topic Re: Asymmetric NAT rules matched for forward and reverse flows in Network Security

Asymmetric NAT rules matched for forward and reverse flows

elettrico75 — Mon, 11 Mar 2019 19:23:12 GMT

I have this configuration on my structure

Outside1 93.63.x.x primary internet connection (WAN)

Outside2 85.33.x.x backup internet connection if primary down

inside 200.1.1.3 Local network connection (LAN)

DMZ 30.30.30.10 Security zone (mail server and http server location)

when i try to go to my website (www.lamaddalexxxxxxx.xx) from the machine that exit to internet using 200.1.1.3 the firewal make this error

Asymmetric NAT rules matched for forward and reverse flow; Connection protocol src interface_name:source_address/source_port destinterface_name:dest_address/dest_port

denied due NAT reverse path failure.

An attempt to connect to a mapped host using its actual address war reject.

in Detail the error is

Asymmetric NAT rules matched for forward and reverse flows; connection for tcp src inside:(pc_name)/43799 dst DMZ:30.30.30.30/80 denied due to NAT reverse path failure

this is my running-config

: Saved
:
ASA Version 8.2(2)
!
name 200.1.x.x yyyyy

---
dns-guard
!
interface Ethernet0/0
nameif outside1
security-level 0
ip address 93.63.x.x 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 200.1.1.3 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 30.30.30.10 255.255.255.0
!
interface Ethernet0/3
nameif outside2
security-level 0
ip address 85.33.x.x 255.255.255.248
!
interface Management0/0
nameif management
security-level 90
ip address 10.0.0.1 255.255.255.0
!
regex domainlist1 "\.myspace\.com"
regex Youtube "\.youtube\.com"
regex myspace "\.myspace\.com"
regex facebook "\.facebook\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside1
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup outside2
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj-93.63.x.x
object-group network obj_any
object-group network obj_any-01
object-group network obj_any-02
object-group network obj-30.30.30.30-06
object-group network obj-30.30.30.30-07
object-group network obj_any-03
object-group network obj_any-04
object-group network obj_any-05
----
object-group service internet
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq 3389
service-object tcp eq 32000
service-object tcp eq imap4
service-object tcp eq 2703
service-object tcp eq domain
service-object tcp eq hostname
service-object tcp-udp eq 995
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service posta tcp
description posta
port-object eq pop3
port-object eq smtp
port-object eq 32000
port-object eq 995
object-group network Admin
---
object-group network Amministrazione
description Pool ip amministrazione
network-object host XXX
----
group-object Admin
-----
object-group service DM_INLINE_SERVICE_1
service-object ip
group-object internet
object-group service DM_INLINE_SERVICE_2
service-object ip
group-object internet
object-group service DM_INLINE_SERVICE_3
service-object ip
group-object internet
object-group service DM_INLINE_SERVICE_4
service-object ip
group-object internet
access-list DMZ_access_in extended permit object-group internet any any inactive
access-list DMZ_access_in extended permit ip host 30.30.30.30 any
access-list DMZ_access_in extended permit ip 200.1.0.0 255.255.0.0 host 30.30.30.30
access-list DMZ_access_in extended permit ip host 30.30.30.20 any
access-list DMZ_access_in extended permit object-group internet 93.63.x.y 255.255.255.248 host 30.30.30.30
access-list inside_mpc extended permit object-group TCPUDP any any eq www inactive
access-list outside1_mpc extended permit object-group TCPUDP any any eq www inactive
access-list inside_mpc_1 extended permit tcp object-group Amministrazione any eq www inactive
access-list inside_nat0_outbound extended permit ip any 200.1.100.96 255.255.255.224
access-list outside1_access_in remark Migration: End of expansion
access-list outside1_access_in extended permit object-group internet any host 93.63.x.x
access-list outside1_access_in remark Migration: End of expansion
access-list outside1_access_in extended permit object-group internet any object-group Amministrazione
access-list inside_access_in remark Migration: End of expansion
access-list inside_access_in extended permit ip object-group Amministrazione any
access-list inside_access_in remark Migration: End of expansion
access-list inside_access_in extended permit object-group internet object-group Amministrazione any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host Prestano inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 93.63.x.y 255.255.255.248
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 85.33.x.x 255.255.255.248
access-list inside_access_in extended permit object-group internet any host 30.30.30.30
access-list inside_access_in extended permit object-group internet host 30.30.30.30 200.1.0.0 255.255.0.0
access-list inside_access_in extended permit object-group internet object-group Amministrazione host 30.30.30.30
access-list inside_access_in extended permit ip 200.1.0.0 255.255.0.0 200.1.100.96 255.255.255.224
