
Asymmetric NAT rules matched for forward and reverse flows

I am seeing the following error on my Cisco ASA 5510 running 8.4(4):









Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure

Doing research, I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface?

All our servers are connected via a Cisco 3750G switch with a very basic config.  Why is the firewall interjecting itself and causing these issues?

Any suggestions would be most appreciated.

Kerry

8 REPLIES

Asymmetric NAT rules matched for forward and reverse flows

subnet mask mismatch?

Beginner

Asymmetric NAT rules matched for forward and reverse flows

No subnet mask mismatch, as far as I can tell.

Here is the "sho run":  I have sanitized it as best I can.

ciscoasa# sho run

: Saved

:

ASA Version 8.4(4)

!

hostname ciscoasa

domain-name xxxxxx.com

enable password Gy7ZIY.vaWRxxxxx encrypted

passwd 2KFQnbNIdI.xxxxxx encrypted

names

!

interface Ethernet0/0

description === WAN Interface ===

speed 100

duplex full

nameif outside

security-level 0

ip address 216.38.xx.xx 255.255.255.240

!

interface Ethernet0/1

description === LAN Interface ===

nameif inside

security-level 100

ip address 10.1.0.1 255.255.255.0

!

interface Ethernet0/2

description === PNT to SLC ViaWest ===

speed 10    

duplex full 

nameif pnt  

security-level 100

ip address 10.169.xx.xx 255.255.255.248

!            

interface Ethernet0/3

shutdown    

no nameif   

no security-level

no ip address

!            

interface Management0/0

description === Management Interface ===

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!            

boot system disk0:/asa844-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns domain-lookup outside

dns domain-lookup inside

dns domain-lookup management

dns server-group DefaultDNS

name-server 10.1.0.5

name-server 10.1.1.16

name-server 8.8.8.8

domain-name xxxxxxxx.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network 10.1.0.2

host 10.1.0.2

object network 10.1.0.22

host 10.1.0.22

object network 10.1.0.41

host 10.1.0.41

object network 10.1.0.86

host 10.1.0.86

object network bonecrusher.xxxxxx.local

host 10.1.0.12

description == bonecrusher internal ==

object network ccpwjb4bak001.xxxxxx.local

host 10.1.0.40

object network ccpwjb4bi001.xxxxxx.local

host 10.1.0.8

description == ccpwjb4bi001 internal ==

object network ccpwjb4db001.xxxxxx.local

host 10.1.0.10

description == bi database internal ==

object network ccpwjb4.xxxxxx.local

host 10.1.0.11

description == bi jasper internal ==

object network denver-viawest

subnet 10.1.0.0 255.255.255.0

description == Denver ViaWest Internal Network ==

object network cyberfrost.xxxxxx.local

host 10.1.0.5

description == cyberfrost internal ==

object network vwpwjb1bak001.xxxxxx.local

host 10.1.0.9

description == vwpwjb1bak001 internal ==

object network electrospark.xxxxxx.local

host 10.1.0.14

description == electrospark internal ==

object network NETWORK_OBJ_10.1.0.0_24

subnet 10.1.0.0 255.255.255.0

object network NETWORK_OBJ_10.10.0.0_20

subnet 10.10.0.0 255.255.240.0

object network slc-corp

subnet 10.10.0.0 255.255.240.0

description == slc corp internal network ==

object network slc-viawest

subnet 10.1.1.0 255.255.255.0

description == slc viawest internal network ==

object network NETWORK_OBJ_10.3.0.0_22

subnet 10.3.0.0 255.255.252.0

object network magnoquake.xxxxxx.local

host 10.1.0.13

description == magnoquake internal =

object network NETWORK_OBJ_192.168.100.0_24

subnet 192.168.100.0 255.255.255.0

object network denver-ops

subnet 10.3.0.0 255.255.252.0

description == denver ops internal network ==

object network denver-corp

subnet 192.168.100.0 255.255.255.0

description == denver corporate ==

object network brawl.xxxxxx.local

host 10.1.0.6

description == brawl internal ==

object network c3750-vw

host 10.1.0.200

description == cisco 3750 switch ==

object network 98.116.xx.xx

host 98.116.xx.xx

description FTP access

object-group service http-https tcp

description == tcp ports 80 and 443 ==

port-object eq www

port-object eq https

object-group service http-alternate tcp

description == tcp port 8080 ==

port-object eq 8080

object-group service DM_INLINE_TCP_1 tcp

group-object http-alternate

group-object http-https

object-group service talend-ports tcp

description == tcp ports 8000, 8001 and 8888 ==

port-object eq 8000

port-object eq 8001

port-object eq 8888

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

object-group service passive-ftp tcp

description == tcp ports 55000 to 60000 for passive ftp ==

port-object range 1024 65535

object-group service DM_INLINE_SERVICE_1

service-object gre

service-object tcp destination eq pptp

access-list outside_access_in remark == permit all http access to jasper server ==

access-list outside_access_in extended permit tcp any object ccpwjb4reports001.xxxxxx.local object-group DM_INLINE_TCP_1

access-list outside_access_in remark == permit all access to cyberfrost on port 1723 and gre ip protocol 47 ==

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object cyberfrost.xxxxxx.local

access-list outside_access_in remark == permit all from denver corp full access to jasper server ==

access-list outside_access_in extended permit ip host 209.118.90.227 object ccpwjb4reports001.xxxxxx.local

access-list outside_access_in remark == permit all http access to magnoquake ==

access-list outside_access_in extended permit tcp any object magnoquake.xxxxxx.local object-group http-https

access-list outside_access_in remark == permit all http access to main xxxxxx website ==

access-list outside_access_in extended permit tcp any object electrospark.xxxxxx.local object-group http-https

access-list outside_access_in remark == permit all http access to main xxxxxx website ==

access-list outside_access_in extended permit tcp any object electrospark.xxxxxx.local object-group DM_INLINE_TCP_2

access-list outside_access_in extended permit ip object 98.116.172.191 object electrospark.xxxxxx.local

access-list outside_access_in remark == permit all ssh access to bi database ==

access-list outside_access_in extended permit tcp any object ccpwjb4db001.xxxxxx.local eq ssh

access-list outside_access_in remark == permit all from denver corp to bi4 ==

access-list outside_access_in extended permit ip host 209.118.90.227 object ccpwjb4bi001.xxxxxx.local

access-list outside_access_in remark == permit all ftp and ftp-data access to main xxxxxx web site ==

access-list outside_access_in extended permit udp any any eq domain

access-list outside_access_in remark == permit all ping packets ==

access-list outside_access_in extended permit icmp any any

access-list outside_access_in remark == catchall for logging ==

access-list outside_access_in extended deny ip any any

access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 object slc-corp

access-list pnt_cryptomap extended permit ip object denver-viawest object slc-viawest

access-list outside_cryptomap_1 extended permit ip object denver-viawest object denver-ops

access-list outside_cryptomap_2 extended permit ip 10.1.0.0 255.255.255.0 object denver-corp

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu pnt 1500

mtu management 1500

ip verify reverse-path interface outside

no failover  

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (any,any) source static denver-viawest denver-viawest destination static denver-ops denver-ops description == nat denver viawest to denver ops ==

nat (any,any) source static denver-viawest denver-viawest destination static slc-viawest slc-viawest description == nat denver viawest to slc viawest == (pending)

nat (any,any) source static denver-viawest denver-viawest destination static denver-corp denver-corp description == nat denver viawest to denver corporate ==

nat (any,any) source static denver-viawest denver-viawest destination static slc-corp slc-corp description == nat denver viawest to slc corp ==

nat (inside,outside) source static denver-viawest denver-viawest destination static slc-corp slc-corp no-proxy-arp route-lookup

nat (inside,pnt) source static denver-viawest denver-viawest destination static slc-viawest slc-viawest no-proxy-arp route-lookup

nat (inside,outside) source static denver-viawest denver-viawest destination static denver-ops denver-ops no-proxy-arp route-lookup

nat (inside,outside) source static denver-viawest denver-viawest destination static denver-corp denver-corp no-proxy-arp route-lookup

nat (inside,outside) source static slc-viawest slc-viawest destination static denver-viawest denver-viawest no-proxy-arp route-lookup

nat (inside,outside) source dynamic denver-viawest interface description === nat internal network to outside gateway interface ===

!

object network bonecrusher.xxxxxx.local

nat (any,any) static 216.38.xx.xx

object network ccpwjb4db001.xxxxxx.local

nat (any,any) static 216.38.xx.xx

object network ccpwjb4reports001.xxxxxx.local

nat (any,any) static 216.38.xx.xx

object network cyberfrost.xxxxxx.local

nat (any,any) static 216.38.xx.xx

object network vwpwjb1bak001.xxxxxx.local

nat (any,any) static 216.38.xx.xx

object network electrospark.xxxxxx.local

nat (any,any) static 216.38.xx.xx

object network magnoquake.xxxxxx.local

nat (any,any) static 216.38.xx.xx

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 216.38.xx.xx 1

route pnt 10.1.1.0 255.255.255.0 10.169.xx.xx 1

route pnt 10.169.48.112 255.255.255.248 10.169.xx.xx 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 0.0.0.0 0.0.0.0 management

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer xxxxxx.com

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer xxxxxx.com

crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 3 match address outside_cryptomap_2

crypto map outside_map 3 set peer xxxxxx.com

crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map 3 set ikev2 pre-shared-key *****

crypto map outside_map interface outside

crypto map pnt_map 1 match address pnt_cryptomap

crypto map pnt_map 1 set peer xxxxxx.com

crypto map pnt_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map pnt_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map pnt_map interface pnt

crypto isakmp identity hostname

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev2 enable pnt

crypto ikev1 enable outside

crypto ikev1 enable pnt

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha    

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 160

authentication pre-share

encryption aes

hash md5

group 5

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp authenticate

ntp server 198.60.22.240 source outside

ntp server 24.56.178.140 source outside prefer

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect pptp

  inspect dns

  inspect esmtp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect tftp

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f342f2f5eb01030afdae7406e6db54ad

: end

denvwasa#

Re: Asymmetric NAT rules matched for forward and reverse flows

paste config of the 3750

and

show ip route

show cdp nei

Beginner

Re: Asymmetric NAT rules matched for forward and reverse flows

Config for C3750G:

C3750-DENVW-01#sho run

Building configuration...

Current configuration : 4264 bytes

!

! Last configuration change at 16:30:09 UTC Mon Jul 30 2012 by kcox

! NVRAM config last updated at 16:01:59 UTC Mon Jul 30 2012 by kcox

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname C3750-DENVW-01

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$UAhv$cX6ByriVR0ngZmxxxxxxxxx

enable password 7 122E0F15002B0808793236786321xxxxxxx

!

username xxxxxx privilege 15 secret 5 $1$HMwG$X2o2pt0Y9EB8.qxxxxxxxxxx

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

switch 1 provision ws-c3750g-48ts

system mtu routing 1500

ip domain-name wjbradley.com

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

ip ssh time-out 60

!

!

!

!

!

!

interface GigabitEthernet1/0/1

switchport trunk encapsulation dot1q

switchport mode trunk

## connects to Cisco ASA 5510

!

interface GigabitEthernet1/0/2

switchport mode access

!

interface GigabitEthernet1/0/3

switchport mode access

!

interface GigabitEthernet1/0/4

switchport mode access

!

interface GigabitEthernet1/0/5

switchport mode access

!

interface GigabitEthernet1/0/6

switchport mode access

!

interface GigabitEthernet1/0/7

switchport mode access

speed 100

duplex full

!

interface GigabitEthernet1/0/8

switchport mode access

!

interface GigabitEthernet1/0/9

switchport mode access

!

interface GigabitEthernet1/0/10

switchport mode access

!

interface GigabitEthernet1/0/11

switchport mode access

!

interface GigabitEthernet1/0/12

switchport mode access

!

interface GigabitEthernet1/0/13

switchport mode access

!

interface GigabitEthernet1/0/14

switchport mode access

!

interface GigabitEthernet1/0/15

switchport mode access

!

interface GigabitEthernet1/0/16

switchport mode access

!

interface GigabitEthernet1/0/17

switchport mode access

!

interface GigabitEthernet1/0/18

switchport mode access

!

interface GigabitEthernet1/0/19

switchport mode access

!

interface GigabitEthernet1/0/20

switchport mode access

!

interface GigabitEthernet1/0/21

switchport mode access

!

interface GigabitEthernet1/0/22

switchport mode access

!

interface GigabitEthernet1/0/23

switchport mode access

!

interface GigabitEthernet1/0/24

switchport mode access

!

interface GigabitEthernet1/0/25

switchport mode access

!

interface GigabitEthernet1/0/26

switchport mode access

!

interface GigabitEthernet1/0/27

switchport mode access

!

interface GigabitEthernet1/0/28

switchport mode access

!

interface GigabitEthernet1/0/29

switchport mode access

!

interface GigabitEthernet1/0/30

switchport mode access

!

interface GigabitEthernet1/0/31

switchport mode access

!

interface GigabitEthernet1/0/32

switchport mode access

!

interface GigabitEthernet1/0/33

switchport mode access

!        

interface GigabitEthernet1/0/34

switchport mode access

!

interface GigabitEthernet1/0/35

switchport mode access

!

interface GigabitEthernet1/0/36

switchport mode access

!

interface GigabitEthernet1/0/37

switchport mode access

!

interface GigabitEthernet1/0/38

switchport mode access

!

interface GigabitEthernet1/0/39

switchport mode access

!

interface GigabitEthernet1/0/40

switchport mode access

!

interface GigabitEthernet1/0/41

switchport mode access

!

interface GigabitEthernet1/0/42

switchport mode access

!

interface GigabitEthernet1/0/43

switchport mode access

!

interface GigabitEthernet1/0/44

switchport mode access

!

interface GigabitEthernet1/0/45

switchport mode access

!

interface GigabitEthernet1/0/46

switchport mode access

!

interface GigabitEthernet1/0/47

switchport mode access

!

interface GigabitEthernet1/0/48

switchport mode access

!

interface GigabitEthernet1/0/49

!

interface GigabitEthernet1/0/50

!

interface GigabitEthernet1/0/51

!

interface GigabitEthernet1/0/52

!

interface Vlan1

ip address 10.1.0.200 255.255.255.0

!

ip default-gateway 10.1.0.1

no ip classless

ip http server

ip http secure-server

!

!

ip route 0.0.0.0 0.0.0.0 10.1.0.1

!

logging esm config

!

!

!

!

!

line con 0

line vty 0 4

password 7 0961411C175447xxxxxx

transport input telnet

line vty 5 15

password 7 0961411C1754470xxxxx

transport input telnet

!

ntp server 198.60.22.240

end

C3750-DENVW-01#

C3750-DENVW-01# sho ip route

Default gateway is 10.1.0.1

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty

C3750-DENVW-01#

C3750-DENVW-01#sho cdp nei

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,

                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

C3750-DENVW-01#

Again, I don't think this is a switch issue. I am still seeing the asymmetric NAT issue on the firewall itself.  Two internal devices on the same switch are showing up in the syslog of the firewall itself;

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure

Thanks in advance.

Kerry

Asymmetric NAT rules matched for forward and reverse flows

Hi Bro

RPF errors are typically NAT related. This type of RPF check must be configured on a per interface basis, which will cause the firewall to examine the source IP of each packet.

You could refer to this URL for further reference https://supportforums.cisco.com/thread/2051315

Warm regards,
Ramraj Sivagnanam Sivajanam
Beginner

Re: Asymmetric NAT rules matched for forward and reverse flows

Ramraj,

Thanks much for the link.  My issue is with servers internal to my network, BOTH being on the inside network. The switch config is just fine, so I do not understand why the error message is showing up in the firewall.  This is the same config I have on many other switches and the internal systems are having no issues talking to each other.  Just not certain why these NAT errors are showing up on the firewall.

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure

Cisco Employee

Asymmetric NAT rules matched for forward and reverse flows

Based on the syslog, the communication goes from inside to inside (same subnet). This traffic shouldn't be getting to the ASA, since those two hosts are on the same subnet. The only reason this could be happening is due to proxy-arp, so you can disable proxy-arp on the NAT configuration (add the no-proxy-arp keyword) or disable proxy-arp on the inside interface of the ASA (sysopt no-proxy-arp inside).

Luis Silva

Beginner

Re: Asymmetric NAT rules matched for forward and reverse flows

Solved. 

Turns out that when you first set up NAT statements, i.e. inside IP is NAT'ed to an outside IP, the ASDM configures the NAT to be any,any.  This is not recommended with 8.4(4).

Here is a sample packet-tracer output showing this error:

denvwasa# packet-tracer input inside tcp 10.1.0.5 80 10.1.0.13 80 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.1.0.0        255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad86ba78, priority=3, domain=permit, deny=false

        hits=23793, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=inside

Phase: 3

Type: IP-OPTIONS

Subtype:     

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad11e1a0, priority=0, domain=inspect-ip-options, deny=true

        hits=3730693, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

object network cyberfrost.wjbradley.local

nat (any,any) static 216.38.206.53

Additional Information:

Static translate 10.1.0.5/80 to 216.38.206.53/80

Forward Flow based lookup yields rule:

in  id=0xad1b00a0, priority=6, domain=nat, deny=false

        hits=18771, user_data=0xad1af770, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.1.0.5, mask=255.255.255.255, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network magnoquake.wjbradley.local

nat (inside,outside) static 216.38.206.57

Additional Information:

Forward Flow based lookup yields rule:

out id=0xac8e31c0, priority=6, domain=nat-reverse, deny=false

        hits=10820, user_data=0xad1b8158, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=10.1.0.13, mask=255.255.255.255, port=0, dscp=0x0

        input_ifc=any, output_ifc=any

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Now, after going into the ASDM and configuring each NAT statement to be inside,outside under the NAT, Advanced tabs, then everything works fine and I no longer see the Asymmetric NAT or RPF error.

The packet-tracer output after changing the rule to inside,outside:

denvwasa# packet-tracer input inside tcp 10.1.0.5 80 10.1.0.13 80 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.1.0.0        255.255.255.0   inside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad86ba78, priority=3, domain=permit, deny=false

        hits=23913, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=inside

Phase: 3

Type: IP-OPTIONS

Subtype:     

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xad11e1a0, priority=0, domain=inspect-ip-options, deny=true

        hits=3733735, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xad11e1a0, priority=0, domain=inspect-ip-options, deny=true

        hits=3733737, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=inside, output_ifc=any

Phase: 5     

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 4326030, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow
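
An added example, not part of the thread or any Cisco tooling: a config audit for the condition the thread resolves, listing every NAT rule still scoped to `any`, whether it carries the `no-proxy-arp` keyword from the reply above, and which connected interface holds the rule's real host. The function names, the sample config and the 203.0.113.x addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout of the thread's "sho run" paste: flush-left
# statements separated by blank lines. 203.0.113.x values are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif outside
ip address 203.0.113.1 255.255.255.240

interface Ethernet0/1
nameif inside
ip address 10.1.0.1 255.255.255.0

object network cyberfrost
host 10.1.0.5

object network magnoquake
host 10.1.0.13

nat (any,any) source static denver-viawest denver-viawest destination static denver-ops denver-ops
nat (inside,outside) source static denver-viawest denver-viawest destination static slc-corp slc-corp no-proxy-arp route-lookup

object network cyberfrost
nat (any,any) static 203.0.113.5

object network magnoquake
nat (inside,outside) static 203.0.113.9
"""

NAT_RE = re.compile(r"^nat \(([^,\s]+),([^)\s]+)\) (.*)$")


def _parse(factory, text):
    """Return factory(text), or None for sanitized values such as 216.38.xx.xx."""
    try:
        return factory(text)
    except ValueError:
        return None


def parse_asa(config):
    """Collect interface subnets, host objects and NAT rules from 'show run' text."""
    ifaces, hosts, rules = {}, {}, []
    nameif = obj = None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        nat = NAT_RE.match(" ".join(w))
        if w[0] == "interface":
            nameif = obj = None
        elif w[0] == "nameif" and len(w) > 1:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif and len(w) >= 4:
            net = _parse(lambda s: ipaddress.ip_network(s, strict=False), f"{w[2]}/{w[3]}")
            if net is not None:
                ifaces[nameif] = net
        elif w[:2] == ["object", "network"] and len(w) > 2:
            obj = w[2]
        elif w[0] == "host" and obj and len(w) > 1:
            hosts[obj] = _parse(ipaddress.ip_address, w[1])
        elif nat:
            # Manual (twice) NAT starts with "source"; object NAT sits under its object.
            manual = nat.group(3).startswith("source ")
            rules.append({
                "kind": "manual" if manual else "object",
                "object": None if manual else obj,
                "real_if": nat.group(1),
                "mapped_if": nat.group(2),
                "no_proxy_arp": "no-proxy-arp" in w,
                "line": " ".join(w),
            })
    return ifaces, hosts, rules


def audit(config):
    """Return NAT rules scoped to 'any', annotated with the host's own interface."""
    ifaces, hosts, rules = parse_asa(config)
    findings = []
    for rule in rules:
        if "any" not in (rule["real_if"], rule["mapped_if"]):
            continue
        host = hosts.get(rule["object"])
        rule["host_if"] = next(
            (name for name, net in ifaces.items() if host is not None and host in net), None)
        findings.append(rule)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['kind']:6} host_if={f['host_if']} no_proxy_arp={f['no_proxy_arp']}: {f['line']}")
```

A rule reported with `host_if=inside` is one whose real host shares a connected subnet with its peers, which is the same-interface case in the syslog message; a mix of flagged and unflagged object rules matches the half-converted state seen in the first packet-tracer run.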