topic denied due to NAT reverse path failure in Network Security

denied due to NAT reverse path failure

benningtonr — Tue, 12 Mar 2019 04:54:16 GMT

I have seen lots about this, but none seen to match my issue.

I have an asa5550 with and inside, outside and DMZ network, hanging off the Inside i have an asa 5505 with my dabase network.

I can get to me db net from the inside, and via an outside nat from the outside. But no matter what I do I cannot get to it from the dmz. The db net can access the DMZ for dns and such, but i cannot originate contact from the DMZ.

I am getting the following when conecting via the dmz

5 Oct 10 2014 13:02:29 305013 x.x.129.1 172.20.0.80 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src web_dmz:x.x.129.1 dst inside:172.20.0.80 (type 8, code 0) denied due to NAT reverse path failure

path would be x.x.129.0 net -> 192.168.99.0 net -> 172.20.0.0 net

asa5550 asa5505

Hi,Would you be able to share

Vibhor Amrodia — Sat, 11 Oct 2014 05:00:13 GMT

Hi,

Would you be able to share the configuration from the ASA device ?

Also , try a packet trace from DMZ to the inside server ?

Thanks and Regards,

Vibhor Amrodia

Well, the logg error states

Marius Gunnerud — Mon, 13 Oct 2014 08:20:20 GMT

Well, the logg error states it quite clearly. You have two NAT statements that match the traffic and it would seem that these statements reference different interfaces.

As Vibhor has mentioned we would need to see your configuration in order to find the statement/s that are causing the issue. Or you could try combing through your configuration yourself in order to find it.

Please remember to select a correct answer and rate helpful posts

Here are the configs, the 99

benningtonr — Mon, 13 Oct 2014 11:28:30 GMT

Here are the configs, the 99.1 is the ouside/inside/DMZ

The 98.17 is the inside/inside behind the 99.1 inside network

I am getting the error on the 99.1 asa

Here is the packet trace

benningtonr — Mon, 13 Oct 2014 12:50:26 GMT

Here is the packet trace:

Access-List

Type -

ACCESS-LIST

Action -

ALLOW

Show rule in Access Rules table.

Config

Implicit Rule

Info

MAC Access list

Route-Lookup

Type -

ROUTE-LOOKUP

Action -

ALLOW

Info

in 172.20.0.0 255.255.255.0 inside

Access-List

Type -

ACCESS-LIST

Action -

ALLOW

Show rule in Access Rules table.

Config

access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
object-group network DM_INLINE_NETWORK_13
network-object host x.x.129.1
network-object host x.x.130.8
object-group network DM_INLINE_NETWORK_14
network-object host 172.20.0.80
network-object host x.x.141.40

Ip-Options

Type -

IP-OPTIONS

Action -

ALLOW

NAT

Type -

NAT

Subtype -

rpf-check

Action -

DROP

Show rule in NAT Rules table.

Config

nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any web_dmz any
dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
translate_hits = 1435672, untranslate_hits = 51898

100

RESULT - The packet is dropped.

true

info: (acl-drop) Flow is denied by configured rule

What was the source IP you

Marius Gunnerud — Tue, 14 Oct 2014 07:46:02 GMT

What was the source IP you used. Normally an RPF failure in the packet tracer would indicate that you have sourced the packet from the wrong IP.

packet-tracer input web_dmz tcp x.x.129.10 12345 172.20.0.80 80 detail

Please remember to select a correct answer and rate helpful posts

Absolutely using the correct

benningtonr — Tue, 14 Oct 2014 11:19:19 GMT

Absolutely using the correct IP address, for source and dest.

From the inside I can ping the 172, but coming through the dmz to the inside I cannot.

inside is a 192 net, db net is a 172 net.

ciscoasa# packet-tracer input web_dmz tcp x.x.130.8 sqlnet 172.20.0.80 sqlnet$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242ed5a0, priority=1, domain=permit, deny=false
hits=19230845209, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit tcp object-group EmediaVa-Servers any object-group DM_INLINE_TCP_5
access-list web_dmz_access_in remark out for Qumu
object-group network EmediaVa-Servers
description: EmediaVa Servers
network-object host x.x.128.94
network-object host x.x.130.106
network-object host x.x.130.107
network-object host x.x.130.113
network-object host x.x.130.115
network-object host x.x.130.9
network-object host x.x.130.108
network-object host x.x.130.8
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
port-object eq sqlnet
port-object eq ssh
port-object eq 3306
Additional Information:
Forward Flow based lookup yields rule:
in id=0x245cd7a0, priority=12, domain=permit, deny=false
hits=42, user_data=0x1dbac5c0, cs_id=0x0, flags=0x0, protocol=6
src ip=64.5.130.8, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242efb38, priority=0, domain=inspect-ip-options, deny=true
hits=540245079, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect sqlnet
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269e4100, priority=70, domain=inspect-sqlnet, deny=false
hits=107, user_data=0x269e3cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any web_dmz any
dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
translate_hits = 1471616, untranslate_hits = 53052
Additional Information:
Forward Flow based lookup yields rule:
out id=0x24593bb8, priority=1, domain=nat-reverse, deny=false
hits=861010, user_data=0x24593948, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: web_dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

for the sake of elimination

Marius Gunnerud — Tue, 14 Oct 2014 11:21:27 GMT

for the sake of elimination could you add a permit ip any any to the web_dmz_access_in ACL and test. Just remember to remove it after you are done testing.

Please remember to select a correct answer and rate helpful posts

Looks like the same result

benningtonr — Tue, 14 Oct 2014 11:26:28 GMT

Looks like the same result

ciscoasa# packet-tracer input web_dmz tcp x.x.130.8 sqlnet 172.20.0.80 sqlnet$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242ed5a0, priority=1, domain=permit, deny=false
hits=19237240552, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit ip any any
access-list web_dmz_access_in remark Eduwidgets
Additional Information:
Forward Flow based lookup yields rule:
in id=0x28a6e870, priority=12, domain=permit, deny=false
hits=912, user_data=0x1db70040, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242efb38, priority=0, domain=inspect-ip-options, deny=true
hits=540465202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect sqlnet
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269e4100, priority=70, domain=inspect-sqlnet, deny=false
hits=109, user_data=0x269e3cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any web_dmz any
dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
translate_hits = 1472039, untranslate_hits = 53052
Additional Information:
Forward Flow based lookup yields rule:
out id=0x24593bb8, priority=1, domain=nat-reverse, deny=false
hits=861241, user_data=0x24593948, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

okay, it has been solved, I

benningtonr — Tue, 14 Oct 2014 14:49:42 GMT

okay, it has been solved, I opened a case with cisco. This was a High Priority item for me, i needed to add a nat for the 172 net on the web-dmz. I only had a nat statment for it on the inside.

static (inside,web_dmz) 172.20.0.80 17220.0.80 etc.......

So all is working now, yay Cisco, thanks you for all the help