07-30-2012 03:25 PM - edited 03-11-2019 04:36 PM
I am seeing the following error on my Cisco ASA 5510 running 8.4(4):
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure |
Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface?
All our servers are connected via a Cisco 3750G switch with a very basic config. Why is the firewall interjecting itself and causing these issues?
Any suggestions would be most appreciated.
Kerry
07-30-2012 03:44 PM
subnet mask mismatch?
07-30-2012 04:07 PM
No subnet mask mismatch, as far as I can tell.
Here is the "sho run": I have sanitized it as best I can.
ciscoasa# sho run
: Saved
:
ASA Version 8.4(4)
!
hostname ciscoasa
domain-name xxxxxx.com
enable password Gy7ZIY.vaWRxxxxx encrypted
passwd 2KFQnbNIdI.xxxxxx encrypted
names
!
interface Ethernet0/0
description === WAN Interface ===
speed 100
duplex full
nameif outside
security-level 0
ip address 216.38.xx.xx 255.255.255.240
!
interface Ethernet0/1
description === LAN Interface ===
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface Ethernet0/2
description === PNT to SLC ViaWest ===
speed 10
duplex full
nameif pnt
security-level 100
ip address 10.169.xx.xx 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description === Management Interface ===
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa844-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.1.0.5
name-server 10.1.1.16
name-server 8.8.8.8
domain-name xxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.1.0.2
host 10.1.0.2
object network 10.1.0.22
host 10.1.0.22
object network 10.1.0.41
host 10.1.0.41
object network 10.1.0.86
host 10.1.0.86
object network bonecrusher.xxxxxx.local
host 10.1.0.12
description == bonecrusher internal ==
object network ccpwjb4bak001.xxxxxx.local
host 10.1.0.40
object network ccpwjb4bi001.xxxxxx.local
host 10.1.0.8
description == ccpwjb4bi001 internal ==
object network ccpwjb4db001.xxxxxx.local
host 10.1.0.10
description == bi database internal ==
object network ccpwjb4.xxxxxx.local
host 10.1.0.11
description == bi jasper internal ==
object network denver-viawest
subnet 10.1.0.0 255.255.255.0
description == Denver ViaWest Internal Network ==
object network cyberfrost.xxxxxx.local
host 10.1.0.5
description == cyberfrost internal ==
object network vwpwjb1bak001.xxxxxx.local
host 10.1.0.9
description == vwpwjb1bak001 internal ==
object network electrospark.xxxxxx.local
host 10.1.0.14
description == electrospark internal ==
object network NETWORK_OBJ_10.1.0.0_24
subnet 10.1.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.0.0_20
subnet 10.10.0.0 255.255.240.0
object network slc-corp
subnet 10.10.0.0 255.255.240.0
description == slc corp internal network ==
object network slc-viawest
subnet 10.1.1.0 255.255.255.0
description == slc viawest internal network ==
object network NETWORK_OBJ_10.3.0.0_22
subnet 10.3.0.0 255.255.252.0
object network magnoquake.xxxxxx.local
host 10.1.0.13
description == magnoquake internal =
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network denver-ops
subnet 10.3.0.0 255.255.252.0
description == denver ops internal network ==
object network denver-corp
subnet 192.168.100.0 255.255.255.0
description == denver corporate ==
object network brawl.xxxxxx.local
host 10.1.0.6
description == brawl internal ==
object network c3750-vw
host 10.1.0.200
description == cisco 3750 switch ==
object network 98.116.xx.xx
host 98.116.xx.xx
description FTP access
object-group service http-https tcp
description == tcp ports 80 and 443 ==
port-object eq www
port-object eq https
object-group service http-alternate tcp
description == tcp port 8080 ==
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
group-object http-alternate
group-object http-https
object-group service talend-ports tcp
description == tcp ports 8000, 8001 and 8888 ==
port-object eq 8000
port-object eq 8001
port-object eq 8888
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
object-group service passive-ftp tcp
description == tcp ports 55000 to 60000 for passive ftp ==
port-object range 1024 65535
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp destination eq pptp
access-list outside_access_in remark == permit all http access to jasper server ==
access-list outside_access_in extended permit tcp any object ccpwjb4reports001.xxxxxx.local object-group DM_INLINE_TCP_1
access-list outside_access_in remark == permit all access to cyberfrost on port 1723 and gre ip protocol 47 ==
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object cyberfrost.xxxxxx.local
access-list outside_access_in remark == permit all from denver corp full access to jasper server ==
access-list outside_access_in extended permit ip host 209.118.90.227 object ccpwjb4reports001.xxxxxx.local
access-list outside_access_in remark == permit all http access to magnoquake ==
access-list outside_access_in extended permit tcp any object magnoquake.xxxxxx.local object-group http-https
access-list outside_access_in remark == permit all http access to main xxxxxx website ==
access-list outside_access_in extended permit tcp any object electrospark.xxxxxx.local object-group http-https
access-list outside_access_in remark == permit all http access to main xxxxxx website ==
access-list outside_access_in extended permit tcp any object electrospark.xxxxxx.local object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object 98.116.172.191 object electrospark.xxxxxx.local
access-list outside_access_in remark == permit all ssh access to bi database ==
access-list outside_access_in extended permit tcp any object ccpwjb4db001.xxxxxx.local eq ssh
access-list outside_access_in remark == permit all from denver corp to bi4 ==
access-list outside_access_in extended permit ip host 209.118.90.227 object ccpwjb4bi001.xxxxxx.local
access-list outside_access_in remark == permit all ftp and ftp-data access to main xxxxxx web site ==
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in remark == permit all ping packets ==
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark == catchall for logging ==
access-list outside_access_in extended deny ip any any
access-list outside_cryptomap extended permit ip 10.1.0.0 255.255.255.0 object slc-corp
access-list pnt_cryptomap extended permit ip object denver-viawest object slc-viawest
access-list outside_cryptomap_1 extended permit ip object denver-viawest object denver-ops
access-list outside_cryptomap_2 extended permit ip 10.1.0.0 255.255.255.0 object denver-corp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu pnt 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (any,any) source static denver-viawest denver-viawest destination static denver-ops denver-ops description == nat denver viawest to denver ops ==
nat (any,any) source static denver-viawest denver-viawest destination static slc-viawest slc-viawest description == nat denver viawest to slc viawest == (pending)
nat (any,any) source static denver-viawest denver-viawest destination static denver-corp denver-corp description == nat denver viawest to denver corporate ==
nat (any,any) source static denver-viawest denver-viawest destination static slc-corp slc-corp description == nat denver viawest to slc corp ==
nat (inside,outside) source static denver-viawest denver-viawest destination static slc-corp slc-corp no-proxy-arp route-lookup
nat (inside,pnt) source static denver-viawest denver-viawest destination static slc-viawest slc-viawest no-proxy-arp route-lookup
nat (inside,outside) source static denver-viawest denver-viawest destination static denver-ops denver-ops no-proxy-arp route-lookup
nat (inside,outside) source static denver-viawest denver-viawest destination static denver-corp denver-corp no-proxy-arp route-lookup
nat (inside,outside) source static slc-viawest slc-viawest destination static denver-viawest denver-viawest no-proxy-arp route-lookup
nat (inside,outside) source dynamic denver-viawest interface description === nat internal network to outside gateway interface ===
!
object network bonecrusher.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network ccpwjb4db001.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network ccpwjb4reports001.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network cyberfrost.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network vwpwjb1bak001.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network electrospark.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network magnoquake.xxxxxx.local
nat (any,any) static 216.38.xx.xx
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.38.xx.xx 1
route pnt 10.1.1.0 255.255.255.0 10.169.xx.xx 1
route pnt 10.169.48.112 255.255.255.248 10.169.xx.xx 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxxxxx.com
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer xxxxxx.com
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer xxxxxx.com
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 set ikev2 pre-shared-key *****
crypto map outside_map interface outside
crypto map pnt_map 1 match address pnt_cryptomap
crypto map pnt_map 1 set peer xxxxxx.com
crypto map pnt_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map pnt_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map pnt_map interface pnt
crypto isakmp identity hostname
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable pnt
crypto ikev1 enable outside
crypto ikev1 enable pnt
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 160
authentication pre-share
encryption aes
hash md5
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 198.60.22.240 source outside
ntp server 24.56.178.140 source outside prefer
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect pptp
inspect dns
inspect esmtp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect tftp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f342f2f5eb01030afdae7406e6db54ad
: end
denvwasa#
07-30-2012 05:34 PM
post config of the 3750
and
show ip route
show cdp nei
07-31-2012 06:23 AM
Config for C3750G:
C3750-DENVW-01#sho run
Building configuration...
Current configuration : 4264 bytes
!
! Last configuration change at 16:30:09 UTC Mon Jul 30 2012 by kcox
! NVRAM config last updated at 16:01:59 UTC Mon Jul 30 2012 by kcox
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname C3750-DENVW-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$UAhv$cX6ByriVR0ngZmxxxxxxxxx
enable password 7 122E0F15002B0808793236786321xxxxxxx
!
username xxxxxx privilege 15 secret 5 $1$HMwG$X2o2pt0Y9EB8.qxxxxxxxxxx
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
ip domain-name wjbradley.com
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
!
!
!
!
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
## connects to Cisco ASA 5510
!
interface GigabitEthernet1/0/2
switchport mode access
!
interface GigabitEthernet1/0/3
switchport mode access
!
interface GigabitEthernet1/0/4
switchport mode access
!
interface GigabitEthernet1/0/5
switchport mode access
!
interface GigabitEthernet1/0/6
switchport mode access
!
interface GigabitEthernet1/0/7
switchport mode access
speed 100
duplex full
!
interface GigabitEthernet1/0/8
switchport mode access
!
interface GigabitEthernet1/0/9
switchport mode access
!
interface GigabitEthernet1/0/10
switchport mode access
!
interface GigabitEthernet1/0/11
switchport mode access
!
interface GigabitEthernet1/0/12
switchport mode access
!
interface GigabitEthernet1/0/13
switchport mode access
!
interface GigabitEthernet1/0/14
switchport mode access
!
interface GigabitEthernet1/0/15
switchport mode access
!
interface GigabitEthernet1/0/16
switchport mode access
!
interface GigabitEthernet1/0/17
switchport mode access
!
interface GigabitEthernet1/0/18
switchport mode access
!
interface GigabitEthernet1/0/19
switchport mode access
!
interface GigabitEthernet1/0/20
switchport mode access
!
interface GigabitEthernet1/0/21
switchport mode access
!
interface GigabitEthernet1/0/22
switchport mode access
!
interface GigabitEthernet1/0/23
switchport mode access
!
interface GigabitEthernet1/0/24
switchport mode access
!
interface GigabitEthernet1/0/25
switchport mode access
!
interface GigabitEthernet1/0/26
switchport mode access
!
interface GigabitEthernet1/0/27
switchport mode access
!
interface GigabitEthernet1/0/28
switchport mode access
!
interface GigabitEthernet1/0/29
switchport mode access
!
interface GigabitEthernet1/0/30
switchport mode access
!
interface GigabitEthernet1/0/31
switchport mode access
!
interface GigabitEthernet1/0/32
switchport mode access
!
interface GigabitEthernet1/0/33
switchport mode access
!
interface GigabitEthernet1/0/34
switchport mode access
!
interface GigabitEthernet1/0/35
switchport mode access
!
interface GigabitEthernet1/0/36
switchport mode access
!
interface GigabitEthernet1/0/37
switchport mode access
!
interface GigabitEthernet1/0/38
switchport mode access
!
interface GigabitEthernet1/0/39
switchport mode access
!
interface GigabitEthernet1/0/40
switchport mode access
!
interface GigabitEthernet1/0/41
switchport mode access
!
interface GigabitEthernet1/0/42
switchport mode access
!
interface GigabitEthernet1/0/43
switchport mode access
!
interface GigabitEthernet1/0/44
switchport mode access
!
interface GigabitEthernet1/0/45
switchport mode access
!
interface GigabitEthernet1/0/46
switchport mode access
!
interface GigabitEthernet1/0/47
switchport mode access
!
interface GigabitEthernet1/0/48
switchport mode access
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
ip address 10.1.0.200 255.255.255.0
!
ip default-gateway 10.1.0.1
no ip classless
ip http server
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
logging esm config
!
!
!
!
!
line con 0
line vty 0 4
password 7 0961411C175447xxxxxx
transport input telnet
line vty 5 15
password 7 0961411C1754470xxxxx
transport input telnet
!
ntp server 198.60.22.240
end
C3750-DENVW-01#
C3750-DENVW-01# sho ip route
Default gateway is 10.1.0.1
Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
C3750-DENVW-01#
C3750-DENVW-01#sho cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
C3750-DENVW-01#
Again, I don't think this is a switch issue. I am still seeing the asymmetric NAT issue on the firewall itself. Two internal devices on the same switch are showing up in the syslog of the firewall itself:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure
Thanks in advance.
Kerry
07-31-2012 06:50 AM
Hi Bro
RPF errors are typically NAT related. This type of RPF check must be configured on a per-interface basis, which will cause the firewall to examine the source IP of each packet.
You could refer to this URL for further reference https://supportforums.cisco.com/thread/2051315
07-31-2012 07:11 AM
Ramraj,
Thanks much for the link. My issue is with servers internal to my network, BOTH being on the inside network. The switch config is just fine, so I do not understand why the error message is showing up in the firewall. This is the same config I have on many other switches and the internal systems are having no issues talking to each other. Just not certain why these NAT errors are showing up on the firewall.
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure
07-31-2012 07:27 AM
Based on the syslog, the communication goes from inside to inside (same subnet). This traffic shouldn't be getting to the ASA since those two hosts are on the same subnet. The only reason this could be happening is proxy-arp, so you can disable proxy-arp in the NAT configuration (add the no-proxy-arp keyword) or disable proxy ARP on the inside interface of the ASA (sysopt no-proxy-arp inside).
Luis Silva
07-31-2012 07:47 AM
Solved.
Turns out that when you first set up NAT statements, i.e. inside IP is NAT'ed to an outside IP, the ASDM configures the NAT to be any,any. This is not recommended with 8.4(4).
Here is a sample packet-tracer output showing this error:
denvwasa# packet-tracer input inside tcp 10.1.0.5 80 10.1.0.13 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad86ba78, priority=3, domain=permit, deny=false
hits=23793, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad11e1a0, priority=0, domain=inspect-ip-options, deny=true
hits=3730693, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network cyberfrost.wjbradley.local
nat (any,any) static 216.38.206.53
Additional Information:
Static translate 10.1.0.5/80 to 216.38.206.53/80
Forward Flow based lookup yields rule:
in id=0xad1b00a0, priority=6, domain=nat, deny=false
hits=18771, user_data=0xad1af770, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.0.5, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network magnoquake.wjbradley.local
nat (inside,outside) static 216.38.206.57
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac8e31c0, priority=6, domain=nat-reverse, deny=false
hits=10820, user_data=0xad1b8158, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.1.0.13, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=any, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Now, after going into the ASDM and configuring each NAT statement to be inside,outside under the NAT, Advanced tabs, then everything works fine and I no longer see the Asymmetric NAT or RPF error.
The packet-tracer output after changing the rule to inside,outside:
denvwasa# packet-tracer input inside tcp 10.1.0.5 80 10.1.0.13 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad86ba78, priority=3, domain=permit, deny=false
hits=23913, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=inside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad11e1a0, priority=0, domain=inspect-ip-options, deny=true
hits=3733735, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xad11e1a0, priority=0, domain=inspect-ip-options, deny=true
hits=3733737, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4326030, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
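Detection logic for the failure mode described in Luis Silva's reply and in Kerry's final post, as an added example that is not from the thread or from Cisco: it parses the RPF-failure syslog text quoted above, cross-references the destination host against the object NAT blocks of a "show run", and flags an intra-interface flow whose destination carries a nat (any,any) static rule. It assumes the log text is exactly as quoted in the thread, that the fix is to scope the rule to an interface named outside as Kerry did, and the config fragment below is constructed from the thread's sanitized values.

```python
import re
from typing import Dict, Optional

# Body of the RPF-failure syslog text quoted in the thread. The "\s*" after
# "dst" also tolerates the run-together "dstinside" seen in one copy of the log.
RPF_RE = re.compile(
    r"Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst\s*(?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)
OBJECT_RE = re.compile(r"^object network (?P<name>\S+)")
HOST_RE = re.compile(r"^\s*host (?P<ip>[\d.]+)")
# Object NAT line, e.g. "nat (any,any) static 216.38.xx.xx". Twice-NAT lines
# ("nat (a,b) source static ...") deliberately do not match.
OBJ_NAT_RE = re.compile(r"^\s*nat \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) static (?P<mapped>\S+)")
# Lines that may belong to an "object network" block; anything else ends the block.
BLOCK_LINE_RE = re.compile(r"^\s*(host|subnet|description|nat)\b")


def parse_rpf_log(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one 'NAT reverse path failure' syslog line, or None."""
    m = RPF_RE.search(line)
    return m.groupdict() if m else None


def parse_object_nat(config: str) -> Dict[str, Dict[str, str]]:
    """Map each real host IP to its object NAT (interfaces and mapped address).

    An ASA prints the host in one "object network" block and the NAT in a
    second block of the same name, so both are collected by object name.
    """
    hosts: Dict[str, str] = {}
    nats: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if current is None or not BLOCK_LINE_RE.match(line):
            current = None
            continue
        m = HOST_RE.match(line)
        if m:
            hosts[current] = m.group("ip")
            continue
        m = OBJ_NAT_RE.match(line)
        if m:
            nats[current] = m.groupdict()
    return {hosts[n]: nat for n, nat in nats.items() if n in hosts}


def diagnose(log_line: str, config: str, mapped_ifc: str = "outside") -> Optional[str]:
    """Explain an RPF-failure log entry in terms of the object NAT that caused it.

    mapped_ifc is the interface the corrected rule should be scoped to; the
    thread used "outside", which is assumed as the default here.
    """
    flow = parse_rpf_log(log_line)
    if flow is None:
        return None
    nat = parse_object_nat(config).get(flow["dst_ip"])
    if nat is None:
        return "no object NAT found for destination " + flow["dst_ip"]
    if flow["src_ifc"] == flow["dst_ifc"] and nat["real_ifc"] == "any" and nat["mapped_ifc"] == "any":
        return (
            f"intra-interface flow {flow['src_ip']} -> {flow['dst_ip']} on {flow['src_ifc']} "
            f"hit an (any,any) static NAT to {nat['mapped']}; scope it as "
            f"nat ({flow['dst_ifc']},{mapped_ifc}) static {nat['mapped']}"
        )
    return "NAT scope looks fine; check routing or proxy-arp"


# Constructed sample input using the thread's sanitized values.
LOG_LINE = ("Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp "
            "src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure")
CONFIG = """\
object network electrospark.xxxxxx.local
host 10.1.0.14
description == electrospark internal ==
object network magnoquake.xxxxxx.local
host 10.1.0.13
!
nat (inside,outside) source dynamic denver-viawest interface
!
object network electrospark.xxxxxx.local
nat (any,any) static 216.38.xx.xx
object network magnoquake.xxxxxx.local
nat (inside,outside) static 216.38.xx.xx
"""

if __name__ == "__main__":
    print(diagnose(LOG_LINE, CONFIG))
```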