10-22-2010 06:13 AM - edited 03-11-2019 11:59 AM
We are trying to send netflow from our internet router (64.xx.xx.1) to an inside netflow collector (10.10.xx.81).
The following are flow export config and static ip route on internet router.
ip flow-export source GigabitEthernet0/1
ip flow-export version 9 peer-as
ip flow-export destination 10.10.xx.81 2055
ip route 10.10.xx.81 255.255.255.255 64.xx.xx.2 (64.xx.xx.2 is outside interface of ASA5520)
The following is ACL on ASA5520 which I see hits on.
access-list OUTSIDE extended permit udp host 64.xx.xx.1 host 10.10.xx.81 eq 2055
I now see the following log messages on ASA5520
5 Oct 22 2010 08:44:50 10.10.xx.81 2055 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:64.xx.xx.1/50847 dst inside:10.10.xx.81/2055 denied due to NAT reverse path failure
10-22-2010 06:16 AM
Hi,
Try disabling NAT on the ASA for the flows between the router and the host:
nat (inside) 0 access-list NONAT
access-list NONAT permit ip host 10.10.2.81 host 64.xx.xx.1
Dan
10-22-2010 06:35 AM
What would adding the following do?
access-list inside_nat0_outbound extended permit ip any 10.10.2.81 255.255.255.255
I added that and the log messages stopped happening and then I removed it and now I don’t see hits on the ACL anymore.
10-22-2010 06:44 AM
Can you paste a "show run nat"?
10-22-2010 06:57 AM
For whatever reason after adding and then removing the following, I no longer see hits on ACL and nothing in log messages for 10.xx.xx.81 (collector IP).
access-list inside_nat0_outbound extended permit ip any 10.10.2.81 255.255.255.255
I changed interface names on the show nat below, hope that doesn’t confuse.
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (ABC123) 168 192.168.0.0 255.255.0.0 outside
nat (DEF456) 0 access-list DEF456_nat0_dmzbound
nat (DEF456) 231 10.231.0.0 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (GHI789) 0 access-list GHI789_nat0_outbound
nat (JKL012) 0 access-list JKL012_nat0_outbound
10-22-2010 07:09 AM
You should configure
access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.x.x.1
Then check if the flows are received on the collector.
Dan
10-22-2010 07:33 AM
I added the suggested nat exempt and the collector is receiving flow.
I however do not see hits on the ACL on ASA5520. Is that normal?
10-22-2010 07:49 AM
Yeah, if you have a UDP flow up and passing traffic you will not see ACL incrementing, you would need to stop the flow and then you would see 1 increment while the flow was up. So, only the first udp netflow packet hits the ACL and then it goes through using the existing flow (no ACL hit).
I hope it makes sense.
PK
10-22-2010 08:00 AM
After adding that NAT exempt, my NAT view in ASDM looks different.
I used to see the NAT exempts lumped together, but things look different now.
10-22-2010 09:51 AM
After adding the following command, all the NAT exempts on the inside interface were gone/not working. They would show up in the CLI but not in ASDM. I had not saved changes, so rebooting the firewall brought things back to normal. Now I am a little nervous about adding the command again.
Could having it be protocol udp vs ip make a difference? All the other NAT exempt on inside interface are protocol ip.
access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.xx.xx.1
Should I try adding again or add it with protocol ip?
Thanks.
10-22-2010 06:17 PM
I am looking to see if I am comprehending correctly. I have read that only the ip protocol is allowed in a NAT exempt access-list. NAT exemption is evaluated on source and destination and not on IP protocols or port numbers.
Does that mean this config should use ip instead of udp?
access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.xx.xx.1
Thanks for clarification.
10-23-2010 04:18 AM
Yes, you should use IP instead of UDP in the ACL you pasted.
10-23-2010 04:20 AM
One more thing: you won't see hit counts on this ACL.
For ex,
nat (inside) 0 access-list nat-exempt
access-list nat-exempt permit ip host x.x.x.x host y.y.y.y (hit count=0)
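The point made in the last few replies (a NAT-exempt ACL is matched on source and destination addresses only, so its entries should use protocol ip, and the ACL never shows hit counts) is easy to check mechanically before pasting a line into a production ASA. The following script is an added example, not part of this thread or of any Cisco tool: it reads a pre-8.3-style running config, finds every "nat (iface) 0 access-list NAME" statement, and flags entries of those ACLs that carry a protocol other than ip or a port qualifier, printing a corrected line for each. The sample config embedded in it is constructed; the addresses, interface and ACL names are assumptions, not the poster's real values.

```python
import re

# Constructed sample in pre-8.3 ASA syntax (the platform used in the thread).
# Addresses, interface and ACL names are assumed for illustration only.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit udp host 10.10.2.81 host 64.1.1.1
access-list inside_nat0_outbound extended permit ip 10.10.2.0 255.255.255.0 host 64.1.1.1
access-list OUTSIDE extended permit udp host 64.1.1.1 host 10.10.2.81 eq 2055
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
"""

# 'nat (iface) 0 access-list NAME' binds NAME as the NAT-exempt list for iface.
NAT0_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) 0 access-list (?P<acl>\S+)$")
# One access-control entry; 'extended' is optional on older releases.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:extended )?(?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+)$"
)
# Port qualifiers (eq/neq/lt/gt take one operand, range takes two).
PORT_QUAL_RE = re.compile(r" range \S+ \S+| (?:eq|neq|lt|gt) \S+")


def nat_exempt_acls(config):
    """Map interface name -> ACL name for every 'nat (iface) 0 access-list' line."""
    found = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            found[m.group("iface")] = m.group("acl")
    return found


def lint_nat_exempt(config):
    """Return one finding per ACE in a NAT-exempt ACL that uses a protocol other
    than ip or carries a port qualifier.  NAT exemption is evaluated on source and
    destination addresses only, so those fields are not honoured; each finding
    carries the equivalent line rewritten with protocol ip and no port match."""
    exempt = set(nat_exempt_acls(config).values())
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("acl") not in exempt:
            continue
        problems = []
        if m.group("proto") != "ip":
            problems.append(f"protocol '{m.group('proto')}' instead of ip")
        if PORT_QUAL_RE.search(m.group("rest")):
            problems.append("port qualifier")
        if problems:
            rest = PORT_QUAL_RE.sub("", m.group("rest"))
            fixed = f"access-list {m.group('acl')} extended {m.group('action')} ip {rest}"
            findings.append({"line": line.strip(), "problems": problems, "fixed": fixed})
    return findings


if __name__ == "__main__":
    for f in lint_nat_exempt(SAMPLE_CONFIG):
        print("found:  ", f["line"])
        print("why:    ", "; ".join(f["problems"]))
        print("use:    ", f["fixed"])
```

Run it against the output of "show run access-list" and "show run nat" pasted into SAMPLE_CONFIG; the OUTSIDE ACL is deliberately left alone, because it is an interface ACL where udp and "eq 2055" are exactly what you want.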