topic Re: Reverse NAT issue in Network Security

Reverse NAT issue

mahesh18 — Fri, 21 Feb 2020 15:45:39 GMT

Traffic is flowing from DMZ where source IP is public and coming to inside on port 1812

9 19:28:17 efw-1 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src DMZ86:192.41.x.x/54535 dst inside:10.22.183.102/1812 denied due to NAT reverse path failure

How can i fix this?

Regards

MAhesh

Re: Reverse NAT issue

Rob Ingram — Fri, 11 May 2018 22:38:18 GMT

Hi,
Can you provide the configuration so we can have a look?
Can you run packet tracer and upload the output.

Re: Reverse NAT issue

mahesh18 — Sat, 12 May 2018 16:34:41 GMT

here is packet tracer

packet-tracer input DMZ86 udp 192.41.x.x 1024 10.22.183.102 1812

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ86_acl in interface DMZ86
access-list DMZ86_acl extended permit udp host 192.41.x.x host 10.22.183.102 eq 1812 log
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ86,DMZ64) 192.41.148.96 192.41.148.96 netmask 255.255.255.224
nat-control
match ip DMZ86 192.41.148.96 255.255.255.224 DMZ64 any
static translation to 192.41.148.96
translate_hits = 0, untranslate_hits = 33
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ86 any
dynamic translation to pool 2 (192.41.148.97)
translate_hits = 895580, untranslate_hits = 1309
Additional Information:

Result:
input-interface: DMZ86
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Reverse NAT issue

Rob Ingram — Sat, 12 May 2018 17:01:32 GMT

Please upload the config

Re: Reverse NAT issue

mahesh18 — Sat, 12 May 2018 18:33:21 GMT

let me know which specfic config you need

i can put that as it has lot of config?

Re: Reverse NAT issue

Rob Ingram — Sat, 12 May 2018 18:38:00 GMT

Ok, please provide the running config for interfaces, nat, objects, access-list, routes

Can you also upload the output of "show nat"

Re: Reverse NAT issue

mahesh18 — Sat, 12 May 2018 18:40:55 GMT

config attached

seems i will need no nat from dmz 86 to inside?