Basic ASA question

mrskater99 (Level 1)

Hi all,

I've got what is probably a very basic question, but I can't figure it out.

I have:

Internet (ADSL) -> 2851 (ADSL wic) -> 5520 -> internal LAN (192.168.1.x/24)

The asa has just replaced a Checkpoint firewall.

I've set up the ASA to the point where all hosts on the internal LAN have internet access (using a dynamic PAT on that network).  This all works well.

The problem I have is I am trying to allow access from the internet to an internal host on a specific TCP port (as I had done on the Checkpoint), but I'm getting:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:111.111.111.11/52135 dst inside:192.168.1.252/5555 denied due to NAT reverse path failure

From what I have read I need to add a NAT exemption for this particular use case, to avoid the dynamic NAT I have set up, but I'm not sure how to do so.

I'm running 9.1 on the ASA, no VPNs yet.  Just this basic setup.

Could someone help me out?

Cheers,

Scotty


8 Replies

Jennifer Halim (Cisco Employee)

Have you run "clear xlate" after the changes or addition to the new static rule that you have configured?

Also, can you share what you have configured for both the dynamic and the static NAT?

Thanks.

Hi Jennifer,

The ASA only contains the single dynamic NAT:

nat (inside,outside) dynamic interface

The static NAT is on the 2851 in front of the ASA (on the outside interface):

ip nat inside source static tcp 192.168.1.252 5555 interface Dialer1 5555

I'm not sure what the NAT exemption on the ASA should look like to make this work.

Cheers,

Scotty

Ahhh, yes, you would need a NAT exemption on the ASA, and also the router should have a route for 192.168.1.252 pointing towards the ASA outside interface IP.

The NAT exemption will be as follows:

object network obj-192.168.1.252
   host 192.168.1.252
nat (inside,outside) source static obj-192.168.1.252 obj-192.168.1.252

Then "clear xlate"

Hope that helps.

Thanks so much!  Works perfectly!

Excellent, thanks for the update.

Sorry Jennifer, that allows connections into 192.168.1.252 from the internet, but .252 has now lost access to the internet (i.e. the dynamic NAT for the internal network).

Is there a way to achieve both?

OK, so I got this working by doing the following to narrow down the NAT exemption to only be the traffic on 5555:

nat (inside,outside) source static xbmc-lounge xbmc-lounge service xxx-custom-out xxx-custom-out

where xxx-custom-out is src 5555 dest any

Is this the correct way of doing this though?

Yes, that is the correct way to do it. Spot on.
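Pulling the thread's pieces together, here is the complete ASA 9.1 NAT set that the fix amounts to, as an added example that is not from any of the posts. The 192.168.1.0/24 network, host .252 and TCP port 5555 come from the question; the object and service names are constructed (the thread's own are xbmc-lounge and xxx-custom-out), the ACL name outside_in is an assumption, and the router's next hop is a placeholder. The service object spells out the "src 5555 dest any" definition the thread only describes in words.

```text
! Added example, not configuration from the thread. Names below are constructed.

! Dynamic PAT for the whole inside network (object NAT, evaluated in section 2)
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! The forwarded host and the service that limits the exemption to TCP/5555
object network obj-192.168.1.252
 host 192.168.1.252
object service svc-tcp-5555-src
 service tcp source eq 5555

! Identity (exemption) NAT restricted to the forwarded port. Manual NAT sits in
! section 1, ahead of the dynamic PAT, so the inbound forward flow and its reverse
! flow match the same rule; every other flow from .252 falls through to the PAT.
nat (inside,outside) source static obj-192.168.1.252 obj-192.168.1.252 service svc-tcp-5555-src svc-tcp-5555-src

! Inbound permit is still required; 9.x ACLs reference the real (untranslated) address.
! Narrow "any" to the expected client range where that is known.
access-list outside_in extended permit tcp any host 192.168.1.252 eq 5555
access-group outside_in in interface outside

! Drop existing translations so the new rule is used
clear xlate

! On the 2851 (IOS), alongside the port forward from the thread:
! ip route 192.168.1.252 255.255.255.255 ASA-OUTSIDE-IP-PLACEHOLDER
```

To confirm the two flows now agree before testing from the internet, run `show nat` to check that the identity rule appears in section 1 above the dynamic PAT, and `packet-tracer input outside tcp 111.111.111.11 52135 192.168.1.252 5555` (the address and port from the original denial message) to watch the NAT and ACL phases allow the packet; a second trace from inside with a different source port on .252 should show the dynamic PAT being applied, which is the behaviour the service-limited exemption preserves.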
