NAT reverse path failure

reaven
Level 1

I have a WAN router (70.70.70.129) from which I need to access a syslog server on the inside by its real IP address (192.168.1.192).

I have set up an access list on the outside interface:

access-list outside_acl extended permit udp host 70.70.70.129 host 192.168.1.192 eq syslog

With this, so far I get the NAT reverse path failure.

Now if I add a NAT rule:

inside outside 192.168.1.192 any any 192.168.1.192

everything works, except the syslog server loses access to the internet. I am confused about what I need to add to enable both: access to the internet and access to the server via its private IP address.

1 Accepted Solution

@Francesco Molino @reaven

I have labbed this up.

!
object network SYS-LOG
 host 10.10.1.192
 nat (inside,outside) static interface service udp 514 514
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
access-group outside_acl in interface outside
!
packet-tracer input outside udp 1.1.1.129 12345 1.1.1.30 514

please do not forget to rate.

10 Replies

Francesco Molino
VIP Alumni

Hi

 

Can you share your config please?

I would remove the NAT you put in place and change it to something like:

object network SYSLOG-SRV
 host 192.168.1.192
 nat (inside,outside) static 70.70.70.129 service udp 514 514

Also, when you've done this, please run a packet-tracer and paste the output:

packet-tracer input outside udp 8.8.8.8 1234 70.70.70.129 514

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

It would be great if you could share the config of your firewall. In the meantime, please have a look at this config.

 

object network syslog_server
host 192.168.1.192
!
nat (inside,outside) static interface
!
access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
!
access-group outside_acl in interface outside

please do not forget to rate.

Hi, thanks for your answers. I am trying to sanitize the config, since it is very extensive and I don't have permission to post it in its entirety.

Meanwhile, what does nat (inside,outside) static interface do? Is it missing something? What's the difference from the one I have: nat (inside,outside) static 192.168.1.192 no-proxy-arp

Hi

 

The rule below,

nat (inside,outside) static interface

says that if traffic comes from the inside interface and goes toward the outside network, use the outside interface IP address (i.e. 82.1.5.4).

Now coming to your NAT rule

nat (inside,outside) static 192.168.1.192 no-proxy-arp

you are saying that if traffic comes from inside and goes toward the outside network, use address 192.168.1.192. In this case address 192.168.1.192 is your inside address, and this address can't be routed out due to RFC 1918.

Now you have two choices,

Step 1.

=====

object network syslog_server
 host 192.168.1.192
 nat (inside,outside) static 70.70.70.129 service udp 514 514

access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
access-group outside_acl in interface outside

(Note: if you need to access the syslog server from outside, then you need to define the ACL as I mentioned.)

OR

Step 2

====

object network syslog_server
 host 192.168.1.192
!
 nat (inside,outside) static interface

access-list outside_acl extended permit udp any host 192.168.1.192 eq 514
access-group outside_acl in interface outside

(Note: if you need to access the syslog server from outside, then you need to define the ACL as I mentioned.)

Now I do not know what your public IP address is, so you can use the command nat (in,out) static interface. This will use your firewall's outside interface IP address. The choice is yours.

 

please do not forget to rate.

This has been given to me very redacted/"sanitized".

my syslog server = mon002 = 10.10.1.192

my WAN router is connected to my outside interface with IP 1.1.1.129

I need my WAN router to access my syslog server; there is an IP route in my WAN router to route traffic destined to 10.10.1.192 through 1.1.1.130

 

hostname Firewall
!
interface Ethernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 1.1.1.130 255.255.255.224 
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 10.10.8.1 255.255.255.0 
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog  
arp timeout 14400
no arp permit-nonconnected
!
object network obj-10.10.1.0
 nat (inside,outside) dynamic og_global_outside-1
 nat (aruba,outside) dynamic og_global_outside-1
object network ob-10.10.1.192
 nat (inside,outside) static 10.10.1.192 no-proxy-arp
access-group outside_acl in interface outside
access-group inside_acl in interface inside
access-group bppr_acl in interface bppr
access-group aruba_access_in in interface aruba
route outside 0.0.0.0 0.0.0.0 1.1.1.129 1 
http server enable
snmp-server host inside 10.10.1.192 community public version 2c
no snmp-server location
no snmp-server contact
snmp-server community public
sysopt connection tcpmss 1460


object network mon001
host 10.10.1.192
description PRTG monitoring
nat (inside,outside) static interface
!
access-list outside_acl extended permit udp any host 10.10.1.192 eq syslog
(or)
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
!
access-group outside_acl in interface outside
!
packet-tracer input outside udp 1.1.1.129 1234 1.1.1.130 syslog

Or, if you like, you can move your NAT rule into section 1.

nat (inside,outside) source static mon001 interface
!
access-list outside_acl extended permit udp host 1.1.1.129 host 10.10.1.192 eq syslog
!
access-group outside_acl in interface outside
!
packet-tracer input outside udp 1.1.1.129 1234 1.1.1.130 syslog

please do not forget to rate.

When I enable the NAT rule, what does the error below really mean? Is it all traffic from 10.10.1.192?

nat (inside,outside) source static ms001mon002 interface
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.

Anyway, I am still getting the error:

ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection for udp src outside 1.1.1.129 dst inside 10.10.1.192/514 denied due to NAT reverse path failure.

Your monitoring tool has IP 10.10.1.192, am I right?

When you're adding the NAT, be careful, because you have a NAT in top position which is NATing the subnet 10.10.1.0.

Then put the NAT statement I gave before this NAT.

Also, you have at the end a NAT with any any interface, which isn't following best practices. Replace any any with the correct source and destination interface names.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


@Sheraz.Salim @Francesco Molino 

 

First, thanks for the support, help and patience.

Reading your suggestions I realized my error: in the NAT rule I had created I left any instead of specifying port 514.

Now internet on the monitoring tool and the syslog are working!!!
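As an added example (not from the thread or from Cisco), a small Python model of how the ASA pairs the forward and reverse NAT lookups, run over the three rule sets discussed above: the original manual identity NAT with no service, the combination that logged 305013, and the port-restricted fix. It assumes the rule-ordering semantics described in the replies (section 1 before section 2, static before dynamic) and simplifies everything else.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    real_src: str                # real inside host/subnet, or "any"
    mapped_src: str              # address the host is shown as on the outside
    dst: str = "any"             # destination (outside side) the rule is limited to
    port: Optional[int] = None   # service restriction on the inside host's port
    dynamic: bool = False        # dynamic PAT never untranslates inbound packets

def _match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def outbound(rules, src, sport, dst):
    """Inside -> outside lookup: first rule whose real source (and service) matches wins."""
    for r in rules:
        if _match(r.real_src, src) and _match(r.dst, dst) and r.port in (None, sport):
            return r
    return None

def inbound(rules, src, dst, dport):
    """Outside -> inside lookup: the packet's destination must equal a rule's mapped address."""
    for r in rules:
        if not r.dynamic and r.mapped_src == dst and _match(r.dst, src) and r.port in (None, dport):
            return r
    return None

def check_inbound(rules, outside_host, dst, dport):
    """Pair the forward (inbound) and reply lookups; a mismatch is the 305013 case."""
    fwd = inbound(rules, outside_host, dst, dport)
    if fwd is None:
        return None, None, False
    rev = outbound(rules, fwd.real_src, dport, outside_host)
    return fwd.name, (rev.name if rev else None), rev is fwd

# Addresses from the thread; rule order in each list encodes ASA precedence (assumed model).
SERVER, ROUTER, OUTSIDE_IF = "10.10.1.192", "1.1.1.129", "1.1.1.130"
PAT = Rule("sec2 dynamic PAT 10.10.1.0/24", "10.10.1.0/24", OUTSIDE_IF, dynamic=True)
# The original question: a manual identity NAT with no service catches every flow from the server.
ORIGINAL = [Rule("sec1 identity static, any service", SERVER, SERVER), PAT]
# The config that logged %ASA-5-305013: section 1 static to the interface plus section 2 identity NAT.
BROKEN = [Rule("sec1 source static mon002 interface", SERVER, OUTSIDE_IF),
          Rule("sec2 static 10.10.1.192 no-proxy-arp", SERVER, SERVER), PAT]
# The fix reached in the thread: identity NAT limited to the syslog service.
FIXED = [Rule("sec1 identity static service 514 514", SERVER, SERVER, port=514), PAT]
if __name__ == "__main__":
    print("original, web traffic leaves as:", outbound(ORIGINAL, SERVER, 40000, "8.8.8.8").mapped_src)
    print("broken:", check_inbound(BROKEN, ROUTER, SERVER, 514), "fixed:", check_inbound(FIXED, ROUTER, SERVER, 514))
```

With ORIGINAL the server's web traffic leaves with its private address (the lost internet access), BROKEN pairs two different rules for the syslog flow (the asymmetric-NAT denial), and FIXED pairs the same rule while web traffic falls through to the PAT.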