Cisco ASA 5510 - denied due to NAT reverse path failure.

ketansoni1
Level 1
Hi All,
Would you be able to shed some light on the below error message?  If you could look at the screenshot attached, it will show you the current setup. I have set this up using the ASDM, the packet is being denied when going from: 
Outside R1 to DMZ 192.168.*.* using TCP port 443 / 80

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse 
flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to 
NAT reverse path failure.
An attempt to connect to a mapped host using its actual address was rejected.

The recommend action states:
When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.

Thanks
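As an added example (not code from the thread or from Cisco), a small Python triage helper that parses the %ASA-5-305013 message format quoted above and checks it against a model of the static object NAT rule; the interface and object names follow the thread, while the addresses are constructed placeholders:

```python
import re

# Regex for the %ASA-5-305013 message body quoted in the post. "Connection for tcp"
# (as seen on real boxes) and "Connection tcp" are both accepted; the optional
# "(user)" identity-firewall fields are tolerated and ignored.
MSG_RE = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection (?:for )?(?P<proto>\w+) src (?P<src_if>[^:]+):(?P<src>[^/\s]+)/(?P<sport>\d+)"
    r"(?: \([^)]*\))? dst (?P<dst_if>[^:]+):(?P<dst>[^/\s]+)/(?P<dport>\d+)"
    r"(?: \([^)]*\))? denied due to NAT reverse path failure"
)

# Constructed model of the single static object NAT rule, mirroring the shape of
# 'nat (Inside,Outside-R1) static <mapped>' from the thread. Addresses are
# RFC 5737 / RFC 1918 placeholders, not the poster's real ones.
NAT_RULES = [
    {"object": "WAPAY01_Payrol_Server", "real_if": "Inside", "mapped_if": "Outside-R1",
     "real": "192.168.10.25", "mapped": "203.0.113.25"},
]

def parse_305013(line):
    """Return the fields of a 305013 message, or None if the line is something else."""
    m = MSG_RE.search(line)
    return m.groupdict() if m else None

def diagnose(line, rules=NAT_RULES):
    """Explain why the flow hit reverse-path failure, following the message's recommended action."""
    f = parse_305013(line)
    if f is None:
        return None
    for r in rules:
        # The case the message describes: a host on the mapped side (Outside-R1) aimed at
        # the real (inside) address instead of the mapped one.
        if f["src_if"] == r["mapped_if"] and f["dst"] == r["real"]:
            return (f"{f['src']} on {f['src_if']} reached {r['object']} by its real address "
                    f"{r['real']}; from {r['mapped_if']} it must use the mapped address {r['mapped']}")
        # A rule exists but its interface pair does not match the flow (the "any,outside"
        # versus "dmz,outside" point raised in the replies).
        if f["dst"] in (r["real"], r["mapped"]) and f["src_if"] != r["mapped_if"]:
            return (f"NAT rule for {r['object']} is scoped ({r['real_if']},{r['mapped_if']}) "
                    f"but the flow arrived on {f['src_if']}; check the rule's interface pair")
    return "no NAT rule in the model covers destination " + f["dst"]

# Constructed sample line in the format quoted above.
SAMPLE = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
          "Connection tcp src Outside-R1:198.51.100.7/51234 dst Inside:192.168.10.25/443 "
          "denied due to NAT reverse path failure")
```

Run `diagnose(SAMPLE)` on the constructed line to see the "use the mapped address" verdict; feed it your own syslog export to triage each 305013 hit.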

6 Replies

Marvin Rhoads
Hall of Fame

From what I can see on the screenshot, your NAT rule is referencing "any,outside" while the server resides in the DMZ.

The NAT rule would normally be created referencing "dmz,outside".

Thank you for the quick reply, unfortunately this did not work.

I have changed the server from being in the DMZ to Inside to no joy, whilst leaving the NAT rules as they were.

Also changed the NAT rules to dmz public to outside - with no joy, please see attached png

Hi,

Could you please share a show run access-list of the acl that is placed in the outside and a show run nat? 

Best regards,

access-list Inside-Access-In extended permit ip object WAPAY01_Payrol_Server any log

access-list Outside-R1-In extended permit object-group DM_INLINE_SERVICE_6 any object WAPAY01_Payrol_Server log

access-list DMZ-Public-In extended permit object-group DM_INLINE_SERVICE_3 object WAPAY01_Payrol_Server any log inactive  (this is not in use)


NAT
object network WAPAY01_Payrol_Server
nat (Inside,Outside-R1) static 82.*.*.*  (I have taken out the public IP address)

Hope this helps, also please see screenshot 

Is your WAPAY01 server on the inside or DMZ subnet? You mention both at various points. Is it multi-homed?

It is only on the inside interface. No longer sitting within the DMZ subnet
