08-02-2018 07:51 AM - edited 02-21-2020 08:02 AM
Good day. I've found similar posts to my question, but all I've done is confuse myself some more.
I was troubleshooting an issue with a connection sourcing from my DMZ to my internal network when I received the following message:
Aug 01 2018 10:48:04: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src DMZ1:10.17.178.22/46002 dst INSIDE:10.13.50.107/53 denied due to NAT reverse path failure
Long story short, when I ran packet tracer to see what was going on, it said that traffic was being dropped due to this:
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-02
 nat (INSIDE,DMZ1) dynamic obj-0.0.0.0
What is the meaning of this?
Thank you in advance
Warren
08-02-2018 08:57 AM
What is defined in this object "obj-0.0.0.0"?
08-02-2018 09:01 AM
This is what's configured:
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-02
 nat (INSIDE,DMZ1) dynamic obj-0.0.0.0
I don't see anything else; the above is all that I can find related to this, so that is why I am kind of confused as to what this does.
08-02-2018 09:31 AM - edited 08-02-2018 09:35 AM
What the configuration states is that you are using PAT translation from your inside interface to the DMZ1 interface. The "dynamic" keyword makes it a PAT and the "obj-0.0.0.0" object is the IP address or addresses used for the PAT. Are you intending to PAT out to the DMZ1? If you are, you can't source traffic from DMZ1 to the inside address behind the PAT. The reason I asked about the object "obj-0.0.0.0" is to see what IP or IPs are configured under that object. You can use the command show run object id obj-0.0.0.0 in order to find out what is being used for the PAT. But it seems like this is configured incorrectly.
08-02-2018 09:39 AM
Quick background: the original engineer left the company, so I am new here and I wasn't sure what this is for,
but I did what you asked and got the following:
FW-CHOF-INET1# sh run object id obj-0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
FW-CHOF-INET1#
We were sourcing from a server within the DMZ to a server in the internal network when I started getting connectivity issues. I removed this statement and connectivity is good now. I was just wondering what this statement does, as it didn't make any sense to me. It looks like it is doing a PAT to nothing.
08-02-2018 10:14 AM
It did create a PAT, but it was unusable based on the IP address in the object. I'm not sure why the previous engineer would add that configuration. But it's good that everything is working.
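As an added example (not part of this thread or Cisco's tooling), the script below parses the %ASA-5-305013 message quoted above, parses the object/nat excerpt from the running config, and flags any NAT rule on the denied flow's interface pair whose mapped object resolves to 0.0.0.0, which is the condition Troy identified. The log line and config text are reconstructed from the thread; the 0.0.0.0 check is my own heuristic.

```python
import re

# Constructed sample input, reproduced from the thread: the denied-flow syslog and the config excerpt.
LOG_LINE = ("Aug 01 2018 10:48:04: %ASA-5-305013: Asymmetric NAT rules matched for forward "
            "and reverse flows; Connection for tcp src DMZ1:10.17.178.22/46002 "
            "dst INSIDE:10.13.50.107/53 denied due to NAT reverse path failure")
CONFIG = """\
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 nat (INSIDE,DMZ1) dynamic obj-0.0.0.0
"""

LOG_RE = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)")

def parse_305013(line):
    """Extract protocol, interfaces, addresses and ports from a 305013 syslog line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def parse_objects(config):
    """Return {name: {"addr": 'host ...' or 'subnet ...', "nat": [(real_if, mapped_if, kind, mapped_obj)]}}."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {"addr": None, "nat": []})  # re-entering an object keeps earlier lines
        elif current and (line.startswith("host ") or line.startswith("subnet ")):
            objects[current]["addr"] = line
        elif current and line.startswith("nat ("):
            m = NAT_RE.match(line)
            if m:
                objects[current]["nat"].append(m.groups())
    return objects

def suspect_rules(event, objects):
    """NAT rules spanning the denied flow's interface pair whose mapped object is address 0.0.0.0."""
    pair = {event["src_if"], event["dst_if"]}
    hits = []
    for name, obj in objects.items():
        for real_if, mapped_if, kind, mapped in obj["nat"]:
            mapped_addr = objects.get(mapped, {}).get("addr") or ""
            if {real_if, mapped_if} == pair and mapped_addr.split()[1:2] == ["0.0.0.0"]:
                hits.append(f"object network {name}: nat ({real_if},{mapped_if}) {kind} {mapped} -> {mapped_addr}")
    return hits

if __name__ == "__main__":
    for hit in suspect_rules(parse_305013(LOG_LINE), parse_objects(CONFIG)):
        print("suspect:", hit)
```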
08-02-2018 10:18 AM
Thank you Troy for your help much appreciated!!!
Thank you again and have a great weekend!!!!
Thank you
Warren