topic ASA reverse NAT failure in Network Security

ASA reverse NAT failure

jwilder01 — Tue, 12 Mar 2019 06:18:38 GMT

I have a customer that has had issue with RDP. They try to RDP from 10.10.32.20 (LAN) to 10.1.2.248 (VPN external). I pulled the following from the logs:

Jul 21 2015 12:54:08: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.1.2.248/52943 dst outside:10.190.22.160/59894 denied due to NAT reverse path failure

# sh run nat
nat (outside) 0 access-list nonat_outside_VPN
nat (outside) 1 0.0.0.0 0.0.0.0
nat (InsideCET) 0 access-list InsideCET_nat0_outbound
nat (InsideCET) 99 access-list NAT-MAIL-OUT
nat (InsideCET) 1 10.250.1.0 255.255.255.0
nat (InsideCET) 1 172.16.12.0 255.255.255.0
nat (InsideCET) 1 10.1.0.0 255.255.0.0
nat (InsideCET) 1 10.10.0.0 255.255.0.0
nat (InsideCET) 1 10.200.0.0 255.255.0.0
nat (InsideCET) 1 172.16.0.0 255.255.0.0

#sh run global
global (outside) 1 interface
global (outside) 99 69.170.x.x

Is there something missing here or is more information required for help reviewing? Do I need to post my ACL's?

Appreciate the assistance.

Jason

The line:

Marvin Rhoads — Tue, 21 Jul 2015 20:56:11 GMT

The line:

     nat (InsideCET) 1 10.1.0.0 255.255.0.0

...includes the destination address (10.1.2.248). Can you tell us if the access-list "nonat_outside_VPN" has a more specific subnet defined within the 10.1.0.0/16 subnet?

A packet-tracer output would help. Try this:

     packet-tracer input InsideCNET tcp 10.10.32.20 1025 10.1.2.248 389

Marvin,Here is the packet

jwilder01 — Tue, 21 Jul 2015 21:03:04 GMT

Marvin,

Here is the packet tracer:

# packet-tracer input InsideCET tcp 10.10.32.20 1025 10.1.2.248 389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.2.248 255.255.255.255 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group InsideCET_access_in in interface InsideCET
access-list InsideCET_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip InsideCET 10.0.0.0 255.0.0.0 outside 10.1.2.192 255.255.255.192
NAT exempt
translate_hits = 29843, untranslate_hits = 297575
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (InsideCET) 1 10.10.0.0 255.255.0.0
match ip InsideCET 10.10.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (64.x.x.x [Interface PAT])
translate_hits = 7666989, untranslate_hits = 590795
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (InsideCET) 1 10.10.0.0 255.255.0.0
match ip InsideCET 10.10.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (64.x.x.x [Interface PAT])
translate_hits = 7666990, untranslate_hits = 590795
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: HQF
Subtype: hierarchical-queueing
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 1 0.0.0.0 0.0.0.0
match ip outside any outside any
dynamic translation to pool 1 (64.x.x.x [Interface PAT])
translate_hits = 297872, untranslate_hits = 1
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 33102180, packet dispatched to next module

Result:
input-interface: InsideCET
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Here is NONAT info:

access-list nonat_outside_VPN extended permit ip 10.254.254.0 255.255.255.0 10.1.2.192 255.255.255.192
access-list nonat_outside_VPN extended permit ip 10.1.2.192 255.255.255.192 10.254.254.0 255.255.255.0
access-list nonat_outside_VPN extended permit ip 10.1.2.192 255.255.255.192 10.1.2.192 255.255.255.192
access-list nonat_outside_VPN extended permit ip 10.254.254.0 255.255.255.0 10.254.254.0 255.255.255.0

Thank you for your help.

Sorry - I was focusing on

Marvin Rhoads — Wed, 22 Jul 2015 12:58:12 GMT

Sorry - I was focusing on your config, not the syslog message.

The error message indicates:

Connection for udp src outside:10.1.2.248/52943 dst outside:10.190.22.160/59894 denied due to NAT reverse path failure

That indicates a failing source IP address is outside, not inside on the LAN. The flow from VPN to LAN should work per the packet-tracer above.

Are there other things to

jwilder01 — Wed, 22 Jul 2015 14:46:47 GMT

Are there other things to look at on the ASA that may impact RDP from the 10.10.32.20 to the VPN client?

Jason