topic Mahesh,Almost - make the next in Network Security

Asymmetric NAT rules

mahesh18 — Tue, 12 Mar 2019 04:34:08 GMT

Hi Everyone,

I an trying to connect PC to server on port say 4001 here are logs from firewall

: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src RX 172.24.150.15/1937 dst GY:172.31.50.1/4001 denied due to NAT reverse path failure.

I did packet tracer on ASA it shows that packet is dropped due to NAT.

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (GY) 0 0.0.0.0 0.0.0.0

match ip GY any RX any

identity NAT translation, pool 0

translate_hits = 0, untranslate_hits = 0

Additional Information:

Result:

input-interface: RX

input-status: up

input-line-status: up

output-interface: GY

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Need to know how can i fix this?

Regards

MAhesh

Mahesh,Give us some

Marvin Rhoads — Sat, 02 Aug 2014 03:11:24 GMT

Mahesh,

Give us some configuration bits please.

Preferably the config file but "show run nat", " show route" and "show ip address" at least.

Hi Marvin, Thanks for reply

mahesh18 — Sat, 02 Aug 2014 04:13:52 GMT

Hi Marvin,

Thanks for reply.

Here is info

sh run nat

nat (GY) 0 access-list GY_nat0_outbound
nat (GY) 0 0.0.0.0 0.0.0.0

sh ip shows

Gi0/2 GY 172.31.100.11 255.255.255.0 CONFIG

GigabitEthernet0/3 RX 172.24.254.78 255.255.255.240 manual

sh route shows

172.16.0.0 255.240.0.0 [1/0] via 172.31.100.254, GY

Let me know if you need any other info?

Regards

MAhesh

That NAT listing doesn't seem

Marvin Rhoads — Sat, 02 Aug 2014 13:52:00 GMT

That NAT listing doesn't seem to make sense.

You have two "NAT 0" exemptions and no other NAT rules. In that scenario why have NAT configured at all?

Hi Marvin, Under correct

mahesh18 — Sat, 02 Aug 2014 14:54:35 GMT

Hi Marvin,

Under correct setup with present NAT config is there any way i can fix the NAT issue ?

Regards

Mahesh

As I understand it, your PC

Marvin Rhoads — Sat, 02 Aug 2014 18:26:02 GMT

As I understand it, your PC is sending from 172.24.150.15 and coming to the ASA via interface "RX".

According to the route and interface statements you provided, that subnet would be expected to be somewhere in the networks connected upstream of interface GY (due to "172.16.0.0 255.240.0.0" having been set as a static route out that interface).

So the RPF (Reverse Path Forwarding) would expect to not route the return packets back out the same interface they arrived on and thus they would fail RPF check as your log message is showing.

At a minimum, you should ad a route so that the ASA knows to send return traffic to the subnet where your PC is sitting back out interface RX. If you do that, the flow should be recognized as valid return traffic, be part of an un-NATted connection (per your NAT 0 commands), and be allowed to pass.

Hi Marvin,Yes PC is

mahesh18 — Sun, 03 Aug 2014 17:19:02 GMT

Hi Marvin,

Yes PC is connected to interface RX of ASA.

So source interface --or packet comes to ASA on interface RX.

Outgoing interface is GY as per current config.

So per current config Outgoing interface GY covers the source subnet also.

To fix this should i add below route on ASA

route RX 172.24.150.0 255.255.255.0 172.24.254.78

where 172.24.254.78 is interface RX IP address.

Regards

Mahesh

Mahesh,Almost - make the next

Marvin Rhoads — Sun, 03 Aug 2014 17:55:27 GMT

Mahesh,

Almost - make the next hop the gateway (L3 switch or router) address in the 172.24.254.64/28 network (includes addresses 172.24.254.64 - 172.24.254.79) that interface RX is connected to.

Hi Marvin,I checked the

mahesh18 — Mon, 04 Aug 2014 13:56:20 GMT

Hi Marvin,

I checked the routing and found that Firewall already has static route to

source PC IP via interface RX.Also Next hop is Layer 3 switch.

So as per current config this seems to be routing issue or NAT?

Regards

MAhesh

It's hard to say at this

Marvin Rhoads — Mon, 04 Aug 2014 16:11:09 GMT

It's hard to say at this point.

Since you're telling me there's a route that you didn't mention earlier I wonder what else is going on that we haven't seen in this thread yet.

Is it possible to share the whole configuration (sanitized of course)?

Hi MArvin, Seems to be issue

mahesh18 — Sun, 10 Aug 2014 15:15:33 GMT

Hi MArvin,

Seems to be issue with Natting.

When i put below NAT config

static (RX,GY) 0.0.0.0 0.0.0.0 and ran the packet tracer it showed that traffic

is passing via firewall now.

1>Does above static NAT means any source IP coming from int RX and going

to interface GY and vice versa do not no any NAT translations ???

Below is result of packet tracer

Config
static (RX,GY) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
match ip RX any GY any
static translation to 0.0.0.0
translate_hits = 2, untranslate_hits = 6105

Info
Static translate 0.0.0.0/0 to 0.0.0.0/0 using netmask 0.0.0.0

config
static (RX,GY) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
match ip RX any GY any
static translation to 0.0.0.0
translate_hits = 2, untranslate_hits = 6105

Type -    NAT
   Subtype -    rpf-check
   Action -    ALLOW
   Show rule in NAT Rules table.

Config
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any RX any
identity NAT translation, pool 0
translate_hits = 5583, untranslate_hits = 1

Type -    NAT
   Subtype -    host-limits
   Action -    ALLOW
   Show rule in NAT Rules table.

Config
nat (GY) 0 0.0.0.0 0.0.0.0
match ip GY any GY any
identity NAT translation, pool 0
translate_hits = 0, untranslate_hits =

But above NAT config caused other issues in network where we were unable

to reach some servers connected to interface GY.

2>Need to understand how packet tracer shows 3 different NAT configs in its

result?

Regards

MAhesh