NAT reverse path failure after upgrading from 8.4(1) to 8.4(4.1)

Joerg -

Hello there,

after upgrading an ASA5520 from 8.4(1) to 8.4(4.1) I ran into the following trouble:

  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.149.21/53 dst inside:192.168.37.123/53  denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.150.157/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.137.93/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.215.9/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.216.11/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.146.7/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.148.2/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.145.1/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure
  • Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.147.5/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure

Everything worked fine before... I know about the problems when upgrading to 8.3 but didn't find a hint on upgrading from 8.4(1) to 8.4(4.1).

All the subnets mentioned above are connected via VPN.

If anyone ran into this as well or has any clue please drop me a line...

Best regards,

Joerg


varrao

Can you share your NAT configuration?

Thanks,
Varun Rao
Security Team,
Cisco TAC

Hi Varun,

thanks for the answer.

Attached you'll find the NAT configuration.

Thanks in advance,

Joerg

Can you tell me the name of the object for these two IPs?

192.168.149.21/53 192.168.37.123/53

Thanks,
Varun Rao
Security Team,
Cisco TAC

192.168.149.0/24 LAN-NewYork

192.168.37.0/17 LAN-Aix

You're welcome...

Best regards,

Joerg

I cannot see any NAT statement from LAN-NewYork to LAN-Aix. Are you missing any NATs after the upgrade? Can you add a NAT for this traffic as well?

Thanks,
Varun Rao
Security Team,
Cisco TAC

This is actually a working NAT with 8.4(1).

LAN-Aix is included in object-group Remote_Offices...
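
A triage script for the syslog messages quoted in this thread, added here as an example (it is not from any poster or from Cisco): it parses each "NAT reverse path failure" line and groups the denied flows by interface and by the object names given in the thread, which shows at a glance which source/destination pairs need their forward and reverse NAT rules compared. The regular expression is fitted only to the message text shown above, and the function and variable names are made up for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Fitted to the message text quoted in the thread (an assumption: other
# ASA releases may word or space the message differently).
RPF_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/\d+\s+"
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/\d+\s+"
    r"denied due to NAT reverse path failure"
)

# Object names and prefixes exactly as posted in the thread. strict=False
# accepts 192.168.37.0/17 and normalises it to its network, 192.168.0.0/17.
OBJECTS = {
    "LAN-NewYork": ipaddress.ip_network("192.168.149.0/24"),
    "LAN-Aix": ipaddress.ip_network("192.168.37.0/17", strict=False),
}

def object_for(ip):
    """Return the most specific named object containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net in OBJECTS.items() if addr in net]
    return max(hits)[1] if hits else None

def summarize(lines):
    """Group denied flows by (src_if, src_object, dst_if, dst_object)."""
    groups = defaultdict(set)
    for line in lines:
        m = RPF_RE.search(line)
        if m is None:
            continue  # not a reverse-path-failure message
        key = (m["src_if"], object_for(m["src_ip"]), m["dst_if"], object_for(m["dst_ip"]))
        groups[key].add(m["src_ip"])
    return {k: sorted(v) for k, v in groups.items()}

# Three messages copied from the thread plus one constructed unrelated line.
SAMPLE = [
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.149.21/53 dst inside:192.168.37.123/53  denied due to NAT reverse path failure",
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.150.157/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure",
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.137.93/53 dst inside:192.168.37.123/53   denied due to NAT reverse path failure",
    "constructed filler line that is not a NAT message",
]

if __name__ == "__main__":
    for key, sources in summarize(SAMPLE).items():
        print(key, sources)
```

A source that maps to `None` is one for which the thread names no object, so its NAT rule has to be looked up in the configuration itself.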