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host Prestano any inactive
access-list outside2_access_in remark Migration: End of expansion
access-list outside2_access_in extended permit object-group internet any host 85.33.x.x
access-list test standard permit 200.1.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside2 1500
mtu management 1500
ip local pool VPNmedark 200.1.100.100-200.1.100.120 mask 255.255.0.0
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (outside1) 101 interface
global (inside) 2 interface
global (DMZ) 1 30.30.30.30-30.30.30.50 netmask 255.0.0.0
global (outside2) 101 interface
nat (inside) 101 200.1.0.0 255.255.0.0
nat (DMZ) 101 30.30.30.20 255.255.255.255
nat (DMZ) 101 30.30.30.30 255.255.255.255
static (DMZ,outside1) tcp interface www 30.30.30.30 www netmask 255.255.255.255
static (DMZ,outside1) tcp interface smtp 30.30.30.30 smtp netmask 255.255.255.255
static (DMZ,outside1) tcp interface pop3 30.30.30.30 pop3 netmask 255.255.255.255
static (DMZ,outside1) tcp interface 32000 30.30.30.30 32000 netmask 255.255.255.255
static (DMZ,outside1) tcp interface imap4 30.30.30.30 imap4 netmask 255.255.255.255
static (DMZ,outside1) tcp interface 3389 30.30.30.30 3389 netmask 255.255.255.255
static (DMZ,outside1) tcp interface sip 30.30.30.30 sip netmask 255.255.255.255
static (inside,DMZ) 200.1.0.0 200.1.0.0 netmask 255.255.0.0
static (DMZ,inside) 93.63.167.220 30.30.30.30 netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside2_access_in in interface outside2
route outside1 0.0.0.0 0.0.0.0 93.63.x.y 1 track 1
route outside2 0.0.0.0 0.0.0.0 85.x.x.x 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.192.168 255.255.255.255 management
http 192.168.192.169 255.255.255.255 management
http Enia 255.255.255.255 inside
http La_Manno 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 85.18.200.200 interface outside1
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map esterna_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map esterna_map interface outside1
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto ca server
shutdown
smtp from-address admin@ciscoasa.null
crypto isakmp enable outside1
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet Garrincha 255.255.255.255 inside
telnet timeout 5
ssh Enia 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access management
priority-queue DMZ
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
svc ask enable default webvpn
group-policy Medarchiver internal
group-policy Medarchiver attributes
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test
default-domain none
intercept-dhcp disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools value VPNmedark
smartcard-removal-disconnect enable
client-firewall none
webvpn
url-list none
filter none
port-forward disable
http-proxy disable
sso-server none
svc dtls enable
svc mtu 1406
svc keep-installer installed
svc keepalive 20
svc compression none
svc modules none
svc ask enable default webvpn
keep-alive-ignore 4
http-comp gzip
user-storage none
storage-objects value credentials,cookies
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
file-entry enable
file-browsing enable
url-entry enable
smart-tunnel auto-signon disable
svc df-bit-ignore disable
svc routing-filtering-ignore disable
---
service-type remote-access
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group LaMaddalena type remote-access
tunnel-group LaMaddalena general-attributes
address-pool VPNmedark
tunnel-group LaMaddalena ipsec-attributes
pre-shared-key *****
tunnel-group medarchiver type remote-access
tunnel-group medarchiver general-attributes
address-pool VPNmedark
tunnel-group medarchiver ipsec-attributes
pre-shared-key *****
!
class-map FACEBOOK
match access-list outside1_mpc
class-map type regex match-any DomainBlockList
match regex facebook
match regex myspace
match regex Youtube
class-map rallenta
match access-list inside_mpc_1
class-map DMZ-class
match any
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match request header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class AppHeaderClass
drop-connection log
class BlockDomainClass
reset log
policy-map type inspect http http_rallenta_siti
parameters
protocol-violation action drop-connection
class BlockDomainClass
log
policy-map FACEBOOK
class FACEBOOK
inspect http http_rallenta_siti
police input 32000 1500
police output 32000 1500
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map inside-policy
class httptraffic
inspect http http_rallenta_siti
police input 32000 1500
police output 32000 1500
class rallenta
inspect http http_rallenta_siti
police input 16000 1500
policy-map DMZ-policy
class DMZ-class
inspect http
priority
set connection conn-max 256 per-client-max 50
!
service-policy global_policy global
service-policy FACEBOOK interface outside1
service-policy inside-policy interface inside
service-policy DMZ-policy interface DMZ
prompt hostname context
service call-home
---
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile profile0
no active
---
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group configuration export full
Cryptochecksum:f619d3adf0cfdda948a9f736818c7386
: end

