Solved: Asymmetric NAT rules matched for forward and reverse flows....

noobie198 · ‎05-07-2013

I am new to ASA's and have just configured my 5505 out the box with an outside (10.10.1.7) + inside (192.168.1.1) IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and dink around with the ASA. My problem is when I try and ping a host on the ASA inside network (192.168.1.0/24) from the outside (10.10.1.0/24) I'm getting the following error:

5

May 07 2013

16:38:36

305013

192.168.1.6

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.1.22 dst inside:192.168.1.6 (type 8, code 0) denied due to NAT reverse path failure

The recommendation from the syslog details is:

"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address".

Not sure what exactly that means. Anyone assist with a solution? Beliw is my config:

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.1.7 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.1.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_net_Inside
subnet 192.168.1.0 255.255.255.0
object network Outside_global
host 10.10.1.6
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9c997947
    308201cf 30820138 a0030201 0202049c 99794730 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
     quit
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.10.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 10.10.1.1 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.250.177.145 source outside prefer
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:13b794153d2dc774682fd432ef51bd

Jouni Forss · ‎05-07-2013

Oh, actually just noticed

Can you remove this NAT configuration, the Default PAT

no nat (inside,outside) source dynamic any interface

And configure it in the following way

object-group network LAN

network-object 192.168.1.0 255.255.255.0

nat (inside,outside) after-auto source dynamic LAN interface

After this do "clear xlate" which clear all active NAT translations on the firewall

Then try the ICMP again

- Jouni

View solution in original post

Jouni Forss · ‎05-07-2013

Hi,

You currently have Dynamic PAT from "inside" to "outside"

This is the only NAT configuration currently.

Because the Dynamic PAT "hides" all IP address on the "inside" to the PAT IP address when accessing network "outside" means that "outside" networks cant see the "inside" network directly.

To enable this on the ASA you can for example configure this NAT

object network LAN

subnet 192.168.1.0 255.255.255.0

object network WAN

subnet 10.10.1.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static WAN WAN

The above configuration will tell the ASA that when traffic is going from the network LAN to network WAN then DO NOT NAT the traffic/connections. The reason why it doesnt NAT the traffic is that we have configured both the real IP address and mapped IP address with the same object (LAN and LAN and WAN and WAN)

In addition to this the hosts AND the router on the "outside" HAVE to have a route towards the network 192.168.1.0/24 pointing towards the ASA "outside" interface IP address 10.10.1.17

After this it should work

Hope this helps

Please remember to mark the reply as the correct answer if it was. And/or Rate helpfull answers

Naturally ask more if needed or if the above configurations didnt help

- Jouni

noobie198 · ‎05-07-2013

Jouni,

Thank you for your reply. Did as you suggested above. Didnt quit fix the issue. This is the error I'm now getting:

6

May 07 2013

17:14:16

110003

10.10.1.22

1

192.168.1.6

0

Routing failed to locate next hop for ICMP from outside:10.10.1.22/1 to inside:192.168.1.6/0

My routing table below:

sh asp table routing

in 255.255.255.255 255.255.255.255 identity

in 127.0.0.1 255.255.255.255 identity

in 192.168.1.1 255.255.255.255 identity

in 10.10.1.7 255.255.255.255 identity

in 10.10.1.0 255.255.255.0 outside

in 0.0.0.0 0.0.0.0 outside

out 255.255.255.255 255.255.255.255 outside

out 10.10.1.0 255.255.255.0 outside

out 224.0.0.0 240.0.0.0 outside

out 0.0.0.0 0.0.0.0 via 10.10.1.1, outside

out 255.255.255.255 255.255.255.255 inside

out 224.0.0.0 240.0.0.0 inside

out 255.255.255.255 255.255.255.255 _internal_loopback

out 224.0.0.0 240.0.0.0 _internal_loopback

out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity

out :: :: via 0.0.0.0, identity

noobie198 · ‎05-07-2013

Jouni,

That was a false error message. The host was in sleep mode. This is the actual message from syslog. I am not getting any ping replys from 10.10.1.0/24 to 192.168.1.0/24.

See below

Jouni Forss · ‎05-07-2013

Hi,

Add these

fixup protocol icmp

fixup protocol icmp error

These will convert to the following configurations on the ASA

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Either way of entering them is fine

- Jouni

noobie198 · ‎05-07-2013

Still no icmp replys. What do the fixup commands do?

I only see inspect icmp.

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

Jouni Forss · ‎05-07-2013

They automatically allow the ICMP Echo Reply messages and Time Exceeded messages through the firewall without ACL.

Though the initial ICMP message needs to be allowed by ACL but the return messages are handled by the inspection.

Does the internal host reply from the connected network even?

Is there some firewall blocking the ICMP from on the host from networks that are not directly connect to it?

Can you test connectivity with some TCP service?

I have had some problems with some Windows computers every now and then that even if I allow the ICMP it just simply doesnt work.

- Jouni

Jouni Forss · ‎05-07-2013

Oh, actually just noticed

Can you remove this NAT configuration, the Default PAT

no nat (inside,outside) source dynamic any interface

And configure it in the following way

object-group network LAN

network-object 192.168.1.0 255.255.255.0

nat (inside,outside) after-auto source dynamic LAN interface

After this do "clear xlate" which clear all active NAT translations on the firewall

Then try the ICMP again

- Jouni

noobie198 · ‎05-07-2013

You were right! The internal host is a Win 8 pc. Disabling the firewall on the public network setting did the trick.