch-HTTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp www www 
object network Portal
 nat (VLAN12,outside) static 110.74.132.51 service tcp www www 
object network MgmtSvr
 nat (any,any) static 110.74.132.53
object network ExchSvr
 nat (any,any) static 110.74.132.52
object network SalesMobile
 nat (VLAN12,outside) static 110.74.132.51 service tcp 9090 9090 
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside

==============================================================

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi,NAT statement is the issue

Hi,

NAT statement is the issue:-

object network ExchSvr
 nat (any,any) static 110.74.132.52
 
Change this to specific interfaces on the NAT and that should fix this issue for you.
 
If i am correct it should change to:-
 
nat (VLAN20,outside) static 110.74.132.52
 
Thanks and Regards,
Vibhor Amrodia
 
5 REPLIES
Cisco Employee

Hi,You can run this packet

Hi,

You can run this packet tracer on the ASA device to check:-

packet input VLAN12 icmp 10.1.12.30 8 0 10.1.20.2 det

Thanks and Regards,

Vibhor Amrodia

This is what i get===========

This is what i get

======================

Result of the command: "packet input VLAN12 icmp 10.1.12.30 8 0 10.1.20.2 det"
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a638790, priority=1, domain=permit, deny=false
hits=1375642, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=VLAN12, output_ifc=any
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.20.0       255.255.255.0   VLAN20
 
Phase: 3
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network MgmtSvr
 nat (any,any) static 110.74.132.53
Additional Information:
Static translate 10.1.12.30/0 to 110.74.132.53/0
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a80b110, priority=6, domain=nat, deny=false
hits=1834, user_data=0x7fff2a8098c0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.12.30, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 4
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a7a09f0, priority=2, domain=permit, deny=false
hits=1827, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=VLAN12, output_ifc=any
 
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b81a90, priority=0, domain=nat-per-session, deny=true
hits=4666, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a640630, priority=0, domain=inspect-ip-options, deny=true
hits=9745, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=VLAN12, output_ifc=any
 
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2aefe1b0, priority=70, domain=inspect-icmp, deny=false
hits=1634, user_data=0x7fff2aefc550, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=VLAN12, output_ifc=any
 
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a63ff60, priority=66, domain=inspect-icmp-error, deny=false
hits=1634, user_data=0x7fff2a63f4d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=VLAN12, output_ifc=any
 
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network ExchSvr
 nat (any,any) static 110.74.132.52
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2a80f780, priority=6, domain=nat-reverse, deny=false
hits=1271, user_data=0x7fff2a80db20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=10.1.20.2, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Result:
input-interface: VLAN12
input-status: up
input-line-status: up
output-interface: VLAN20
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Cisco Employee

Hi,NAT statement is the issue

Hi,

NAT statement is the issue:-

object network ExchSvr
 nat (any,any) static 110.74.132.52
 
Change this to specific interfaces on the NAT and that should fix this issue for you.
 
If i am correct it should change to:-
 
nat (VLAN20,outside) static 110.74.132.52
 
Thanks and Regards,
Vibhor Amrodia
 

I see now, object network

I see now, 

object network ExchSvr
 nat (any,any) static 110.74.132.52

 

Once i removed the nat (any,any) static 110.74.132.52, i'm able to ping to the destination.

The nat above is actually for me to ping from external to the public ip of 110.74.132.52.

If i remove the nat command above, how can i still ping to the public ip of 110.74.132.52 from external??

Cisco Employee

Hi,You still need that NAt

Hi,

You still need that NAt but with specific Interface Names in the NAT configuration.

object network ExchSvr
nat (VLAN20,outside) static 110.74.132.52

This should still help you to ping the Public IP from the internet.

Thanks and Regards,

Vibhor Amrodia

57
Views
0
Helpful
5
Replies
CreatePlease to create content