Hi all. This is complicated; I'll try to explain succinctly.
I have an ASA that is one end of an IPSEC tunnel. The IPSEC tunnel dumps traffic off onto the ASA, but instead of forwarding to the next hop, we see a log entry like the following:
Mar 7 19:54:12 220.127.116.11 Mar 8 00:54:12 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.28.253.1/8080 dst inside:10.20.161.33/8080 denied due to NAT reverse path failure
When I run a packet trace, the trace stops on an RPF check:
nat (inside) 0 0.0.0.0 0.0.0.0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 3242
Forward Flow based lookup yields rule:
out id=0x24305f50, priority=0, domain=nat-reverse, deny=false
Normally I would look at where the trace stopped and figure out the problem from there; in this case, that is the 'nat (inside) 0 0.0.0.0 0.0.0.0' statement. The only problem is that the statement doesn't show up in the config. Here are my actual NAT statements:
The access list 'nonat-outside-to-inside' has one relevant line concerning this specific traffic:
access-list nonat-outside-to-inside line 11 extended permit ip 172.28.253.0 255.255.255.0 10.20.0.0 255.255.0.0 (hitcnt=0) 0xcba8a793
And access-list nonat-inside-to-outside has nothing that matches both the source and destination.
So, I don't actually have a statement that matches the error shown in the packet trace. I'm kind of stuck. From my reading of the RPF literature, I guess it's an anti-spoofing feature, which leads me to believe that the firewall is sending the traffic back into itself instead of forwarding it on to the next hop, and the RPF check says, nope, you already tried to send that through me, so I'm going to kill it. Which it should -- but why isn't it forwarding it out to the legitimate next hop? It's like the traffic is getting lost in the middle of the firewall, and I'm thinking -- BUG!
I'm kind of at a loss and considering opening a TAC case.
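A small parser for the %ASA-5-305013 message quoted above, added here as an example and not code from the original post or from Cisco. When a NAT reverse path failure is being chased, the useful first step is usually to pull the five-tuple and interface pair out of every 305013 line and group them, so that "one destination host, many source ports" (typically one missing exemption or static for that host) can be told apart from "many sources and destinations" (a broader rule ordering problem). The code assumes the message layout shown in the post (a relay timestamp, the ASA's own timestamp, then the message body); the first sample line is the one from the post, the others are constructed, and the /24 grouping is an arbitrary choice for the summary.

```python
"""Parse Cisco ASA %ASA-5-305013 'NAT reverse path failure' syslog lines.

Added example for this thread; not code from the original post or from
Cisco. It assumes the message layout shown in the post (relay timestamp,
the ASA's own timestamp, then the %ASA-5-305013 body) and extracts the
fields a responder pivots on: protocol, ingress/egress interface names,
source and destination address/port.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Message ID plus the per-connection detail the ASA appends to it.
RPF_RE = re.compile(
    r"%ASA-\d-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)


@dataclass(frozen=True)
class RpfDenial:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    def interface_pair(self) -> str:
        """Direction of the forward flow, e.g. 'outside->inside'."""
        return f"{self.src_if}->{self.dst_if}"


def parse_rpf_denial(line: str) -> Optional[RpfDenial]:
    """Return the parsed denial, or None if the line is not a 305013 RPF failure."""
    m = RPF_RE.search(line)
    if m is None:
        return None
    return RpfDenial(
        proto=m["proto"],
        src_if=m["src_if"],
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        dst_if=m["dst_if"],
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
    )


def summarize(lines: Iterable[str]) -> Counter:
    """Count RPF denials per (interface pair, source /24, dst host, dst port).

    Grouping the source by /24 is an arbitrary choice for this example; it
    collapses source-port churn from one host so the pattern is visible.
    Non-305013 lines are ignored.
    """
    counts: Counter = Counter()
    for line in lines:
        d = parse_rpf_denial(line)
        if d is None:
            continue
        src_net = ".".join(d.src_ip.split(".")[:3]) + ".0/24"
        counts[(d.interface_pair(), src_net, d.dst_ip, d.dst_port)] += 1
    return counts


# First line is the one quoted in the post; the other two are constructed.
SAMPLE_LOG: List[str] = [
    "Mar 7 19:54:12 220.127.116.11 Mar 8 00:54:12 %ASA-5-305013: Asymmetric NAT rules "
    "matched for forward and reverse flows; Connection for tcp src outside:172.28.253.1/8080 "
    "dst inside:10.20.161.33/8080 denied due to NAT reverse path failure",
    "Mar 7 19:54:13 220.127.116.11 Mar 8 00:54:13 %ASA-5-305013: Asymmetric NAT rules "
    "matched for forward and reverse flows; Connection for tcp src outside:172.28.253.1/8081 "
    "dst inside:10.20.161.33/8080 denied due to NAT reverse path failure",
    "Mar 7 19:54:14 220.127.116.11 Mar 8 00:54:14 %ASA-6-302013: Built inbound TCP connection "
    "1234 for outside:172.28.253.9/443 (172.28.253.9/443) to inside:10.20.161.40/443 (10.20.161.40/443)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Feed it the output of `show logging` or a syslog export; the interface pair tells you which direction the forward flow took, which is the direction whose NAT rule (here the outside-side exemption ACL) has to be compared against whatever the reverse flow matched.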