topic Re: NAT reverse path failure in Network Security

NAT reverse path failure

reaven — Tue, 11 Jun 2019 14:54:40 GMT

I have a wan router(70.70.70.129) from where I need to access a syslog server on inside with its real ip address(192.168.1.192).

I have setup an access list on outside int:

access-list outside_acl extended permit udp host 70.70.70.129 host 192.168.1.192 eq syslog

with this so far I get the Nat reverse path failure

now if I add a nat rule:

inside outside 192.168.1.192 any any 192.168.1.192

everything works except the syslog server loose access to internet, I am confuse in what I need to add to enable both, access to internet and access to the server via its private ip address.

Re: NAT reverse path failure

Francesco Molino — Tue, 11 Jun 2019 15:30:10 GMT

Can you share your config please?

I would remove the nat you put in place and change to something like:

Object network SYSLOG-SRV

host 192.168.1.192

nat (inside, outside) static 70.70.70.129 service udp 514 514

Also when you’ve done this, please run a packet-tracer and paste the output:

packet-tracer input outside udp 8.8.8.8 1234 70.70.70.129 514

Re: NAT reverse path failure

Sheraz.Salim — Wed, 12 Jun 2019 13:35:15 GMT

would be great if you could share the config of your firewall. mean time please have look on this config.

object network syslog_server
host 192.168.1.192
!
nat (inside,outside) static interface
!
access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
!
access-group outside_acl in interface outside

Re: NAT reverse path failure

reaven — Wed, 12 Jun 2019 12:32:36 GMT

Hi thank for your answers, I am trying to sanitized the config since is very extend and I dont have permission to post it in its entirely.

Meanwhile whats the nat (inside,outside) static interface does, its missing something ? whats the difference from the one I have nat (inside,outside) static 192.168.1.192 no-proxy-arp

Re: NAT reverse path failure

Sheraz.Salim — Wed, 12 Jun 2019 13:38:38 GMT

the below rule,

nat (inside,outside) static interface

if traffic coming from inside interface and going toward outside network use the outside interface ip address (i.e 82.1.5.4).

Now coming to your nat rule

nat (inside,outside) static 192.168.1.192 no-proxy-arp

you saying if traffic coming from inside and going toward outside network use address 192.168.1.192. in this case address 192.168.1.192 is your inside address and this address cant be routed out due to RFC 1918.

now you have two choices,

Step 1.

=====

Object network syslog_server

host 192.168.1.192

nat (inside, outside) static 70.70.70.129 service udp 514 514

access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
access-group outside_acl in interface outside

(Note. if you need to access the syslog server from outside than you need to define the ACL as i mentioned)

Step2

====

object network syslog_server
host 192.168.1.192
!
nat (inside,outside) static interface

access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
access-group outside_acl in interface outside

(Note. if you need to access the syslog server from outside than you need to define the ACL as i mentioned)

now I do not know what is your public ip address. so you can use the command nat (in,out) static interface. this will use your firewall outside interface ip address. the choice is yours.

Re: NAT reverse path failure

reaven — Thu, 13 Jun 2019 13:55:52 GMT

this have been given to me very redacted/"sanitized".

my syslog server = mon002 = 10.10.1.192

my wan router is connected to my outside interface with ip 1.1.1.129

I need for my wan router to access my syslog server, there is an ip route in my wan router to route traffic destined to 10.10.1.192 through 1.1.1.130

hostname Firewall
!
interface Ethernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.130 255.255.255.224 
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0 
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog  
arp timeout 14400
no arp permit-nonconnected
!
object network obj-10.10.1.0
 nat (inside,outside) dynamic og_global_outside-1
 nat (aruba,outside) dynamic og_global_outside-1
object network ob-10.10.1.192
 nat (inside,outside) static 10.10.1.192 no-proxy-arp
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group bppr_acl in interface bppr
access-group aruba_access_in in interface aruba
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1 
http server enable
snmp-server host inside 10.10.1.192 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
sysopt connection tcpmss 1460

Re: NAT reverse path failure

Sheraz.Salim — Wed, 12 Jun 2019 19:02:20 GMT

object network mon001
host 10.10.1.192
description PRTG monitoring
nat (inside,outside) static interface
!
access-list outside_acl extended permit udp host any host 10.10.1.192 eq syslog
(or)
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
!
access-group outside_acl in interface outside
!
packet-tracer input outside udp 1.1.1.129 1234 1.1.1.129 syslog

or if you like you can move your nat rule into section 1.

nat (inside,outside) source static mon001 interface

access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
!
access-group outside_acl in interface outside
!
packet-tracer input outside udp 1.1.1.129 1234 1.1.1.129 syslog

Re: NAT reverse path failure

reaven — Wed, 12 Jun 2019 21:39:33 GMT

when enable the nat rule, what the below error really means is all traffic from 10.10.1.192 ?

nat (inside,outside) source static ms001mon002 interface
WARNING: All traffic destined to the IP address of the outside interface is bein g redirected.
WARNING: Users may not be able to access any service enabled on the outside inte rface.

anyways am still getting the error

ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection for udp src outside 1.1.1.129 dst inside 10.10.1.192/514 denied due to NAT reverse path failure.

Re: NAT reverse path failure

Francesco Molino — Thu, 13 Jun 2019 01:36:50 GMT

Your monitor tool has ip 10.10.1.192, am i right?

When you're adding the nat be careful because you have a nat in top position which is nating the subnet 10.10.1.0.

Then put the nat statement i gave before this nat.

Also, you have at the end a nat with any any interface which isn't following best practices. Replace any any by the correct source and destination interface name.

Re: NAT reverse path failure

Sheraz.Salim — Thu, 13 Jun 2019 11:09:39 GMT

@Francesco Molino @reaven

I have lab this up. .

object network SYS-LOG

host 10.10.1.192

nat (inside,outside) source static interface service 514 514

access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog

access-list outside_acl in interface outside

packet tracer input outside udp 1.1.1.129 12345 1.1.1.30 514

Re: NAT reverse path failure

reaven — Thu, 13 Jun 2019 13:52:42 GMT

@Sheraz.Salim @Francesco Molino

First thansk for the support, help and patience.

reading your suggestions I realized my error, In the NAT rule I had created I leave any instead of specifying the port 514

now internet on the monitoring tool and the syslog are working !!!