Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5160
Views
20
Helpful
13
Replies

Asymmetric NAT rules matched for forward and reverse flows error in ASA 5516

Go to solution
MrBeginner
Spotlight
Spotlight

‎10-14-2020 08:27 AM

Hi ,
I would like to ask about reverse flows error. I saw the same issue in forum and try to fix. But May be i don't know how to add NAT Exemption rule or my exemption rule is doesn't work.vSo please help me to fix.

My network information :

inside-net=20.1.1.0/24
outside-net=10.1.1.0/24

I use below command for internet access.

nat (inside,outside) dynamic interface

 

My web server need to access to internal server. So i use NAT exemption rule like below.

nat (inside,outside) source static inside-net outside-net destination static outside-net outside-net no-proxy-arp

 

But my web servers cannot access to internal server. I always got 

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:xxx.xxx.xxx dst inside:xxx.xxx.xxx.xxx (type 8, code 0) denied due to NAT reverse path failure

Please help me how to fix or my rule is wrong ?

Preview file
36 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to MrBeginner

‎10-14-2020 11:18 AM

If you have that NAT exemption rule in place then it should work, unless you have another NAT rule above that is unintentially natting the traffic. Run packet-tracer from the CLI and provide the output for review.

 

View solution in original post

Go to solution
Aref Alsouqi
VIP
VIP
In response to MrBeginner

‎10-14-2020 01:45 PM

You welcome. The nat (inside,outside) after-auto rule is basically a PAT rule to translate anything that did not match on the top rules to the outside interface of the firewall. Manual NAT rules which are the ones we create with the source static and destination in this case are placed on the top, in so called section 1. Section 1 is checked before section 3 where the after-auto rule is placed.

With this in mind, you can create any additional rules to match the interested traffic you want, and keep the after-auto for the internet traffic.

If you want to make some services available from the outside world, whether from the internet or the outside segment, my recommendation would be to translate the internal server IP or even port to a dedicated public IP. This public IP would be within the same range as the outside segment. For example, say you want to allow external world to access the app-net server, you would do something similar to this:

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static 10.1.1.5 dns

This rule basically allow any traffic destined to the public IP 10.1.1.5 to be translated to the internal IP 20.1.1.x. Obviously you still need to allow this traffic on the outside ACL on the firewall.

Now if you want to be more specific and create a rule to NAT a single port on the app-net server, you would do something similar to this:

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static 10.1.1.5 service tcp https https

Finally, the mapped port and the real port do not necessarily have to be the same, for example, you can receive the traffic on port 5000 and translate it back to port 443. The important thing in this case is to use the real port on the NAT rule to match the actual port on which the service running on the server is listening on, here is an example:

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static 10.1.1.5 service tcp https 5000

 

View solution in original post

0 Helpful
13 Replies 13

Go to solution
Rob Ingram
VIP
VIP

‎10-14-2020 08:38 AM

Hi @MrBeginner 

You need to ensure your NAT exemption rule is above the existing NAT rule used for internet access. Add the keyword "after-auto" to ensure this rule is moved to the end of the NAT rules.

 

E.g.

 

no nat (INSIDE,OUTSIDE) source dynamic interface

nat (INSIDE,OUTSIDE) after-auto source dynamic interface

Go to solution
MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎10-14-2020 09:48 AM

hi Rob Ingram,
I cannot type your command. I got incomplete error .

nat (INSIDE,OUTSIDE) after-auto source dynamic interface 

 

If i didn't add nat (inside,outside) dynamic interface command,i cannot access internet. So may be my nat exemption rule is doen't work.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎10-14-2020 09:53 AM

Sorry, try this:-

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface 

 

Make sure you remove your other NAT rule as this new rule replaces it.

0 Helpful

Go to solution
MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎10-14-2020 10:14 AM

Hi @Rob Ingram ,

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface  command is ok for internet access. But i cannot access to webserver to internal server. 

Let me know can we do exception to do NAT for return traffic of webserver  ?

I mean i don't want to NAT for outside-net only and others will do NAT . Can it be ? Because is the incoming traffic is normal traffic ( no NAT) and return traffic is NAT  ?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP

‎10-14-2020 10:17 AM

So you don't already have a NAT Exemption rule defined? You'd need something like this:-

 

object network INSIDE-NET
 subnet 20.1.1.0 255.255.255.0
object network OUTSIDE-NET
 subnet 10.1.1.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static OUTSIDE-NET OUTSIDE-NET no-proxy-arp

 

Go to solution
MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎10-14-2020 10:28 AM

Hi @Rob Ingram ,

nat (inside,outside) source static inside-net outside-net destination static outside-net outside-net
!
nat (inside,outside) after-auto source dynamic any interface

 

i already try with no-proxy-arp and witout no-proxy-arp.All result are same. there is any other other way to do internet access is NAt and incoming is no NAT ?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to MrBeginner

‎10-14-2020 11:18 AM

If you have that NAT exemption rule in place then it should work, unless you have another NAT rule above that is unintentially natting the traffic. Run packet-tracer from the CLI and provide the output for review.

