02-08-2012 05:08 AM - edited 03-11-2019 03:25 PM
Hello All,
I have a source dynamic NAT rule in place to translate all traffic from INSIDE (sec-lvl 100) to PRIVATE DMZ (sec-lvl 80) with translation to a specific new source IP (not the IF IP):
nat (fw-inside,fw-prv) source dynamic GRP_NAT_INSIDELAN NAT-LAN-NEW-IP1 destination static NET_PRV_DMZ NET_PRV_DMZ description [#R-TRx]
object network NAT-LAN-NEW-IP1
host XX.XX.XX.XX
But all connection attempts from PRIVATE DMZ to INSIDE are now BLOCKED with message:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure
My requirement is:
Dyn. PAT/NAT from INSIDE to PRV_DMZ, but NO NAT for sessions from PRV_DMZ to INSIDE. It is easy and straightforward to configure this on a Checkpoint FW-1 system, because the CP FW-1 is not checking the reverse path for NAT. How to achieve the same on a Cisco ASA5585-SSP10 with Ver. 8.4(2)8 installed?
Kind Regards,
HMiku
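As an added example that is not part of this thread: a small parser for the %ASA-5-305013 syslog message quoted above, which pulls out the interface pair and 5-tuple and counts reverse-path denials per interface pair, so a log review shows which interface pair (and therefore which NAT rules) to look at. The sample log lines are constructed; the regex and helper names are assumptions.

```python
# Added example, not from the thread: parse Cisco ASA %ASA-5-305013 syslog lines
# (the "NAT reverse path failure" message quoted above) into their fields, then
# count denials per interface pair. Sample log lines below are constructed.
import re
from collections import Counter
from typing import Optional

# Port groups are optional because ICMP flows are logged without a port.
_PATTERN = re.compile(
    r"%ASA-\d-305013: .*?Connection (?:for )?(?P<proto>\w+) "
    r"src (?P<src_if>[\w.-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w.-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r"denied due to NAT reverse path failure"
)

def parse_305013(line: str) -> Optional[dict]:
    """Return {proto, src_if, src_ip, src_port, dst_if, dst_ip, dst_port}
    for a 305013 event, or None for any other syslog line."""
    m = _PATTERN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("src_port", "dst_port"):
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev

def denials_by_interface_pair(lines) -> Counter:
    """Count reverse-path denials per (ingress, egress) interface pair; a spike
    on one pair points at the NAT rules between those interfaces to review."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_305013(line)
        if ev is not None:
            counts[(ev["src_if"], ev["dst_if"])] += 1
    return counts

SAMPLE_LOG = [  # constructed; the first entry mirrors the message in the thread
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 "
    "denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src fw-prv:192.168.95.101/5060 dst fw-inside:172.28.100.20/5060 "
    "denied due to NAT reverse path failure",
    "%ASA-6-302013: Built inbound TCP connection 12 for fw-inside:172.28.100.55/4000 "
    "(172.28.100.55/4000) to fw-prv:192.168.95.100/80 (10.1.1.1/80)",
]

if __name__ == "__main__":
    for (src_if, dst_if), n in denials_by_interface_pair(SAMPLE_LOG).items():
        print(f"{src_if} -> {dst_if}: {n} reverse-path denial(s)")
```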
02-08-2012 08:15 AM
Seems like there is another NAT in between that is causing this error message. It would be nice if we could have the configuration, but I'm going to tell you what we normally look at in these cases.
Existing NAT rules that could be created on the DMZ interface. Existing NAT rules that can be on the Inside. I am almost sure that there is another NAT that could be breaking things, meaning the packet does not get translated on the DMZ, but when it answers back to the inside, it hits a nat rule.
Check for rules that may have any any. You can easily check this by doing a packet tracer and seeing which NAT rules it would hit.
packet-tracer input inside tcp
Where x is the IP address of the inside host and y is the address of the DMZ host.
Let me know how the test goes.
Mike