topic Asymmetric NAT rules matched for forward and reverse flow in Network Security

Asymmetric NAT rules matched for forward and reverse flow

mahesh18 — Tue, 12 Mar 2019 02:30:37 GMT

Hi Everyone,

I am pinging from switch connected to outside interface of ASA to the PC connected to the DMZ interface of ASA.

Switch had static route to the DMZ PC subnet.

Also ASA has ACL thats allow ping from outside to DMZ interface subnet ---192.168.70.0

Here is logs

: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.71.1 dst DMZ:192.168.70.10 (type 8, code 0) denied due to NAT reverse path failure

Here 192.168.71.1 is IP of switch interface directly connected to ASA.

192.168.70.10 is PC IP.

I know one way to do this is without using NAT between DMZ and outside interface

Need to know if there is any other way that i can allow ping from outside to PC subnet in DMZ?

Regards

Mahesh

Re: Asymmetric NAT rules matched for forward and reverse flow

Jouni Forss — Sun, 25 Aug 2013 14:21:56 GMT

Hi Mahesh,

Would really need to see the NAT configurations.

Though at the moment it ofcourse seems that the traffic matches different NAT rules on the way in than on the way out.

Usually if you need to allow communications between 2 interfaces and 2 networks without NAT then you dont configure any NAT.

You might have some Dynamic PAT rule that is causing this problem so in that case you should probably configure NAT0 / NAT Exempt for the traffic between these 2 networks.

I am not sure what software version you are running.

- Jouni

Asymmetric NAT rules matched for forward and reverse flow

mahesh18 — Sun, 25 Aug 2013 14:31:28 GMT

Hi Jouni,

Version 9.1(1)

object network Auto_NAT_DMZ

subnet 192.168.70.0 255.255.255.0

description Auto NAT DMZ Interface

object network Outside_pool

range 192.168.72.3 192.168.72.100

description DMZ_ Global

nat (DMZ,outside) source dynamic Auto_NAT_DMZ Outside_pool description Auto NAT DMZ Interface

So above is all NAT config for DMZ where users behind DMZ have IP 192.168.70.0 there source IP gets translated to

Global subnet 192.168.72.3 on the way out.

Regards

MAhesh

Asymmetric NAT rules matched for forward and reverse flow

Jouni Forss — Sun, 25 Aug 2013 14:37:31 GMT

Hi,

So seems you are doing Dynamic NAT from "DMZ" to "outside"

This means that when you try to ICMP / PING the "DMZ" network directly from behind the "outside" interface, that traffic wont hit any NAT rule on the ASA, but the ICMP / PING reply from the "DMZ" will hit the Dynamic NAT rule that you mention. And this is why the traffic will be dropped.

You seem to have configure the "DMZ" Dynamic NAT to Section 1 of the NAT rules with Manual NAT.

This means we will have to configure a NAT0 / NAT Exempt type configuration for traffic to be able to pass without NAT between these networks you mention in the original post.

Something like this should do the trick

object network DMZ

subnet 192.168.70.0 255.255.255.0

object network OUTSIDE

subnet 192.168.71.0 255.255.255.0

nat (DMZ,outside) 1 source static DMZ DMZ destination static OUTSIDE OUTSIDE

That should enable using real addresses between these 2 networks.

All other traffic from "DMZ" to "outside" will continue using Dynamic NAT

- Jouni

Asymmetric NAT rules matched for forward and reverse flow

mahesh18 — Sun, 25 Aug 2013 14:50:21 GMT

Hi Jouni,

Need litte more understanding on this ---

When you said

This means that when you try to ICMP / PING the "DMZ"network directly from behind the "outside"interface, that traffic wont hit any NAT rule on the ASA,

Is this default behaviour? or this is due to my NAT rule?

Also when i do the ping from outside the traffic reaches the PC behind the DMZ interface right?

Regards

MAhesh

Asymmetric NAT rules matched for forward and reverse flow

Jouni Forss — Sun, 25 Aug 2013 14:58:29 GMT

Hi,

The ICMP from "outside" to "DMZ" wont match any NAT configuration you had since you only had the Dynamic NAT from "DMZ" to "outside". So if you used ICMP / PING from "DMZ" to "outside" then that NAT rule would be matched correctly (on both directions)

But when you are using ICMP / PING from "outside" to "DMZ" it doesnt match any NAT rule on the way in but on the way out it would match the Dynamic NAT and this is why you get the NAT error message.

I think the ICMP / PING probably doesnt reach the PC behind the "DMZ" interface. To my understanding the ASA does the check for both directions when the packet comes to the ASA and since there is a problem with the NAT it drops the packet.

- Jouni

Asymmetric NAT rules matched for forward and reverse flow

mahesh18 — Sun, 25 Aug 2013 15:06:55 GMT

Many thanks Again.

Best regards

MAhesh