 

Go to solution
MrBeginner
Spotlight
Spotlight
In response to Rob Ingram

‎10-14-2020 11:35 AM

Hi @Rob Ingram and @Aref Alsouqi ,

Thank you for your help.Now ok. My fault. i try to ping from other network which have routing table to internal server .So cannot ping. Now i ping from web server to internal server.

But i also need to try to another application net ( 30.1.1.0/24) . i also want to do NAT form outside to app-net.Now outside to inside,inside to internet by using dynamic interface and nat exception NAT.

nat (inside,outside) source static inside-net outside-net destination static outside-net outside-net
!
nat (inside,outside) after-auto source dynamic any interface

I aslo want to add extra NAT form ouside-net to app-net .What kind of NAT should i use ?

for nat i have only one WAN IP in ASA outside interface. I don't have spare IP.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to MrBeginner

‎10-14-2020 01:45 PM

You welcome. The nat (inside,outside) after-auto rule is basically a PAT rule to translate anything that did not match on the top rules to the outside interface of the firewall. Manual NAT rules which are the ones we create with the source static and destination in this case are placed on the top, in so called section 1. Section 1 is checked before section 3 where the after-auto rule is placed.

With this in mind, you can create any additional rules to match the interested traffic you want, and keep the after-auto for the internet traffic.

If you want to make some services available from the outside world, whether from the internet or the outside segment, my recommendation would be to translate the internal server IP or even port to a dedicated public IP. This public IP would be within the same range as the outside segment. For example, say you want to allow external world to access the app-net server, you would do something similar to this:

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static 10.1.1.5 dns

This rule basically allow any traffic destined to the public IP 10.1.1.5 to be translated to the internal IP 20.1.1.x. Obviously you still need to allow this traffic on the outside ACL on the firewall.

Now if you want to be more specific and create a rule to NAT a single port on the app-net server, you would do something similar to this:

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static 10.1.1.5 service tcp https https

Finally, the mapped port and the real port do not necessarily have to be the same, for example, you can receive the traffic on port 5000 and translate it back to port 443. The important thing in this case is to use the real port on the NAT rule to match the actual port on which the service running on the server is listening on, here is an example:

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static 10.1.1.5 service tcp https 5000

 

0 Helpful

Go to solution
MrBeginner
Spotlight
Spotlight
In response to Aref Alsouqi

‎10-14-2020 06:08 PM

Hi,

I use app is different interface(appnet)

So it should be like below? If i us ip address is it will say ip overlap. 

 

object network APP-NET
 host 20.1.1.x
 nat (inside,outside) static interface service tcp https 5000

 

 

Second thing is if my webserver want to use the internet by using asa wan as his gateway,is it possible? 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to MrBeginner

‎10-20-2020 04:47 AM - edited ‎10-20-2020 04:48 AM

That static PAT rule will translate the traffic destined to the public IP of the outside interface, on port 5000/tc, and then will translate it to the private IP 20.1.1.x on port 443/tcp. Any other traffic will go through the NAT rules check below the port 5000 rule as it will not match it, if there is a match it will be applied. Similar for the webserver, if there is a matched NAT rule, it will be applied, otherwise the check will carry on. However, if you create a 1:1 NAT rule, and there is nothing on top that matched the traffic, that will apply translation to the inbound or outbound traffic.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎10-14-2020 10:33 AM - edited ‎10-14-2020 10:36 AM

If you want to allow the traffic between Server1 and WebServer un-NAT'ed, then as Rob proposed, a manual NAT rule to exempt the traffic between them should be added. I would be more specific and define the two individual hosts rather than exempting NAT for the whole traffic between the inside and the outside:

object network Server1
 host 20.1.1.2
object network WebServer
 host 10.1.1.3

 nat (inside,outside) source static Server1 Server1 destination static WebServer WebServer

If you want to dedicate a "public" IP to Server1 and use that to access it by WebServer, then you can do something similar to this:

object network Server1
 host 20.1.1.2
 nat (inside,outside) static 10.1.1.4 dns

Remember you need to allow this traffic on the ACL applied to the outside interface since it would have lower security level than the inside.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎10-14-2020 10:42 AM - edited ‎10-14-2020 11:22 AM

If you want to exempt NAT only between the two servers try this:

object network Server1
 host 20.1.1.2
object network WebServer
 host 10.1.1.3

nat (inside,outside) source static Server1 Server1 destination static WebServer WebServer

Another option would be to dedicate a public IP to Server1 and access it from outside via that IP:

object network Server1
 host 20.1.1.2
 nat (inside,outside) static 10.1.1.4 dns

Remember to allow the inbound traffic towards Server1 on the outside interface.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card