denied due to NAT reverse path failure
10-10-2014 10:15 AM - edited 03-11-2019 09:54 PM
I have seen lots about this, but none seem to match my issue.
I have an ASA 5550 with an inside, outside and DMZ network; hanging off the inside I have an ASA 5505 with my database network.
I can get to my db net from the inside, and via an outside NAT from the outside. But no matter what I do I cannot get to it from the DMZ. The db net can access the DMZ for DNS and such, but I cannot originate contact from the DMZ.
I am getting the following when connecting via the DMZ:
5 Oct 10 2014 13:02:29 305013 x.x.129.1 172.20.0.80 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src web_dmz:x.x.129.1 dst inside:172.20.0.80 (type 8, code 0) denied due to NAT reverse path failure
path would be x.x.129.0 net -> 192.168.99.0 net -> 172.20.0.0 net

10-10-2014 10:00 PM
Hi,
Would you be able to share the configuration from the ASA device?
Also, try a packet trace from DMZ to the inside server?
Thanks and Regards,
Vibhor Amrodia
10-13-2014 04:28 AM
10-13-2014 05:50 AM
Here is the packet trace:
Phases: Access-List, Route-Lookup, Access-List, Ip-Options, NAT
RESULT - The packet is dropped.
info: (acl-drop) Flow is denied by configured rule
10-14-2014 12:46 AM
What was the source IP you used? Normally an RPF failure in the packet tracer would indicate that you have sourced the packet from the wrong IP.
packet-tracer input web_dmz tcp x.x.129.10 12345 172.20.0.80 80 detail
--
Please remember to select a correct answer and rate helpful posts
10-14-2014 04:19 AM
Absolutely using the correct IP address, for source and dest.
From the inside I can ping the 172, but coming through the DMZ to the inside I cannot.
Inside is a 192 net, db net is a 172 net.
ciscoasa# packet-tracer input web_dmz tcp x.x.130.8 sqlnet 172.20.0.80 sqlnet$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242ed5a0, priority=1, domain=permit, deny=false
hits=19230845209, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit tcp object-group EmediaVa-Servers any object-group DM_INLINE_TCP_5
access-list web_dmz_access_in remark out for Qumu
object-group network EmediaVa-Servers
description: EmediaVa Servers
network-object host x.x.128.94
network-object host x.x.130.106
network-object host x.x.130.107
network-object host x.x.130.113
network-object host x.x.130.115
network-object host x.x.130.9
network-object host x.x.130.108
network-object host x.x.130.8
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
port-object eq ldap
port-object eq ldaps
port-object eq sqlnet
port-object eq ssh
port-object eq 3306
Additional Information:
Forward Flow based lookup yields rule:
in id=0x245cd7a0, priority=12, domain=permit, deny=false
hits=42, user_data=0x1dbac5c0, cs_id=0x0, flags=0x0, protocol=6
src ip=64.5.130.8, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242efb38, priority=0, domain=inspect-ip-options, deny=true
hits=540245079, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect sqlnet
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269e4100, priority=70, domain=inspect-sqlnet, deny=false
hits=107, user_data=0x269e3cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any web_dmz any
dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
translate_hits = 1471616, untranslate_hits = 53052
Additional Information:
Forward Flow based lookup yields rule:
out id=0x24593bb8, priority=1, domain=nat-reverse, deny=false
hits=861010, user_data=0x24593948, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: web_dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-14-2014 04:21 AM
For the sake of elimination, could you add a permit ip any any to the web_dmz_access_in ACL and test? Just remember to remove it after you are done testing.
--
Please remember to select a correct answer and rate helpful posts
10-14-2014 04:26 AM
Looks like the same result:
ciscoasa# packet-tracer input web_dmz tcp x.x.130.8 sqlnet 172.20.0.80 sqlnet$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242ed5a0, priority=1, domain=permit, deny=false
hits=19237240552, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.20.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group web_dmz_access_in in interface web_dmz
access-list web_dmz_access_in extended permit ip any any
access-list web_dmz_access_in remark Eduwidgets
Additional Information:
Forward Flow based lookup yields rule:
in id=0x28a6e870, priority=12, domain=permit, deny=false
hits=912, user_data=0x1db70040, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x242efb38, priority=0, domain=inspect-ip-options, deny=true
hits=540465202, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: inspect-sqlnet
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect sqlnet
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x269e4100, priority=70, domain=inspect-sqlnet, deny=false
hits=109, user_data=0x269e3cb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=1521, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
match ip inside any web_dmz any
dynamic translation to pool 10 (x.x.128.1 [Interface PAT])
translate_hits = 1472039, untranslate_hits = 53052
Additional Information:
Forward Flow based lookup yields rule:
out id=0x24593bb8, priority=1, domain=nat-reverse, deny=false
hits=861241, user_data=0x24593948, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: web_dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-14-2014 07:49 AM
Okay, it has been solved. I opened a case with Cisco. This was a high priority item for me; I needed to add a NAT for the 172 net on the web-dmz. I only had a NAT statement for it on the inside.
static (inside,web_dmz) 172.20.0.80 172.20.0.80 etc.......
So all is working now, yay Cisco, thank you for all the help.
10-13-2014 01:20 AM
Well, the log error states it quite clearly. You have two NAT statements that match the traffic, and it would seem that these statements reference different interfaces.
As Vibhor has mentioned, we would need to see your configuration in order to find the statement/s that are causing the issue. Or you could try combing through your configuration yourself in order to find it.
--
Please remember to select a correct answer and rate helpful posts
