Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
681
Views
0
Helpful
1
Replies

[ASA8858 with 8.4(2)] asym. NAT rule; conflict with dyn. PAT; problems with flows from low. SecLvl to higher SecLvl

hmikulec2000
Level 1
Level 1

‎02-08-2012 05:08 AM - edited ‎03-11-2019 03:25 PM

Hello All,

I have a  source dynamic NAT rule in place to translate all traffic from INSIDE (sec-lvl 100) to PRIVATE DMZ (sec-lvl 80) with translation to a specific new source IP (not the IF IP):

nat (fw-inside,fw-prv) source dynamic GRP_NAT_INSIDELAN NAT-LAN-NEW-IP1 destination static NET_PRV_DMZ NET_PRV_DMZ description [#R-TRx]

object network NAT-LAN-NEW-IP1

host XX.XX.XX.XX

But all connnection attempts from PRIVATE DMZ to INSIDE are now BLOCKED with message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure

My requirement is:

Dyn. PAT/NAT from INSIDE to PRV_DMZ, but NO NAT for sessions from PRV_DMZ to INSIDE.  It is easy and straightforward to configure this on a Checkpoint FW-1 system, because the CP FW-1 is not checking the reverse path for NAT. How to achieve the same on a Cisco ASA5585-SSP10 with Ver. 8.4(2)8 installed.

Kind Regards,

HMiku

Labels:
0 Helpful
1 Reply 1

Maykol Rojas
Cisco Employee
Cisco Employee

‎02-08-2012 08:15 AM

Seems like there is another NAT in between that is causing this error message. It would be nice if we could have the configuration but Im going to tell you what we look normally on this cases.

Existing NAT rules that could be created on the DMZ interface. Existing NAT rules that can be on the Inside. I am almost sure that there is another NAT that could be breaking things, meaning the packet does not get translated on the DMZ, but when it answers back to the inside, it hits a nat rule.

Check for rules that may have any any. You can easily check this by doing a packet tracer and see which NAT rules would it hit.

packet-tracer input inside tcp 1025 80

Where x is the IP address of the inside host and y is the address of the DMZ host.

Let me know how the test go.

Mike

Mike
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card