07-21-2015 01:40 PM - edited 03-11-2019 11:18 PM
I have a customer that has had an issue with RDP. They try to RDP from 10.10.32.20 (LAN) to 10.1.2.248 (VPN external). I pulled the following from the logs:
Jul 21 2015 12:54:08: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.1.2.248/52943 dst outside:10.190.22.160/59894 denied due to NAT reverse path failure
# sh run nat
nat (outside) 0 access-list nonat_outside_VPN
nat (outside) 1 0.0.0.0 0.0.0.0
nat (InsideCET) 0 access-list InsideCET_nat0_outbound
nat (InsideCET) 99 access-list NAT-MAIL-OUT
nat (InsideCET) 1 10.250.1.0 255.255.255.0
nat (InsideCET) 1 172.16.12.0 255.255.255.0
nat (InsideCET) 1 10.1.0.0 255.255.0.0
nat (InsideCET) 1 10.10.0.0 255.255.0.0
nat (InsideCET) 1 10.200.0.0 255.255.0.0
nat (InsideCET) 1 172.16.0.0 255.255.0.0
# sh run global
global (outside) 1 interface
global (outside) 99 69.170.x.x
Is there something missing here, or is more information required for help reviewing? Do I need to post my ACLs?
Appreciate the assistance.
Jason
07-21-2015 01:56 PM
The line:
nat (InsideCET) 1 10.1.0.0 255.255.0.0
...includes the destination address (10.1.2.248). Can you tell us if the access-list "nonat_outside_VPN" has a more specific subnet defined within the 10.1.0.0/16 subnet?
A packet-tracer output would help. Try this:
packet-tracer input InsideCET tcp 10.10.32.20 1025 10.1.2.248 389
07-21-2015 02:03 PM
Marvin,
Here is the packet tracer:
# packet-tracer input InsideCET tcp 10.10.32.20 1025 10.1.2.248 389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.2.248 255.255.255.255 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group InsideCET_access_in in interface InsideCET
access-list InsideCET_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip InsideCET 10.0.0.0 255.0.0.0 outside 10.1.2.192 255.255.255.192
NAT exempt
translate_hits = 29843, untranslate_hits = 297575
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (InsideCET) 1 10.10.0.0 255.255.0.0
match ip InsideCET 10.10.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (64.x.x.x [Interface PAT])
translate_hits = 7666989, untranslate_hits = 590795
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (InsideCET) 1 10.10.0.0 255.255.0.0
match ip InsideCET 10.10.0.0 255.255.0.0 outside any
dynamic translation to pool 1 (64.x.x.x [Interface PAT])
translate_hits = 7666990, untranslate_hits = 590795
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: HQF
Subtype: hierarchical-queueing
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 1 0.0.0.0 0.0.0.0
match ip outside any outside any
dynamic translation to pool 1 (64.x.x.x [Interface PAT])
translate_hits = 297872, untranslate_hits = 1
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 33102180, packet dispatched to next module
Result:
input-interface: InsideCET
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Here is NONAT info:
access-list nonat_outside_VPN extended permit ip 10.254.254.0 255.255.255.0 10.1.2.192 255.255.255.192
access-list nonat_outside_VPN extended permit ip 10.1.2.192 255.255.255.192 10.254.254.0 255.255.255.0
access-list nonat_outside_VPN extended permit ip 10.1.2.192 255.255.255.192 10.1.2.192 255.255.255.192
access-list nonat_outside_VPN extended permit ip 10.254.254.0 255.255.255.0 10.254.254.0 255.255.255.0
Thank you for your help.
07-22-2015 05:58 AM
Sorry - I was focusing on your config, not the syslog message.
The error message indicates:
Connection for udp src outside:10.1.2.248/52943 dst outside:10.190.22.160/59894 denied due to NAT reverse path failure
That indicates that the failing source IP address is on the outside, not inside on the LAN. The flow from VPN to LAN should work per the packet-tracer above.
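To make the two lookups in the explanation above concrete, here is an added Python model (not from the thread and not Cisco code) of the pre-8.3 NAT order visible in this config: nat 0 exemption first, then dynamic nat/global. The exemption entries and nat statements are copied from the posts; the InsideCET exemption is the match reported in packet-tracer phase 5; treating nat 0 as bidirectional and picking the most specific dynamic nat are assumptions of the model.

```python
import ipaddress

# Data constructed from the thread (pre-8.3 syntax). Only the outside
# exemption ACL is shown in full; the InsideCET exemption is the one that
# packet-tracer phase 5 reported. Dynamic "nat (ifc) id net mask" and
# "global (ifc) id" statements are copied from "sh run nat" / "sh run global".
EXEMPT_ACLS = {  # ifc -> [(src net, dst net)] from "nat (ifc) 0 access-list ..."
    "outside": [("10.254.254.0/24", "10.1.2.192/26"), ("10.1.2.192/26", "10.254.254.0/24"),
                ("10.1.2.192/26", "10.1.2.192/26"), ("10.254.254.0/24", "10.254.254.0/24")],
    "InsideCET": [("10.0.0.0/8", "10.1.2.192/26")],
}
DYNAMIC_NAT = {  # ifc -> [(nat id, local net)]
    "outside": [(1, "0.0.0.0/0")],
    "InsideCET": [(1, "10.250.1.0/24"), (1, "172.16.12.0/24"), (1, "10.1.0.0/16"),
                  (1, "10.10.0.0/16"), (1, "10.200.0.0/16"), (1, "172.16.0.0/16")],
}
GLOBALS = {("outside", 1): "interface", ("outside", 99): "69.170.x.x"}  # (ifc, id) -> pool


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def nat_decision(ingress, src, dst, egress):
    """Return (kind, rule) for one direction of a flow: 'exempt', 'pat' or 'none'.
    Assumed order: nat 0 exemption (checked both ways) first, then the most
    specific dynamic nat statement whose id has a global on the egress interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ifc, entries in EXEMPT_ACLS.items():
        for sn, dn in entries:
            if ifc == ingress and s in _net(sn) and d in _net(dn):
                return "exempt", f"nat ({ifc}) 0 permit ip {sn} {dn}"
            if ifc == egress and s in _net(dn) and d in _net(sn):
                return "exempt", f"nat ({ifc}) 0 permit ip {sn} {dn} (reverse direction)"
    best = None
    for nat_id, net in DYNAMIC_NAT.get(ingress, []):
        n = _net(net)
        if s in n and (egress, nat_id) in GLOBALS and (best is None or n.prefixlen > best[1].prefixlen):
            best = (nat_id, n)
    if best is None:
        return "none", "no nat statement with a matching global on the egress interface"
    return "pat", f"nat ({ingress}) {best[0]} {best[1]} -> global ({egress}) {best[0]} {GLOBALS[(egress, best[0])]}"


def check_flow(ingress, src, dst, egress):
    """Fresh lookup for the forward flow and for its reply, plus whether both are exempt."""
    fwd = nat_decision(ingress, src, dst, egress)
    rev = nat_decision(egress, dst, src, ingress)
    return {"forward": fwd, "reverse": rev, "exempt_both_ways": fwd[0] == rev[0] == "exempt"}


if __name__ == "__main__":
    print(check_flow("InsideCET", "10.10.32.20", "10.1.2.248", "outside"))  # LAN -> VPN client
    print(check_flow("outside", "10.1.2.248", "10.190.22.160", "outside"))  # pair from the syslog
```

Run against the page's addresses, the LAN-to-VPN-client pair is exempt in both directions, while the VPN-client pair from the syslog matches no exemption either way and falls through to interface PAT on both sides.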
07-22-2015 07:46 AM
Are there other things to look at on the ASA that may impact RDP from the 10.10.32.20 to the VPN client?
Jason