denied due to NAT reverse path failure

benningtonr
Level 1

I have seen lots about this, but none seem to match my issue.

I have an asa5550 with an inside, outside and DMZ network. Hanging off the inside I have an asa5505 with my database network.

I can get to my db net from the inside, and via an outside NAT from the outside. But no matter what I do I cannot get to it from the DMZ. The db net can access the DMZ for DNS and such, but I cannot originate contact from the DMZ.

I am getting the following when connecting via the DMZ:

5 Oct 10 2014 13:02:29 305013 x.x.129.1 172.20.0.80 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src web_dmz:x.x.129.1 dst inside:172.20.0.80 (type 8, code 0) denied due to NAT reverse path failure

path would be x.x.129.0 net -> (asa5550) 192.168.99.0 net -> (asa5505) 172.20.0.0 net

Vibhor Amrodia
Cisco Employee

Hi,

Would you be able to share the configuration from the ASA device ?

Also , try a packet trace from DMZ to the inside server ?

Thanks and Regards,

Vibhor Amrodia

Here are the configs; the 99.1 is the outside/inside/DMZ.

The 98.17 is the inside/inside behind the 99.1 inside network

I am getting the error on the 99.1 ASA.

Here is the packet trace:

Access-List

Type -ACCESS-LIST
Action -ALLOW
Show rule in Access Rules table.
Config
Implicit Rule
Info
MAC Access list

Route-Lookup

Type -ROUTE-LOOKUP
Action -ALLOW
Info
in 172.20.0.0 255.255.255.0 inside

Access-List

Type -ACCESS-LIST
Action -ALLOW
Show rule in Access Rules table.
Config
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
object-group network DM_INLINE_NETWORK_13
network-object host x.x.129.1
network-object host x.x.130.8
object-group network DM_INLINE_NETWORK_14
network-object host 172.20.0.80
network-object host x.x.141.40

Ip-Options

Type -IP-OPTIONS
Action -ALLOW

NAT

Type -NAT
Subtype -rpf-check
Action -DROP
Show rule in NAT Rules table. 
Config

nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any web_dmz any
dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
translate_hits = 1435672, untranslate_hits = 51898

RESULT - The packet is dropped.

info: (acl-drop) Flow is denied by configured rule

What was the source IP you used? Normally an RPF failure in the packet tracer would indicate that you have sourced the packet from the wrong IP.

packet-tracer input web_dmz tcp x.x.129.10 12345 172.20.0.80 80 detail

--

Please remember to select a correct answer and rate helpful posts


Absolutely using the correct IP address, for source and dest.

From the inside I can ping the 172, but coming through the dmz to the inside I cannot.

Inside is a 192 net, db net is a 172 net.

ciscoasa# packet-tracer input web_dmz tcp x.x.130.8 sqlnet 172.20.0.80 sqlnet$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x242ed5a0, priority=1, domain=permit, deny=false
        hits=19230845209, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.20.0.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit tcp object-group EmediaVa-Servers any object-group DM_INLINE_TCP_5
access-list web_dmz_access_in remark out for Qumu
object-group network EmediaVa-Servers
 description: EmediaVa Servers
 network-object host x.x.128.94
 network-object host x.x.130.106
 network-object host x.x.130.107
 network-object host x.x.130.113
 network-object host x.x.130.115
 network-object host x.x.130.9
 network-object host x.x.130.108
 network-object host x.x.130.8
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
 port-object eq ldap
 port-object eq ldaps
 port-object eq sqlnet
 port-object eq ssh
 port-object eq 3306
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x245cd7a0, priority=12, domain=permit, deny=false
        hits=42, user_data=0x1dbac5c0, cs_id=0x0, flags=0x0, protocol=6
        src ip=64.5.130.8, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x242efb38, priority=0, domain=inspect-ip-options, deny=true
        hits=540245079, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sqlnet
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x269e4100, priority=70, domain=inspect-sqlnet, deny=false
        hits=107, user_data=0x269e3cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any web_dmz any
    dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
    translate_hits = 1471616, untranslate_hits = 53052
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x24593bb8, priority=1, domain=nat-reverse, deny=false
        hits=861010, user_data=0x24593948, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: web_dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

For the sake of elimination, could you add a permit ip any any to the web_dmz_access_in ACL and test? Just remember to remove it after you are done testing.

--

Please remember to select a correct answer and rate helpful posts


Looks like the same result:

ciscoasa# packet-tracer input web_dmz tcp x.x.130.8 sqlnet 172.20.0.80 sqlnet$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x242ed5a0, priority=1, domain=permit, deny=false
        hits=19237240552, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.20.0.0      255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit ip any any
access-list web_dmz_access_in remark Eduwidgets
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x28a6e870, priority=12, domain=permit, deny=false
        hits=912, user_data=0x1db70040, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x242efb38, priority=0, domain=inspect-ip-options, deny=true
        hits=540465202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect sqlnet
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x269e4100, priority=70, domain=inspect-sqlnet, deny=false
        hits=109, user_data=0x269e3cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any web_dmz any
    dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
    translate_hits = 1472039, untranslate_hits = 53052
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x24593bb8, priority=1, domain=nat-reverse, deny=false
        hits=861241, user_data=0x24593948, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: web_dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Okay, it has been solved. I opened a case with Cisco. This was a high priority item for me; I needed to add a NAT for the 172 net on the web-dmz. I only had a NAT statement for it on the inside.

static (inside,web_dmz) 172.20.0.80 172.20.0.80 etc.......

So all is working now, yay Cisco, thank you for all the help.
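The mismatch the thread ends on, modelled as an added example (not code from the thread or from Cisco): a toy pre-8.3 NAT lookup that runs the forward and reverse flow for web_dmz -> 172.20.0.80, first with only the dynamic PAT from the trace and then with the identity static from the fix listed ahead of it. The address 198.51.100.1 is a constructed stand-in for the redacted x.x.128.1, and the rule matching is a simplification of what the ASA actually does.

```python
# Added example (not from the thread): a small model of the pre-8.3 ASA NAT
# reverse-path check behind "Asymmetric NAT rules matched for forward and reverse
# flows". Simplified: list order is precedence, static entries before dynamic PAT.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_PAT_ADDR = "198.51.100.1"  # constructed stand-in for the redacted x.x.128.1

@dataclass
class NatRule:
    kind: str       # "static" or "dynamic"
    real_if: str    # interface the real address lives behind
    mapped_if: str  # interface on which the mapped address is seen
    real_net: str   # real address range (CIDR)
    mapped: str     # address substituted on mapped_if

def translate(rules, real_if, mapped_if, real_addr):
    """How real_addr appears on mapped_if; unchanged if no rule applies."""
    host = ip_address(real_addr)
    for rule in rules:
        if (rule.real_if == real_if and rule.mapped_if == mapped_if
                and host in ip_network(rule.real_net)):
            return rule.mapped
    return real_addr

def untranslate(rules, mapped_if, real_if, mapped_addr):
    """Forward-flow dst lookup: map an address seen on mapped_if to its real one."""
    for rule in rules:
        if (rule.kind == "static" and rule.mapped_if == mapped_if
                and rule.real_if == real_if and rule.mapped == mapped_addr):
            return str(ip_network(rule.real_net).network_address)
    return mapped_addr

def rpf_check(rules, in_if, out_if, dst):
    """True when the reply's translated source equals the forward flow's dst."""
    real_dst = untranslate(rules, in_if, out_if, dst)      # forward flow
    reply_src = translate(rules, out_if, in_if, real_dst)  # reverse flow
    return reply_src == dst

# nat (inside) 10 0.0.0.0 0.0.0.0 -> Interface PAT on web_dmz (as in the trace)
DYNAMIC_PAT = NatRule("dynamic", "inside", "web_dmz", "0.0.0.0/0", DMZ_PAT_ADDR)
# static (inside,web_dmz) 172.20.0.80 172.20.0.80 (the fix reported in the thread)
IDENTITY = NatRule("static", "inside", "web_dmz", "172.20.0.80/32", "172.20.0.80")

def before_fix():  # reply source would be PATed to the interface address: drop
    return rpf_check([DYNAMIC_PAT], "web_dmz", "inside", "172.20.0.80")

def after_fix():  # identity static matches the reply first: both flows agree
    return rpf_check([IDENTITY, DYNAMIC_PAT], "web_dmz", "inside", "172.20.0.80")
```

With only the dynamic rule, the reply from 172.20.0.80 toward web_dmz would be rewritten to the interface address, which is the forward/reverse disagreement the 305013 message reports; the identity static makes both lookups agree.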

Well, the log error states it quite clearly. You have two NAT statements that match the traffic and it would seem that these statements reference different interfaces.

As Vibhor has mentioned we would need to see your configuration in order to find the statement/s that are causing the issue.  Or you could try combing through your configuration yourself in order to find it.

--

Please remember to select a correct answer and rate helpful posts