Re: Asymmetric NAT rules matched for forward and reverse flows

Jennifer Halim — Thu, 16 Dec 2010 10:18:59 GMT

You have a lot of overlapping ip addresses configured on your translation statement:

IP Address of 30.30.30.30 is used more than once which is incorrect:

global (DMZ) 1 30.30.30.30-30.30.30.50 netmask 255.0.0.0

nat (DMZ) 101 30.30.30.30 255.255.255.255

static (DMZ,inside) 93.63.167.220 30.30.30.30 netmask 255.255.255.255

What are you actually trying to configure?

30.30.30.30 can't be configured as a NAT statement as well as global statement.

Please kindly advise what ip address is your source traffic, and what destination ip address you are trying to reach to understand the traffic flow.

Re: Asymmetric NAT rules matched for forward and reverse flows

elettrico75 — Thu, 16 Dec 2010 11:27:57 GMT

I have web and mail server 30.30.30.30 in DMZ

cisco can nat the external IP to this host

What should i do for this?

Re: Asymmetric NAT rules matched for forward and reverse flows

Jennifer Halim — Thu, 16 Dec 2010 11:32:15 GMT

You don't need the following 2 for sure:

global (DMZ) 1 30.30.30.30-30.30.30.50 netmask 255.0.0.0

nat (DMZ) 101 30.30.30.30 255.255.255.255

Please remove the above 2 lines.

This is also incorrect:

static (DMZ,inside) 93.63.167.220 30.30.30.30 netmask 255.255.255.255

(--> can you please advise what you are trying to achieve with this line?)

After removing the above, please kindly "clear xlate"

Re: Asymmetric NAT rules matched for forward and reverse flows

elettrico75 — Thu, 16 Dec 2010 11:50:36 GMT

this is now the situation

global (outside1) 101 interface
global (inside) 2 interface
global (outside2) 101 interface
nat (inside) 101 200.1.0.0 255.255.0.0
nat (DMZ) 101 30.30.30.20 255.255.255.255
static (DMZ,outside1) tcp interface www 30.30.30.30 www netmask 255.255.255.255
static (DMZ,outside1) tcp interface smtp 30.30.30.30 smtp netmask 255.255.255.255
static (DMZ,outside1) tcp interface pop3 30.30.30.30 pop3 netmask 255.255.255.255
static (DMZ,outside1) tcp interface 32000 30.30.30.30 32000 netmask 255.255.255.255
static (DMZ,outside1) tcp interface imap4 30.30.30.30 imap4 netmask 255.255.255.255
static (DMZ,outside1) tcp interface 3389 30.30.30.30 3389 netmask 255.255.255.255
static (DMZ,outside1) tcp interface sip 30.30.30.30 sip netmask 255.255.255.255
static (inside,DMZ) 200.1.0.0 200.1.0.0 netmask 255.255.0.0

