new to ASA 8.4 issue with asymmetric nat rules

James Smith — Mon, 11 Mar 2019 22:53:27 GMT

G'day All,

I am have just completed my first ASA install using 8.4 software, I was ok with 8.2 and prior for NAT, but I am running into an issue with the 8.4 setup.

I have a 5585 that is running multiple contexts, one of the contexts connects to a cisco wlc on it's inside interface. Wireless users are able to associate to the wlan fine, but their dhcp server is upstream on the outside of the asa. My issue is when clients attempt to grab a dhcp address, the dhcp offer is being dropped by the firewall due to:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.200.84/67 dst inside:192.168.79.14/67 denied due to NAT reverse path failure

The dhcp server is upstream and is 192.168.200.84 and 192.168.79.14 is the wlan interface on the wlc. Can someone please have a look over my config and advise where I am going wrong.

Below is the complete config for the context, keep in mind that this is only in test at the moment and is presently completely private, there is no public access presently.

asa/test# sh run

: Saved

ASA Version 8.4(1) <context>

hostname test

enable password *********** encrypted

passwd ********** encrypted

names

interface outside_test

nameif outside

security-level 0

ip address 192.168.207.91 255.255.255.248

interface inside_test

nameif inside

security-level 100

ip address 192.168.79.125 255.255.255.128

interface radtest

nameif radtest

security-level 50

ip address 10.1.0.251 255.255.255.248

object network test-inside

subnet 192.168.79.0 255.255.255.128

object-group network radtest

network-object 10.1.0.181 255.255.255.255

network-object 10.1.0.213 255.255.255.255

object-group network out-rad

network-object 192.168.15.68 255.255.255.255

network-object 192.168.15.69 255.255.255.255

object-group service radius_ports udp

port-object range radius radius-acct

port-object range 1812 1813

access-list outside-in extended permit ip any any

access-list radtes-tin extended permit ip any any

access-list inside-in extended permit ip any any

pager lines 24

logging enable

logging buffered debuggin

mtu outside 1500

mtu inside 1500

mtu apnet 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network test-inside

nat (inside,outside) dynamic interface

object network radtest

nat(radtest,outside) dynamic interface

access-group outside-in in interface outside

access-group inside-in in interface inside

access-group radtest-in in interface radtest

route outside 0.0.0.0 0.0.0.0 192.168.207.89 1

route apnet 10.1.0.181 255.255.255.255 10.1.0.249 1

route apnet 10.1.0.213 255.255.255.255 10.1.0.249 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h22

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

Cryptochecksum:98edfeccab777266691c489212987947

: end

Thanks for any assistance.

new to ASA 8.4 issue with asymmetric nat rules

James Smith — Tue, 17 Apr 2012 23:21:17 GMT

Surely someone out there can assist me with this. I see plenty of other asymmetric NAT posts receiving plenty of replies.

Come on gurus, show us your stuff.

new to ASA 8.4 issue with asymmetric nat rules

Dennis Mink — Wed, 18 Apr 2012 06:13:57 GMT

James,

this article describes what you are seeing

https://supportforums.cisco.com/docs/DOC-12569

new to ASA 8.4 issue with asymmetric nat rules

Dennis Mink — Wed, 18 Apr 2012 07:04:55 GMT

I addition to this, I think the problem that you are having is that your DHCP server is directing traffic for your WLC (

192.168.79.14) to your ASA, well at least that is what your output shows:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.200.84/67 dst inside:192.168.79.14/67 denied due to NAT reverse path failure

So although you are directing traffic to 192.168.79.14 that IP address will never be presented out the outside interface, because it is hidden behind dynamic NAT:

nat (inside,outside) dynamic interface.

so how is your DHCP server sending offers to the real IP address of the WLC, rather then the NAT-ed IP address (

192.168.207.91)?

new to ASA 8.4 issue with asymmetric nat rules

James Smith — Wed, 16 May 2012 06:23:49 GMT

G'day All,

Turns out I had a number of configuration issues, I got these resolved with the help of the members that replied. Much appreciated for the assistance and my new found working understanding on NAT in 8.4.

Cheers,

topic new to ASA 8.4 issue with asymmetric nat rules in Network Security

new to ASA 8.4 issue with asymmetric nat rules

new to ASA 8.4 issue with asymmetric nat rules

new to ASA 8.4 issue with asymmetric nat rules

new to ASA 8.4 issue with asymmetric nat rules

new to ASA 8.4 issue with asymmetric nat rules