denied due to NAT reverse path failure

I have an ASA5505 (base license, ASDM 7.1(3), ASA 9.(2)) and am confused about the "denied due to NAT reverse path failure" message.

My IP schema is as follows:

INSIDE = 10.0.1.0/24

DMZ =172.16.0.0/24

VPN_Pool = 172.16.20.0/24

PROBLEM: VPN users can connect to the ASA but cannot reach anything on the DMZ or LAN.

TRIAGE: I have run the packet tracer with the following output:

ALB-ASA# packet-tracer input inside tcp 172.16.20.2 1234 172.16.0.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6415, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

QUESTION:

The error received is "...Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.16.20.1/52036(LOCAL\user) dst DMZ:172.16.0.2/3389 denied due to NAT reverse path failure."

What NAT rule(s) must I apply to allow users to access resources on LAN/DMZ?

Current NAT is as follows:

1 (DMZ) to (outside) source dynamic DMZ_NET interface
    translate_hits = 1623, untranslate_hits = 34
    Source - Origin: 172.16.0.0/27, Translated: (MY-real-IP-DELETED)/21
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 2851, untranslate_hits = 121
    Source - Origin: 0.0.0.0/0, Translated: (MY-real-IP-DELETED)/21
THANKS IN ADVANCE FOR HELP!!!

ACCEPTED SOLUTION (Hall of Fame Super Silver):

The address pool for VPN users needs to have a NAT exemption for any DMZ or inside networks they will be using. They appear as outside addresses (even though they are assigned a local private IP address) based on their ingress interface.

As such, without a NAT exemption, return traffic to them is NATted by one of your two NAT rules above (while the incoming traffic was not NATted). Thus the "Asymmetric NAT rules matched for forward and reverse flows" message.

Your packet tracer specified them as inside and thus you got a false positive indication that the traffic would be allowed.

REPLY (New Member):

Marvin,

  Thank you for getting back to me on this - you were 100% correct!!

I added the following "NAT exemption" rules, which totally resolved my issues!

nat (DMZ,outside) source static DMZ_Net DMZ_Net destination static vpnhosts vpnhosts

nat (inside,outside) source static insidenetwork insidenetwork destination static vpnhosts vpnhosts

Oh, and as you also noted, I re-ran the packet tracer using "inside" instead of "outside" (from the original posting) and also verified the "DROP" before I applied the fix noted above; you were correct that that was what misguided me in the first place. It works (ALLOWED) after the fix (of course).

[...small reminder for others reading this: if you have a base license you cannot attach to both VLANs (inside and DMZ)...you have to choose which network you intend to attach resources to, or buy a license..so don't be confused if you apply these fixes and can't reach one of them (i.e. INSIDE)...]
THANK YOU Marvin !!!!
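To make the accepted answer and the fix above concrete, here is an added example (Python, written for this page; not code from the thread, from Cisco, or from the ASA itself). It is a deliberately simplified model of the ASA's forward/reverse NAT lookup for a new connection: the forward packet is matched against the manual NAT rules, then the server's reply is matched in the reverse direction, and the connection is dropped when the reply's translated source no longer equals the address the client sent to. Assumptions that are not on the page: a constructed routing table, 203.0.113.1 as a placeholder for the deleted public IP, DMZ_NET taken as 172.16.0.0/24 (the IP schema in the question), vpnhosts as 172.16.20.0/24, insidenetwork as 10.0.1.0/24, and rules evaluated in order with first match winning (which is how the ASA treats section 1 manual NAT, so the exemption is placed ahead of the dynamic PAT rule). Ports and destination untranslation are ignored. The model reproduces the three situations on this thread: packet-tracer with "input inside" says ALLOW (the false positive), the real outside-to-DMZ flow fails the reverse-path check, and the identity NAT exemption makes it symmetric again without breaking DMZ-to-Internet PAT.

```python
"""Simplified model of the ASA forward/reverse NAT lookup (example code, not Cisco's)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed routing table (assumption): VPN pool is reachable via outside.
ROUTES = {
    "10.0.1.0/24": "inside",
    "172.16.0.0/24": "DMZ",
    "172.16.20.0/24": "outside",
    "0.0.0.0/0": "outside",
}

OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")  # placeholder for the deleted public IP


@dataclass
class NatRule:
    src_if: str
    dst_if: str
    src_net: ipaddress.IPv4Network
    dst_net: Optional[ipaddress.IPv4Network]  # None means "any destination"
    kind: str                                 # "dynamic-pat" or "identity"


def rule(src_if, dst_if, src, dst=None, kind="identity"):
    """Build a manual NAT rule; 'identity' models 'source static X X destination static Y Y'."""
    return NatRule(src_if, dst_if, ipaddress.ip_network(src),
                   ipaddress.ip_network(dst) if dst else None, kind)


# The two rules from the question (hypothetical object names resolved to prefixes).
CURRENT_NAT = [
    rule("DMZ", "outside", "172.16.0.0/24", kind="dynamic-pat"),   # DMZ_NET -> interface PAT
    rule("inside", "outside", "0.0.0.0/0", kind="dynamic-pat"),    # obj_any -> interface PAT
]

# The exemptions from the follow-up, placed ahead of the dynamic rules (first match wins).
FIXED_NAT = [
    rule("DMZ", "outside", "172.16.0.0/24", "172.16.20.0/24"),     # DMZ_Net <-> vpnhosts
    rule("inside", "outside", "10.0.1.0/24", "172.16.20.0/24"),    # insidenetwork <-> vpnhosts
] + CURRENT_NAT


def egress_interface(dst):
    """Longest-prefix match over ROUTES (the ROUTE-LOOKUP phase of packet-tracer)."""
    best = max((ipaddress.ip_network(n) for n in ROUTES if dst in ipaddress.ip_network(n)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def lookup(rules, ingress, egress, src, dst):
    """First rule matching a packet entering 'ingress' and leaving 'egress'.
    Returns (source address after translation, matched rule or None)."""
    for r in rules:
        if (r.src_if, r.dst_if) != (ingress, egress) or src not in r.src_net:
            continue
        if r.dst_net is not None and dst not in r.dst_net:
            continue
        return (OUTSIDE_IP if r.kind == "dynamic-pat" else src), r
    return src, None


def check_connection(rules, ingress, src, dst):
    """Model the NAT reverse-path check for a new flow; returns 'ALLOW ...' or 'DROP ...'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_interface(dst)
    fwd_src, _ = lookup(rules, ingress, egress, src, dst)
    # Reverse path: the server's reply enters on 'egress' and heads back to 'ingress'.
    rev_src, rev_rule = lookup(rules, egress, ingress, dst, fwd_src)
    if rev_src != dst:
        hit = rev_rule.kind if rev_rule else "none"
        return (f"DROP: Asymmetric NAT rules matched for forward and reverse flows "
                f"({ingress}->{egress}; reverse flow hit {hit}, reply source becomes {rev_src})")
    return f"ALLOW ({ingress}->{egress})"


if __name__ == "__main__":
    # 1. packet-tracer with 'input inside', as in the question: a false positive.
    print(check_connection(CURRENT_NAT, "inside", "172.16.20.2", "172.16.0.2"))
    # 2. The real flow: VPN client arrives on outside -> NAT reverse path failure.
    print(check_connection(CURRENT_NAT, "outside", "172.16.20.1", "172.16.0.2"))
    # 3. After the identity NAT exemption the reverse flow is untranslated -> allowed.
    print(check_connection(FIXED_NAT, "outside", "172.16.20.1", "172.16.0.2"))
    # 4. DMZ host to the Internet is still PAT'd after the fix.
    print(check_connection(FIXED_NAT, "DMZ", "172.16.0.2", "198.51.100.7"))
    # 5. Ordering caveat in this model: an exemption listed after the dynamic rule never matches.
    print(check_connection(CURRENT_NAT + FIXED_NAT[:2], "outside", "172.16.20.1", "172.16.0.2"))
```

Case 1 is why the packet-tracer run in the question reported ALLOW: with the VPN client entered as an "inside" source, neither (DMZ,outside) nor (inside,outside) rule is consulted on the reverse path. Run the same check with "outside" as the input interface, as the accepted answer suggests, and the dynamic PAT rule on the DMZ side rewrites the reply's source, which is exactly the asymmetry the log line complains about.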

REPLY:

Hi.

I have the same issue. Can I do the NAT exemption from the ASDM?

Thanks !!

REPLY (Hall of Fame Super Silver):

NAT exemption is also known as Identity NAT. It can be set up in either the CLI or ASDM. Here is a link to the latest ASDM configuration guide section documenting how.