this is access rules

access-list DMZ_access_in extended permit object-group internet any any inactive
access-list DMZ_access_in extended permit ip host 30.30.30.30 any
access-list DMZ_access_in extended permit ip 200.1.0.0 255.255.0.0 host 30.30.30.30
access-list DMZ_access_in extended permit ip host 30.30.30.20 any
access-list DMZ_access_in extended permit object-group internet 93.63.167.216 255.255.255.248 host 30.30.30.30
access-list inside_mpc extended permit object-group TCPUDP any any eq www inactive
access-list outside1_mpc extended permit object-group TCPUDP any any eq www inactive
access-list inside_mpc_1 extended permit tcp object-group Amministrazione any eq www inactive
access-list inside_nat0_outbound extended permit ip any 200.1.100.96 255.255.255.224
access-list outside1_access_in remark Migration: End of expansion
access-list outside1_access_in extended permit object-group internet any host 93.63.167.220
access-list outside1_access_in remark Migration: End of expansion
access-list outside1_access_in extended permit object-group internet any object-group Amministrazione
access-list inside_access_in remark Migration: End of expansion
access-list inside_access_in extended permit ip object-group Amministrazione any
access-list inside_access_in remark Migration: End of expansion
access-list inside_access_in extended permit object-group internet object-group Amministrazione any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host Prestano inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 93.63.167.216 255.255.255.248
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 85.33.214.152 255.255.255.248
access-list inside_access_in extended permit object-group internet any host 30.30.30.30
access-list inside_access_in extended permit object-group internet host 30.30.30.30 200.1.0.0 255.255.0.0
access-list inside_access_in extended permit object-group internet object-group Amministrazione host 30.30.30.30
access-list inside_access_in extended permit ip 200.1.0.0 255.255.0.0 200.1.100.96 255.255.255.224
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host Prestano any inactive
access-list outside2_access_in remark Migration: End of expansion
access-list outside2_access_in extended permit object-group internet any host 85.33.214.154
access-list test standard permit 200.1.0.0 255.255.0.0

and this is the message

%ASA-3-710003: {TCP|UDP} access denied by ACL from
source_IP/source_port to interface_name:dest_IP/service
The adaptive security appliance denied an attempt to connect to the interface service. For example, the adaptive security appliance received an SNMP request from an unauthorized SNMP management station. If this message appears frequently, it can indicate an attack.

3 Dec 16 2010 12:38:54 Garrincha 48937 93.63.167.220 80 TCP access denied by ACL from Garrincha/48937 to inside:93.63.167.220/80

Re: Asymmetric NAT rules matched for forward and reverse flows

Jennifer Halim — Fri, 17 Dec 2010 10:42:38 GMT

Sorry, can you please explain what is supposed to be the source ip address, and the destination ip address that you are trying to access? and are you trying to NAT anything at all? or you are trying to access its real ip address?

Further to that, can you please advise what ip address you have named "Garrincha"?

Re: Asymmetric NAT rules matched for forward and reverse flows

elettrico75 — Fri, 17 Dec 2010 13:38:45 GMT

The external internet can nat in dmz for http smtp and other services (see the pictures)

200.1.1.3 is the gateway from selected IP (like garrincha).

i can't resolve and go to dmz from internal ethernet lan

Re: Asymmetric NAT rules matched for forward and reverse flows

Michael Wollner — Fri, 17 Dec 2010 14:20:31 GMT

Hi,

you will reach your Webserver with their public IP, which is located in your DMZ.

You must use DNS Doctoring to rewrite the DNS request:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807968c8.shtml

mfg

Michael