Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside denied due to NAT reverse path failure.

virtuali1151
Level 1

Hi All,

I am having an issue with my Azure subnets (10.210.0.0/16, 10.211.0.0/16) being able to access my on-prem subnets over a S2S VPN tunnel. Currently everything is working fine from my inside internal range (10.1.1.0/24). As an example, when I try to access ports 88, 53, 389 etc. from the Azure controllers (10.211.20.10, 10.211.20.11) to the on-prem controller (10.1.1.159) it is fine, but when I try to access them from the same Azure controllers to another local controller, 10.1.90.14, I get the following error in the log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.211.20.11/57160 dst ED:10.1.90.14/53 denied due to NAT reverse path failure.


Now this is the current NAT:


nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup

The OnPremisesNetworks group object has the inside networks (10.1.1.0/24, 10.1.60.0/24) and the Azure-Networks group has the 10.211.0.0/16 and 10.210.0.0/16 networks.

Now I think this might be related to the ED subnet 10.1.90.0/24 residing on another interface:

interface GigabitEthernet0/2.414
 description ED
 vlan 414
 nameif ED
 security-level 100
 ip address 10.1.90.254 255.255.255.0
where the inside interface is:

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.142 255.255.255.0

So my question is how to resolve that asymmetric NAT issue? What would be the correct NAT'ing for my situation?

Thanks in advance.


6 Replies

Dennis Mink
VIP Alumni

Hello,

so why is 10.1.90.0/24 not included in your inside,outside nat statement if you are using it?

what happens if you add it?

 

also did you run the packet tracer tool to simulate the packet flow?

thanks

Please remember to rate useful posts, by clicking on the stars below.

Hi Dennis,

Sorry, I should have put that; it is in the Onprem group object. When I do the packet trace from the inside interface it works fine, but when I do it from the outside interface, which is where the Azure subnet is coming from via the S2S VPN tunnel, it gets all the way through to VPN Lookup and drops. The error is: Subtype - IPsec-tunnel-flow action: drop.

I had to change my interfaces to ANY/ANY and apply applicable subnets. This had to be done because of the multiple interfaces the traffic is going on.
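The two ways the thread points at for fixing the %ASA-5-305013 condition, written out as an added example (not the poster's or Cisco's configuration). The object-group name ED-Networks is an assumption; the Azure-Networks and OnPremisesNetworks names, the interface names and the addresses are taken from the thread.

```cisco
! Constructed example, not the thread's running config.
! Root cause: 10.1.90.0/24 sits behind interface ED, but the only identity
! NAT rule that covers it is bound to the (inside,outside) pair. Outside->ED
! traffic is routed out ED, so the forward and reverse flows do not match
! the same NAT rule and the ASA logs %ASA-5-305013 and drops the packet.
!
! ---- Option A: one identity NAT rule per real interface pair ----
! Move the ED subnet into its own object (ED-Networks is an assumed name)
! so each rule names the interface the subnet actually lives behind.
object-group network ED-Networks
 network-object 10.1.90.0 255.255.255.0
object-group network OnPremisesNetworks
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.60.0 255.255.255.0
 no network-object 10.1.90.0 255.255.255.0
!
nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup
nat (ED,outside) source static ED-Networks ED-Networks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup
!
! ---- Option B: what the accepted solution did ----
! Keep 10.1.90.0/24 inside OnPremisesNetworks and let the ASA derive the
! ingress/egress interfaces from the routing table. Use A or B, not both.
nat (any,any) source static OnPremisesNetworks OnPremisesNetworks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup
!
! ---- Verify from the VPN side ----
! Simulate the exact flow from the log (Azure controller -> ED DNS server).
! Before the fix this stops at the VPN/NAT phase; after it the result should
! be "Action: allow" with output-interface ED.
packet-tracer input outside udp 10.211.20.10 57160 10.1.90.14 53 detailed
```

Keep `no-proxy-arp route-lookup` on both variants: identity NAT without them can hijack ARP for on-prem addresses on the wrong interface and overrides the routing table when choosing the egress interface.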


I'm still getting this error:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside denied due to NAT reverse path failure.

Any ideas?

Thanks in advance.

Hey Dennis,

Here are some more logs...


FILTER:srcIP=10.211.20.10;dstIP=10.1.90.14;

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to
NAT reverse path failure.


When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.


Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.211.20.10/57160 dst ED:10.1.90.14/53 denied due to NAT reverse path failure
Any ideas?
