topic Re: Reverse path translation problem in Network Security

Reverse path translation problem

anunes1987 — Mon, 11 Mar 2019 19:27:55 GMT

I'm having a problem with NAT , i have a Videoconference system and from site A to SIte B is all good. But when site b tries to dial site A, is not completing and in ASA logs on site B i get reverse path translation failed from DMZ to Inside. Dialing from outside to SITe B is also ok.

This connection between site A and B is made thru MPLS.

Someone can help to fix this? site A IP VC ip is 10.21.2.300 and Site B VC 172.6.18.200

match tcp dmz host 172.6.18.200 eq 80 outside any

static translation to 189.X.X.X/80

translate_hits = 0, untranslate_hits = 25

If any command is need just let me know taht i put up the output

Thanks

Re: Reverse path translation problem

Jennifer Halim — Mon, 27 Dec 2010 12:06:24 GMT

From the ASA perspective, how is site A and site B connected? Can you please share the output of:

show run interface

show run route

show run nat

show run global

show run static

Re: Reverse path translation problem

anunes1987 — Mon, 27 Dec 2010 13:16:37 GMT

interface GigabitEthernet0/0
speed 100
duplex full
mac-address 0019.30c9.6f0c
nameif outside
security-level 0
ip address 189.X.X.X 255.255.255.240
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.6.1.1 255.255.255.0
!
interface GigabitEthernet0/2
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.1
description
vlan 2
nameif dmz-7
security-level 4
ip address 172.6.5.4 255.255.255.0
!
interface GigabitEthernet0/2.2
vlan 4
nameif dmz
security-level 4
ip address 172.6.18.1 255.255.255.0

sh run route
route outside 0.0.0.0 0.0.0.0 189.39.32.33 1
route inside 10.21.0.0 255.255.0.0 172.6.1.10 1
route inside 172.16.2.0 255.255.255.0 172.6.1.10 1
route inside 172.16.6.0 255.255.255.0 172.6.1.10 1
route inside 172.16.10.0 255.255.255.0 172.6.1.10 1
route inside 172.16.20.0 255.255.255.0 172.6.1.10 1
route inside 172.16.60.0 255.255.255.0 172.6.1.10 1
route inside 192.168.21.0 255.255.255.0 172.6.1.10 1
route inside 192.168.224.0 255.255.255.0 172.6.1.10 1
route dmz1 199.X.X.X 255.255.248.0 172.6.5.12 1
route dmz1 199.X.X.X 255.255.255.248 172.6.5.12 1
route dmz1 199.X.X.X 255.255.255.254 172.6.5.12 1
route dmz1 205.X.X.X 255.255.255.0 172.6.5.12 1
route dmz1 208.X.X.X 255.255.255.0 172.6.5.12 1

sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.6.1.201 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz2) 1 172.6.18.25 255.255.255.255

SPOFWL01# sh run global
global (outside) 1 interface
global (dmz1) 1 interface
global (dmz2) 1 interface

sh run stat
static (dmz2,outside) tcp 189.X.X.X www 172.6.18.22 82 netmask 255.255.255.255
static (dmz2,outside) tcp 189.X.X.X www 172.6.18.22 81 netmask 255.255.255.255
static (dmz2,outside) tcp 189.X.X.X https 172.6.18.22 https netmask 255.255.255.255
static (dmz2,outside) tcp 189.X.X.X www 172.6.18.22 www netmask 255.255.255.255
static (dmz2,outside) tcp 189.X.X.X www 172.6.18.250 www netmask 255.255.255.255
static (inside,dmz2) 172.6.1.21 172.6.1.21 netmask 255.255.255.255
static (inside,dmz2) 172.6.1.22 172.6.1.22 netmask 255.255.255.255
static (inside,dmz2) 172.6.1.71 172.6.1.71 netmask 255.255.255.255
static (inside,outside) 189.X.X.X 172.6.1.225 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.11 10.21.4.11 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.21 10.21.4.21 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.32 10.21.4.32 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.71 10.21.4.71 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.76 10.21.4.76 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.21 10.21.1.21 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.22 10.21.1.22 netmask 255.255.255.255
static (inside,dmz2) 10.21.1.76 10.21.1.76 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.91 10.21.4.91 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.25 10.21.4.25 netmask 255.255.255.255
static (inside,dmz2) 10.21.4.77 10.21.4.77 netmask 255.255.255.255
static (dmz2,inside) 172.6.18.23 172.6.18.23 netmask 255.255.255.255
static (dmz2,inside) 172.6.18.25 172.6.18.25 netmask 255.255.255.255
static (dmz2,outside) 189.X.X.X 172.6.18.25 netmask 255.255.255.255 dns
static (dmz2,inside) 172.6.18.22 172.6.18.22 netmask 255.255.255.255
static (dmz2,outside) 189.X.X.X 172.6.18.21 netmask 255.255.255.255
static (dmz2,inside) 172.6.18.200 172.6.18.250 netmask 255.255.255.255
static (dmz2,outside) 189.X.X.X 172.16.50.250 netmask 255.255.255.255

Follows the output requested, This might be a NAT exemption deployment case?

Re: Reverse path translation problem

anunes1987 — Mon, 27 Dec 2010 13:18:32 GMT

Just adding information

SITE A (INSIDE) ----- MPLS ---------- (INSIDE) SITE B

Re: Reverse path translation problem

jgraafmans — Mon, 27 Dec 2010 19:20:06 GMT

Can you also post a sh run access-list inside_nat0_outbound?

And can you please send the output of the same commands on the other ASA?

Re: Reverse path translation problem

Jennifer Halim — Mon, 27 Dec 2010 22:54:06 GMT

The name of the interfaces do not match up. On your static statement you have "dmz2", however on your interface you don't have "dmz2", but you have "dmz" and "dmz-7". Can you please advise if you have copy the correct configuration from the same ASA?

Also how many ASA is there? and can you advise which ASA you receive the error message from?

Complete config from both sites would help.