ASA NAT/ACL rule

mdafforn
Level 1

Hello,

I have a couple of servers sitting in a DMZ, and communications sourced from the internal network are working correctly.

When we try to back them up, though, the backup agent on the machine has to initiate the communication, and it fails:

Inbound TCP connection denied from 192.168.99.36/64536 to 10.2.2.91/2546 flags SYN  on interface dmz

I have tried setting up a static NAT from the inside to the DMZ for the backup server, adding an access list:

access-list dmz extended permit ip host 192.168.99.36 host 10.2.2.91

(will be tightened later when comms work)

access-group dmz in interface dmz

When I do that, I get the error:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src dmz:192.168.99.36/64592 dst inside:10.2.2.91/807 denied due to NAT reverse path failure

I know I've got some kind of NAT problem, but I just do not have enough experience with the new NAT rules to figure it out.

Thanks for any help.
Accepted Solution

object network obj_any
 nat (inside,dmz) dynamic interface

This seems to be the problem.

When the DMZ server connects to the inside, on its way back the inside server will be NATed because of this rule.

Try creating a NAT exempt for the traffic from that specific inside server to that DMZ server:

nat (inside,dmz) source static obj-10.2.2.91 obj-10.2.2.91 destination static obj-192.168.99.36 obj-192.168.99.36

(need to create the objects first)
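The accepted answer in full form, as an added example that is not part of the original thread. It assumes obj-10.2.2.91 already exists as shown in the poster's configuration, that obj-192.168.99.36 still has to be created, and uses the addresses and ports from the denied connection in the question for the packet-tracer checks.

```cisco
! Added example (not from the thread): full form of the accepted answer.
! obj-10.2.2.91 already exists in the posted configuration; only the
! DMZ-side object for the backup server still has to be created.
object network obj-192.168.99.36
 host 192.168.99.36
!
! Identity twice NAT for this host pair. Manual NAT lives in NAT section 1,
! which the ASA evaluates before the section 2 object NAT rule
! "nat (inside,dmz) dynamic interface" on obj_any. The reverse flow from
! 10.2.2.91 back to 192.168.99.36 is therefore no longer PATed to the dmz
! interface address, and the reverse-path check behind %ASA-5-305013 passes.
! The existing object NAT on obj-10.2.2.91 (static 192.168.99.91) stays in
! section 2 and is not consulted for this host pair once section 1 matches.
nat (inside,dmz) source static obj-10.2.2.91 obj-10.2.2.91 destination static obj-192.168.99.36 obj-192.168.99.36
!
! On ASA 8.3+ the interface ACL matches real (untranslated) addresses, so
! the access-list already posted in the question stays as it is.
!
! Verify both directions of the flow from the denied log entry before the
! customer tests: the NAT phase of the output should name the identity
! rule above and the result should be ALLOW.
packet-tracer input dmz tcp 192.168.99.36 64536 10.2.2.91 2546
packet-tracer input inside tcp 10.2.2.91 2546 192.168.99.36 64536
```

If the forward trace still shows the obj_any rule in its NAT phase, check with show nat that the manual rule was accepted into section 1 rather than placed with the after-auto rules.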

7 Replies

guibarati
Level 4

Use the packet-tracer command to see which NAT rule it's using.

This message means that the packet would be NATed on one way and not NATed on the other way.

Share the NAT configuration if you can.

I do not have ASDM installed at this point; I may try to do that later.

Current NAT entries:

nat (inside,any) source static obj-10.2.2.0 obj-10.2.2.0 destination static obj-172.16.0.0 obj-172.16.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.254.0.0 obj-10.254.0.0 destination static obj-172.16.0.0 obj-172.16.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-172.16.0.0 obj-172.16.0.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-1.2.3.36 obj-1.2.3.36 destination static obj-2.3.4.112 obj-2.3.4.112 no-proxy-arp route-lookup
nat (inside,any) source static obj-1.2.3.36 obj-1.2.3.36 destination static obj-3.4.5.112 obj-3.4.5.112 no-proxy-arp route-lookup
nat (inside,any) source static obj-1.2.3.36 obj-1.2.3.36 destination static obj-4.5.6.112 obj-4.5.6.112 no-proxy-arp route-lookup
nat (inside,any) source static obj-1.2.3.36 obj-1.2.3.36 destination static obj-4.5.6.113 obj-4.5.6.113 no-proxy-arp route-lookup
!
object network obj-192.168.99.51
 nat (dmz,t1) static 1.2.3.42
object network obj-192.168.99.0
 nat (dmz,cable) dynamic interface
object network obj-192.168.99.0-01
 nat (dmz,t1) dynamic 1.2.3.62
object network obj-10.2.2.40
 nat (inside,cable) static 6.7.8.132
object network obj-10.2.2.69
 nat (inside,t1) static 1.2.3.36
object network obj-10.2.2.75
 nat (inside,t1) static 1.2.3.38
object network obj-10.2.2.41
 nat (inside,t1) static 1.2.3.39
object network obj-10.2.2.207
 nat (inside,t1) static 1.2.3.43
object network obj_any
 nat (inside,dmz) dynamic interface
object network obj_any-01
 nat (inside,cable) dynamic interface
object network obj_any-02
 nat (inside,t1) dynamic 1.2.3.62
object network obj-192.168.99.37
 nat (dmz,cable) static 6.7.8.133
object network obj-10.2.2.91
 nat (inside,dmz) static 192.168.99.91

Thanks for the suggestion. I have put in the new NAT rules:

nat (inside,dmz) source static obj-10.2.2.91 obj-10.2.2.91 destination static obj-192.168.99.36 obj-192.168.99.36

and

nat (inside,dmz) source static obj-10.2.2.91 obj-10.2.2.91 destination static obj-192.168.99.37 obj-192.168.99.37

I think it worked, but the customer will have to verify tomorrow.

Thanks

Mike

Alright, I hope it works.

Please rate if it works.

Any luck?

That worked!

Thank you very much.
