12-11-2018 03:08 PM
Hi All,
I am having an issue with my Azure subnets (10.210.0.0/16, 10.211.0.0/16) being able to access my on-prem subnets over a S2S VPN tunnel. Currently everything is working fine from my inside internal range (10.1.1.0/24). As an example, when I try to access say ports 88, 53, 389 etc. from the Azure controllers (10.211.20.10, 10.211.20.11) to the on-prem controller (10.1.1.159) it is fine, but when I try to access them from the same Azure controllers to another local controller, 10.1.90.14, I get the following error in the log:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.211.20.11/57160 dst ED:10.1.90.14/53 denied due to NAT reverse path failure.
Now this is the current NAT:
nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup
The OnPremisesNetworks group object has the inside networks (10.1.1.0/24, 10.1.60.0/24) and the Azure-Networks has the (10.211.0.0/16, 10.210.0.0/16) Networks.
Now I think this might be related to the ED subnet 10.1.90.0/24 residing on another interface:
interface GigabitEthernet0/2.414
description ED
vlan 414
nameif ED
security-level 100
ip address 10.1.90.254 255.255.255.0
where the inside interface is:
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.1.142 255.255.255.0
So my question is: how do I resolve that asymmetric NAT issue? What would be the correct NATing for my situation?
Thanks in advance.
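Added example (my own, not the poster's config and not Cisco code): a small Python model of the ASA twice-NAT reverse-path check that reproduces the 305013 message quoted above for the flow outside -> 10.1.90.14, and shows one rule layout under which the same flow passes. Interface subnets, object-group contents and the posted NAT line are taken from the thread; the following are my assumptions and are marked as such in the code: 10.1.60.0/24 is reached via the inside interface, the default route points out of outside, the check is simplified to "forward and reverse flows must hit the same rule", and the per-interface rule layout (a separate ED-Network object with its own nat (ED,outside) rule) is a suggestion, not something the thread confirms.

```python
"""Model of the ASA twice-NAT reverse-path check for the topology in the thread.

Added example, not Cisco's code and not the poster's configuration.  Facts marked
"from thread" come from the posts above; anything marked "assumed" is mine.
"""
import ipaddress
import re
from dataclasses import dataclass

# Connected subnets per interface (from thread: GigabitEthernet0/1 and 0/2.414).
CONNECTED = {
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "ED": ipaddress.ip_network("10.1.90.0/24"),
}
# Assumed: 10.1.60.0/24 (listed in OnPremisesNetworks) is routed out of inside.
STATIC_ROUTES = {ipaddress.ip_network("10.1.60.0/24"): "inside"}

# Parses "nat (real,mapped) source static R M destination static M R ..." lines.
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+) destination static "
    r"(?P<dst_mapped>\S+) (?P<dst_real>\S+)"
)


@dataclass(frozen=True)
class NatRule:
    real_if: str
    mapped_if: str
    src_real: str
    src_mapped: str
    dst_mapped: str
    dst_real: str


@dataclass
class Scenario:
    groups: dict   # object-group name -> list of CIDR strings
    rules: tuple   # NatRule objects in configured order (first match wins)

    def in_group(self, addr, name):
        a = ipaddress.ip_address(addr)
        return any(a in ipaddress.ip_network(n) for n in self.groups[name])


def parse_nat(lines):
    rules = []
    for line in lines:
        m = NAT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised NAT line: {line!r}")
        rules.append(NatRule(**m.groupdict()))
    return tuple(rules)


def egress_interface(dst):
    """Route lookup: longest prefix match over connected subnets and static routes."""
    a = ipaddress.ip_address(dst)
    routes = [(net, ifc) for ifc, net in CONNECTED.items()] + list(STATIC_ROUTES.items())
    best = max((r for r in routes if a in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else "outside"   # assumed: default route out of 'outside'


def _if_ok(rule_if, actual):
    return rule_if == "any" or rule_if == actual


def check_flow(scn, ingress, src, dst):
    """Return (egress, verdict) for a packet src -> dst arriving on `ingress`.

    Simplified model (assumed): the forward flow takes the first rule whose mapped
    interface is the ingress and whose mapped objects cover the packet; the reverse
    flow (egress -> ingress) must select the same rule, otherwise the ASA logs
    305013 "NAT reverse path failure" and drops the connection.
    """
    egress = egress_interface(dst)
    fwd = next((r for r in scn.rules
                if _if_ok(r.mapped_if, ingress)
                and scn.in_group(dst, r.src_mapped) and scn.in_group(src, r.dst_mapped)), None)
    rev = next((r for r in scn.rules
                if _if_ok(r.real_if, egress) and _if_ok(r.mapped_if, ingress)
                and scn.in_group(dst, r.src_real) and scn.in_group(src, r.dst_real)), None)
    if fwd is None and rev is None:
        return egress, "no-nat"
    if fwd != rev:
        return egress, "asymmetric"   # %ASA-5-305013
    return egress, "ok"


# As posted (from thread): one rule, ED subnet lumped into the inside-side group.
AS_POSTED = Scenario(
    groups={
        "OnPremisesNetworks": ["10.1.1.0/24", "10.1.60.0/24", "10.1.90.0/24"],
        "Azure-Networks": ["10.211.0.0/16", "10.210.0.0/16"],
    },
    rules=parse_nat([
        "nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks "
        "destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup",
    ]),
)

# Suggested layout (assumed, mine): one identity rule per real interface, each
# source object holding only the subnets reached through that interface.
PER_INTERFACE = Scenario(
    groups={
        "OnPremisesNetworks": ["10.1.1.0/24", "10.1.60.0/24"],
        "ED-Network": ["10.1.90.0/24"],
        "Azure-Networks": ["10.211.0.0/16", "10.210.0.0/16"],
    },
    rules=parse_nat([
        "nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks "
        "destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup",
        "nat (ED,outside) source static ED-Network ED-Network "
        "destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup",
    ]),
)

if __name__ == "__main__":
    for name, scn in (("as posted", AS_POSTED), ("per-interface", PER_INTERFACE)):
        for dst in ("10.1.1.159", "10.1.90.14"):
            egress, verdict = check_flow(scn, "outside", "10.211.20.11", dst)
            print(f"{name:14} 10.211.20.11 -> {dst:12} egress={egress:7} {verdict}")
```

Running it prints "asymmetric" only for the as-posted scenario with destination 10.1.90.14, which is exactly the flow the syslog line reports: the forward lookup hits the (inside,outside) rule, the route lookup sends the packet out of ED, and nothing covers the ED -> outside reverse flow. Whatever rule layout you end up with on the real box, verify it with packet-tracer from the outside interface, since that is the direction the VPN traffic arrives from.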
12-11-2018 03:34 PM
Hello,
So why is 10.1.90.0/24 not included in your (inside,outside) NAT statement if you are using it?
What happens if you add it?
Also, did you run the packet tracer tool to simulate the packet flow?
Thanks
12-11-2018 03:43 PM - edited 12-11-2018 03:46 PM
Hi Dennis,
Sorry, I should have mentioned that: it is in the OnPrem group object. When I do the packet trace from the inside interface it works fine, but when I do it from the outside interface, which is where the Azure subnet is coming from via the S2S VPN tunnel, it gets all the way through to VPN Lookup and drops. The error is: Subtype - IPsec-tunnel-flow, action: drop.
12-12-2018 08:25 AM
I'm still getting this error:
Any ideas?
Thanks in advance.
12-13-2018 08:38 AM
Hey Dennis,
Here are some more logs...
FILTER:srcIP=10.211.20.10;dstIP=10.1.90.14;
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.
When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.211.20.10/57160 dst ED:10.1.90.14/53 denied due to NAT reverse path failure
Any ideas?