02-05-2014 02:52 PM - edited 03-11-2019 08:41 PM
Hi Everyone,
I am seeing log messages in ASA
50443 | Feb 01 2014 23:16:58: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src X 10.31.x.x /28122 dst Y:172.16.0..0/514 denied due to NAT reverse path failure |
Do I need to use no nat for traffic between interfaces X and Y?
Current NAT is
sh run nat
nat (Y) 0 0.0.0.0 0.0.0.0
sh run static
static (Y,Z) 172.24.30.16 172.24.30.16 netmask 255.255.255.255
static (Y,Z) 172.24.30.16 172.24.30.16 netmask 255.255.255.255
Regards
Mahesh
02-05-2014 11:23 PM
Hi Mahesh,
I think you need to clarify the situation, as I am not sure what the situation is since you have edited the output yourself.
You mention the connection is coming from behind X.
You mention a NAT configuration that has nothing to do with interface X. I guess it might be that you have no configuration for that interface, then.
You would probably either need a NAT0 configuration for the network behind interface X to be able to connect to destination networks behind Y, or you might have to configure Static Identity NAT for the destination network.
But I would really need to know the exact source and destination networks/hosts to know what kind of NAT configuration you need.
In general, your error message tells us that the traffic matches different NAT rules depending on the direction of the traffic. Or the traffic might not match any NAT rule in the initial direction and then match something in the reverse direction.
- Jouni
02-06-2014 05:07 AM
Hi Jouni,
Yes, source is interface X.
Destination is interface Y.
Earlier I posted the current config from the ASA which involves NAT.
X IP 10.31.102.17/28
Y 172.16.0.21
It is good if I use no nat.
Regards
Mahesh
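As an added illustration (not configuration from Mahesh's ASA and not part of Jouni's reply), here are the two options Jouni describes, written in the pre-8.3 nat/static syntax the thread's own config uses and filled in with the 10.31.102.17/28 and 172.16.0.21 addresses Mahesh gives above. The ACL name X_nat0_outbound is an assumption; 10.31.102.16/28 is simply the /28 that contains 10.31.102.17.

```cisco
! Option 1, what Jouni calls NAT0 (NAT exemption): traffic from the /28
! behind X toward the syslog host behind Y is excluded from NAT on X, so
! the forward and reverse flows match the same (exempt) rule.
! ACL name X_nat0_outbound is an assumed name, not from the thread.
access-list X_nat0_outbound extended permit ip 10.31.102.16 255.255.255.240 host 172.16.0.21
nat (X) 0 access-list X_nat0_outbound
!
! Option 2, Static Identity NAT for the destination host: the real and
! mapped addresses are the same, so the rule exists only to make the
! X -> Y and Y -> X lookups agree (and, in multiple-context mode, to tell
! the classifier which context owns 172.16.0.21).
static (Y,X) 172.16.0.21 172.16.0.21 netmask 255.255.255.255
!
! Check: re-run the packet-tracer Jouni suggested. The NAT phase of the
! output should now show which of the two rules above the flow matched,
! rather than an asymmetric-rule / reverse path failure.
packet-tracer input X udp 10.31.102.17 12345 172.16.0.21 514
```

Only one of the two options is needed; pick NAT exemption when the whole source network should pass untranslated to Y, and identity static when you want a rule pinned to a single destination host.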
02-06-2014 05:16 AM
Hi,
Can you post the output of the following "packet-tracer" command
packet-tracer input X udp
Use for example the IP addresses in the log message that you originally posted.
Would they have been the following you mention above?
packet-tracer input X udp 10.31.102.17 12345 172.16.0.21 514
- Jouni
02-06-2014 06:58 AM
Hi Jouni,
I tried the above command.
Result:
input-interface: External
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed
This ASA is in Active/Active multicontext mode.
Regards
Mahesh
02-06-2014 07:27 AM
Hi,
I wonder if the command given was correct, as I would imagine the first log message doesn't refer to this situation.
Typically you would see this situation on a Multiple Context setup of ASA when you have an interface that is attached to more than 1 Security Context. This means it's a shared interface.
You would probably also have this configuration on the System Context
no mac-address auto
Which means that each context that has this shared interface has an identical MAC address.
Therefore the ASA Security Context to which this connection should go would have to have a NAT configuration for the destination IP address of the connection so it could classify the packet to the right Security Context.
But as I said I am not sure if the first log message relates to the output.
Could you share
- Jouni
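An added example (not output from Mahesh's firewall, and not part of Jouni's post) of the shared-interface layout Jouni describes: the system-context setting that leaves every context with the same MAC on the shared interface, and the per-context destination NAT the classifier then depends on. Context names CTX-A and CTX-B, the interface numbers and the config-url paths are placeholders.

```cisco
! --- System execution space (assumed layout; names are placeholders) ---
! With this setting each context's copy of the shared interface keeps the
! same burned-in MAC, so the classifier cannot use the destination MAC.
no mac-address auto
!
! GigabitEthernet0/0 is allocated to both contexts as "X": a shared interface.
context CTX-A
 allocate-interface GigabitEthernet0/0 X
 allocate-interface GigabitEthernet0/1 Y
 config-url disk0:/ctx-a.cfg
!
context CTX-B
 allocate-interface GigabitEthernet0/0 X
 allocate-interface GigabitEthernet0/2 Z
 config-url disk0:/ctx-b.cfg
!
! --- Inside CTX-A, the context that owns 172.16.0.21 behind Y ---
! With identical MACs the classifier falls back to the destination IP, and
! it learns destination IPs from nat/static statements. Without a statement
! naming 172.16.0.21, a packet arriving on shared interface X is dropped with
! "(ifc-classify) Virtual firewall classification failed", exactly as in
! Mahesh's packet-tracer output.
static (Y,X) 172.16.0.21 172.16.0.21 netmask 255.255.255.255
!
! Alternative fix in the system execution space: give each context's shared
! interface its own MAC, so the classifier can use the destination MAC and
! no longer needs a NAT statement per destination.
mac-address auto
```

Mahesh's closing post says a NAT exemption ACL resolved it, which matches the first approach: once the context holds a NAT statement covering the destination, the classifier can place the packet in that context and the asymmetric-NAT message stops.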
02-07-2014 11:28 AM
Hi Jouni,
We added nat exemption ACL now all is good.
Best regards
Mahesh