topic Hi Jouni, The ASA Version is in Network Security

Denied due to NAT reverse path failure

Adam Handley — Tue, 12 Mar 2019 05:10:08 GMT

Hi,

I have a really annoying issue with Natting on a Cisco ASA Firewall.

I have an Internal device which needs to talk to a device which is in the DMZ. The routing etc is fine, they can communicate with each other. The issue is, the device in the DMZ also needs external access so I have set it up with a NAT. Once i set it up with the NAT it allows external access but stops internal access. I get the following error:

2014-12-02 08:02:04 local4.notice 10.182.15.80 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Inside:10.182.16.45/61264 dst DMZ:192.168.150.60/24 denied due to NAT reverse path failure\n

I can manipulate the advanced NAT settings to allow the two devices to speak but I then lose external connection to the device in the DMZ.

Any ideas how I get away from this NAT reverse path failure?

Thanks in advance.

Adam

Hi, From the looks of it you

Jouni Forss — Tue, 02 Dec 2014 09:15:30 GMT

Hi,

From the looks of it you are using a software level 8.2 (or below) on the ASA.

From what I gather you have configured a "nat" statement for the "DMZ" interface which now catches both the Internet and the Internal traffic.

Typically in this case you would have to configure a Static Identity NAT to avoid the connection attemps between the "DMZ" and "Inside" from being matched to the "nat" command you have added.

I would assume it should look something like this

static (DMZ,Inside) 192.168.150.0 192.168.150.0 netmask 255.255.255.0

Ofcourse the subnet address and the mask might be something different than above but that should be the format.

If we saw the current configuration we might be able to more accurately determine if there are any other problems.

Hope this helps 🙂

- Jouni

Hi Jouni, The ASA Version is

Adam Handley — Tue, 02 Dec 2014 09:45:38 GMT

Hi Jouni,

The ASA Version is 9.1(1), ASDM Version 7.1(1).

It states that 'Static' command has now been deprecated, what would be the new command to enter? Its not very often i go into the command line, majority of the configuration/maintenance is done through ASDM.

Thanks for the help.

Adam

Hi, Ok, so you are actually

Jouni Forss — Tue, 02 Dec 2014 09:59:24 GMT

Hi,

Ok, so you are actually using the newer software with the new NAT configuration format.

Well then it seems like you have possibly missconfigured some Dynamic NAT/PAT rule since in the newer softwares (8.3 and above) there is no real need to configure any NAT that would apply between internal interfaces (like LAN <-> DMZ). NAT is typically only configured referencing an internal and external interface.

I would really need to see the output of

show run nat

and possibly if the used "object" and "object-group" dont describe the subnet configured under them I would need some outputs from those objects

for example if you want to list all the "object" and "object-group" then you can use

show run object network

show run object-group network

or if you want to view the configurations of specific objects then you can use

show run object id <object name>

show run object-group id <object name>

I guess it might be possible that you have configured a Dynamic translation and used "any" parameter in the "nat" commands which would cause this behaviour.

- Jouni

#Show run natobject network

Adam Handley — Tue, 02 Dec 2014 10:09:09 GMT

#Show run nat

object network Sophos_Encrypt
nat (Inside,DMZ) static 217.16.11.52

This is the one that affects whether i can get internal or external access. If I leave it on (Any, Any) then it allows external access only. If i have it on (Inside, DMZ) then it allows internal access only.

#sh run object id Sophos_Encrypt
object network Sophos_Encrypt
host 192.168.150.60

Thanks

Adam

Hi, The above NAT

Jouni Forss — Tue, 02 Dec 2014 11:23:00 GMT

Hi,

The above NAT configuration does Static NAT from "Inside" to "DMZ". It translates a private "Inside" address to a public IP address towards "DMZ"

Unless there is some specific need I would suggest not doing any NAT between "Inside" and "DMZ"

Unless the NAT configuration is large could you share the whole NAT configuration (remove any sensitive information)

I would also need a specific description on which kind of translations you want to achieve.

For example a typical small setup with LAN and DMZ might follow the below logic in its NAT configurations

Dynamic PAT for all Internal interfaces (LAN&DMZ) towards the external network
Static NAT or Static PAT configurations from DMZ (or LAN) towards the external network
No NAT configurations between internal interfaces

Lets say you had requirement for only Dynamic PAT for all internal subnets and one Static NAT for the DMZ then the configuration might look like this

Dynamic PAT

nat (any,outside) after-auto source dynamic any interface

Static NAT

object network STATIC-DMZ
host <internal ip>
nat (dmz,outside) static <public ip>

In the above the Dynamic PAT would guarantee that any host behind the internal interfaces would have a translation rule. The Static NAT configuration would bind one DMZ hosts internal IP address to a public IP address towards the external network only. This would enable accessing the server from external network.

- Jouni

Thanks Jouni, really

Adam Handley — Tue, 02 Dec 2014 11:51:55 GMT

Thanks Jouni, really appreciate the help. The Static NAT section at the bottom was the key. (dmz, outside). I was sure i had tried that combination. tried it again and i am now able to get internal and external communication to the device in the DMZ.

I appreciate the help.

Adam