02-10-2012 11:34 AM - edited 03-11-2019 03:28 PM
Hi,
I have an ASA5510 running version 8.2(5). I have set up a new network on interface Ethernet0/1.777 of the fwl. The firewall works perfectly with remote access VPNs but has now given me the error with the new network that has been set up:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.159.159.3/49204 dst tru777:10.1.34.19/3389 denied due to NAT reverse path failure
The difference between the other networks and the new one that I have set up is that this is the first one using a private addressing scheme. I understand that NAT is not allowing something along the way but I can't figure out what needs to change in order to get it to work. My config is as follows:
interface Ethernet0/1.777
description TRU 777
vlan 777
nameif tru777
security-level 50
ip address 10.1.34.17 255.255.255.240 standby 10.1.34.18
access-list acl_tru777 remark * ALLOW ALL OUTBOUND *
access-list acl_tru777 extended permit ip any any
access-list RA-VPN extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 172.16.0.0 255.240.0.0
access-list acl_no-nat extended permit ip 10.1.34.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list acl_ra-lock-tru777 extended permit ip 10.1.34.16 255.255.255.240 10.159.159.0 255.255.255.0
access-list acl_ra-lock-tru777 extended permit ip 10.159.159.0 255.255.255.0 10.1.34.16 255.255.255.240
ip local pool ra-pool 10.159.159.0-10.159.159.254 mask 255.255.255.0
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
global (outside) 2 x.x.x.x
crypto isakmp nat-traversal 20
I think that is everything you should need; if not, please just ask.
Thank you very much in advance,
Chris
02-10-2012 12:34 PM
Hello Chris,
Please provide:
sh nameif
sh run nat
sh run global
Regards,
Julio
02-11-2012 05:41 AM
Hi Julio,
Here you go:
FWL01# sh nameif
Interface Name Security
Ethernet0/0 outside 0
Ethernet0/1 CLIENTS 50
Ethernet0/1.314 tru01 50
Ethernet0/1.313 dmz01 50
Ethernet0/1.316 tru02 50
Ethernet0/1.776 dmz776 50
Ethernet0/1.777 tru777 50
Management0/0 management 100
FWL01# sh run nat
nat (tru02) 1 192.168.3.0 255.255.255.240
nat (tru777) 4 access-list acl_no-nat
nat (tru777) 2 10.1.34.16 255.255.255.240
FWL01# sh run glob
global (outside) 1 interface
global (outside) 2 x.x.x.x
Thanks,
Chris
02-11-2012 08:43 AM
Hello Chris,
Next thing would be
show run static
packet-tracer input outside tcp 10.159.159.3 1025 10.1.34.19 3389
02-11-2012 09:52 AM
FWL01# sh run static
static (tru02,outside) x.x.x.216 x.x.x.216 netmask 255.255.255.248
static (dmz776,outside) x.x.x.49 10.1.34.3 netmask 255.255.255.255
static (tru777,outside) x.x.x.49 x.x.x.49 netmask 255.255.255.255
FWL01# packet-tracer input outside tcp 10.159.159.3 1025 10.1.34.19 3389
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.34.16 255.255.255.240 tru777
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: tru777
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks,
Chris
02-12-2012 05:54 PM
Hello Chris,
Can you show us the entire configuration? I will need to take a look at the ACL configuration, as the information provided is not enough to get into the root issue.
Regards,
02-22-2012 04:38 AM
Hi,
Thanks for trying to help. I managed to get it working by just getting more specific with the no nat ACL and added a new ACL for just that entry:
access-list acl_no-nat-777 extended permit ip 10.1.34.0 255.255.255.248 10.159.159.0 255.255.255.0
And I am not sure if it made any difference but changed the 4 in the NAT statement below to 0:
nat (tru777) 0 access-list acl_no-nat-777
I kept everything else the same and it is working exactly as I had hoped.
Thanks again!
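A simplified model of the ASA 8.2 NAT lookup, added here as an illustration and not part of the thread or of Cisco's code: it assumes the documented precedence (NAT exemption, then policy dynamic NAT, then regular dynamic NAT) and that a dynamic nat rule applies only when a global with the same id exists on the egress interface, so the nat 4 rule with no global (outside) 4 is skipped for the server-to-client flow and nat 2 translates it, while the client-to-server flow entering on outside is untranslated. The exemption in the fixed config uses the interface subnet 10.1.34.16/28 as its source (an assumption) because the mask 255.255.255.248 posted above spans only 10.1.34.0 to 10.1.34.7 and does not contain 10.1.34.19.

```python
from ipaddress import ip_address, ip_network

# Constructed, simplified model of ASA 8.2 NAT matching for the thread's config.
# Assumed precedence: NAT exemption (nat 0 access-list) > policy dynamic NAT
# (nat <id> access-list) > regular dynamic NAT (nat <id> <net>); a dynamic rule
# applies only when a 'global' with the same id exists on the egress interface.
# The thread's static rules are omitted: none of them covers 10.1.34.16/28.

def acl_match(acl, src, dst):
    """acl is a list of (source_net, dest_net) permit entries."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)

def nat_lookup(cfg, ingress, egress, src, dst):
    """Return ('exempt'|'dynamic'|'none', nat_id) for a flow src->dst."""
    for ifc, acl in cfg["exempt"]:
        if ifc == ingress and acl_match(acl, src, dst):
            return ("exempt", 0)
    for ifc, nat_id, acl in cfg["policy"]:
        if ifc == ingress and acl_match(acl, src, dst) and (egress, nat_id) in cfg["global"]:
            return ("dynamic", nat_id)
    for ifc, nat_id, net in cfg["regular"]:
        if ifc == ingress and ip_address(src) in ip_network(net) and (egress, nat_id) in cfg["global"]:
            return ("dynamic", nat_id)
    return ("none", None)

def reverse_path_ok(cfg, client_if, server_if, client, server):
    """Mimic the reverse-path check: the server->client lookup must not translate
    a flow that the client->server lookup left untranslated (and vice versa)."""
    fwd = nat_lookup(cfg, client_if, server_if, client, server)
    rev = nat_lookup(cfg, server_if, client_if, server, client)
    return (fwd[0] == "dynamic") == (rev[0] == "dynamic")

RFC1918 = [("10.1.34.0/24", "10.0.0.0/8"), ("10.1.34.0/24", "172.16.0.0/12"),
           ("10.1.34.0/24", "192.168.0.0/16")]          # acl_no-nat from the thread

BEFORE = {
    "exempt": [],
    "policy": [("tru777", 4, RFC1918)],                 # nat (tru777) 4 access-list acl_no-nat
    "regular": [("tru777", 2, "10.1.34.16/28")],        # nat (tru777) 2 10.1.34.16 255.255.255.240
    "global": {("outside", 1), ("outside", 2)},         # global (outside) 1 / 2; no global 4
}
# The thread's fix, but with the interface subnet as the exempt source (assumption:
# the posted 10.1.34.0 255.255.255.248 spans only 10.1.34.0-7 and would miss .19).
AFTER = dict(BEFORE, exempt=[("tru777", [("10.1.34.16/28", "10.159.159.0/24")])])

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, nat_lookup(cfg, "tru777", "outside", "10.1.34.19", "10.159.159.3"),
              reverse_path_ok(cfg, "outside", "tru777", "10.159.159.3", "10.1.34.19"))
```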