03-24-2020 12:25 PM - edited 03-24-2020 10:56 PM
Hello Experts,
I am new to security, please bear with me. I am practising NAT on Cisco ASA and referring to the link below.
The following example configures dynamic NAT for dmz users on a private network when they access the outside. Also, when dmz users connect to an outside web server, that web server address is translated to an address that appears to be on the dmz network.
ASA-A(config)# sh run object
object network nat-pool
range 12.0.0.50 12.0.0.60
object network dmz-subnet
subnet 172.16.10.0 255.255.255.0
object network obj-r5
host 5.5.5.5
object network obj-r2
host 12.0.0.2
When I tried to telnet to 5.5.5.5 (R5 loopback) from R4, I got the error "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src dmz:172.16.10.4/28454 dst outside:5.5.5.5/23 denied due to NAT reverse path failure"
%ASA-7-609002: Teardown local-host outside:5.5.5.5 duration 0:00:00. When a packet goes from R4, src 172.16.10.4 is translated to a random IP from the NAT pool, e.g. 12.0.0.56, because of the NAT statement configured. But when the ASA receives the packet from R5, src is 5.5.5.5 and dest is 12.0.0.56. So does the ASA untranslate 12.0.0.56 to 172.16.10.4, or does it match the NAT rule below first?
object network obj-r5
nat (outside,dmz) static 172.16.10.50
When I try to telnet to 172.16.10.50 from R4, I can telnet to R5.
I am not able to understand this flow. Could someone please help here?
Many thanks,
Nick
03-27-2020 05:40 AM
Hi,
The ASA does not allow the session from R4 to R5 (5.5.5.5) to flow, because it knows by parsing the config that when the reply comes to the ASA, with a source of 5.5.5.5 and destination of R4, the 5.5.5.5 gets NAT'ed into 172.16.10.50, and this is a broken session from the initiator's perspective (it sends packets with source R4 and destination 5.5.5.5; the reply should be with source of 5.5.5.5 and destination of R4, which is not the case as the ASA NATs 5.5.5.5).
As said, per your config and desired outcome, you need to initiate traffic from R4 towards the NAT'ed/mapped address of R5, not towards the real one.
Regards,
Cristian Matei.
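To make the accepted answer's reasoning concrete, here is an added Python model of the ASA's new-connection NAT decision for the two flows discussed in this thread (R4 telnetting to 5.5.5.5 versus to 172.16.10.50). It is illustrative code written for this page, not ASA code or Cisco's algorithm: the rule set is rebuilt from the posted objects and NAT statements, the dynamic pool is assumed to hand out its lowest address, and the interface names dmz and outside are taken from the syslog line in the question. The reverse-path check it performs is the one the answer describes: the ASA works out how the reply's source address would be translated on its way back and refuses the connection if that does not match the address the client originally sent to.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the thread's configuration (interfaces: dmz = R4 side, outside = R5 side).
# Not ASA code; the lookup order below is a simplified illustration of the NAT reverse-path check.


@dataclass
class NatRule:
    real_if: str      # interface where the real (untranslated) address lives
    mapped_if: str    # interface where the mapped (translated) address is seen
    real: str         # real host or subnet, e.g. "172.16.10.0/24" or "5.5.5.5"
    mapped: List[str]  # static: one mapped address; dynamic: the pool of mapped addresses
    kind: str         # "static" or "dynamic"


def address_range(first: str, last: str) -> List[str]:
    """Expand 'range A B' from an object network into a list of addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


# object network nat-pool: range 12.0.0.50 12.0.0.60
NAT_POOL = address_range("12.0.0.50", "12.0.0.60")

RULES = [
    # object network dmz-subnet -> nat (dmz,outside) dynamic nat-pool
    NatRule("dmz", "outside", "172.16.10.0/24", NAT_POOL, "dynamic"),
    # object network obj-r5 (host 5.5.5.5) -> nat (outside,dmz) static 172.16.10.50
    NatRule("outside", "dmz", "5.5.5.5", ["172.16.10.50"], "static"),
]


def find_source_rule(rules: List[NatRule], ingress: str, egress: str,
                     src: str, static_only: bool = False) -> Optional[NatRule]:
    """Rule whose real side is the ingress interface and whose real address covers src."""
    for r in rules:
        if static_only and r.kind != "static":
            continue
        if r.real_if == ingress and r.mapped_if == egress and in_net(src, r.real):
            return r
    return None


def find_destination_rule(rules: List[NatRule], ingress: str, egress: str,
                          dst: str) -> Optional[NatRule]:
    """Static rule presenting dst on the ingress interface as a mapped address of a real host on egress.
    Dynamic rules create no such reverse mapping for a brand-new connection, so they are skipped."""
    for r in rules:
        if r.kind == "static" and r.mapped_if == ingress and r.real_if == egress and dst in r.mapped:
            return r
    return None


def check_new_connection(rules: List[NatRule], ingress: str, egress: str,
                         src: str, dst: str) -> dict:
    """Decide whether a new flow is built, mimicking the thread's NAT reverse path failure."""
    # 1. Destination: if dst is a mapped address on the ingress side, untranslate it.
    dst_rule = find_destination_rule(rules, ingress, egress, dst)
    real_dst = dst_rule.real if dst_rule else dst

    # 2. Source: translate src with the (ingress,egress) rule. Assumption: lowest pool address is used.
    src_rule = find_source_rule(rules, ingress, egress, src)
    mapped_src = src_rule.mapped[0] if src_rule else src

    # 3. Reverse path check: the reply arrives on egress with src=real_dst, dst=mapped_src.
    #    The reply's destination untranslates through the xlate created in step 2, so it is
    #    always consistent; the reply's source is the part that can be asymmetric.
    reply_rule = find_source_rule(rules, egress, ingress, real_dst, static_only=True)
    reply_src_as_seen_by_client = reply_rule.mapped[0] if reply_rule else real_dst
    if reply_src_as_seen_by_client != dst:
        return {
            "allowed": False,
            "reason": (f"Asymmetric NAT rules matched for forward and reverse flows: "
                       f"client sent to {dst}, but the reply source {real_dst} would be "
                       f"translated to {reply_src_as_seen_by_client}"),
        }
    return {"allowed": True, "egress_src": mapped_src, "egress_dst": real_dst}


if __name__ == "__main__":
    # The failing flow from the question and the working flow from the answer.
    for dst in ("5.5.5.5", "172.16.10.50"):
        print(f"dmz 172.16.10.4 -> outside {dst}:",
              check_new_connection(RULES, "dmz", "outside", "172.16.10.4", dst))
```

Running it shows the first flow denied with the asymmetric-NAT reason (5.5.5.5 would come back as 172.16.10.50, which is not what R4 sent to) and the second flow built with src 12.0.0.50 and dst 5.5.5.5 on the outside interface, which is exactly why telnetting to the mapped address works while telnetting to the real address does not.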
03-24-2020 01:35 PM
Hi,
Post your full NAT and object/object group configurations.
Regards,
Cristian Matei.
03-24-2020 10:44 PM
Hi Cristian,
Please find the snapshot below.
Thanks
03-25-2020 12:11 AM
Hi,
Per your NAT configuration, specifically "nat (outside,dmz) source static 5.5.5.5 172.16.10.50", the Loopback of R5 (5.5.5.5) is visible on the DMZ side of the ASA as 172.16.10.50. So when you initiate traffic from R4 towards the Loopback of R5, you should initiate it towards 172.16.10.50, not towards 5.5.5.5.
Regards,
Cristian Matei.
03-25-2020 04:24 AM
OK, but if I telnet to 5.5.5.5 from R4,
the ASA checks the nat (dmz,outside) dynamic nat-pool statement and, for example, translates 172.16.10.4 to 12.0.0.56.
1) But what happens when the ASA receives the reply from R5? src is 5.5.5.5, destination is e.g. 12.0.0.56. Does the ASA translate 12.0.0.56 to 172.16.10.4,
OR
2) does it consider checking nat (outside,dmz) static 172.16.10.50?
How are the checks performed here? Will it check the connection table first or the NAT statement?
Thanks
03-27-2020 07:51 AM
Thank you very much, Cristian, for your valuable comment.