object network obj_any-02 subnet 0.0.0.0 0.0.0.0

Warren

Good day. I've found a similar post to my question, but all I've done is confuse myself some more.

I was troubleshooting an issue with a connection sourcing from my DMZ to my internal network when I received the following message:

 

Aug 01 2018 10:48:04: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src DMZ1:10.17.178.22/46002 dst INSIDE:10.13.50.107/53 denied due to NAT reverse path failure

Long story short, when I ran packet tracer to see what was going on, it said that traffic was being dropped due to this:

 

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

 

object network obj_any-02

nat (INSIDE,DMZ1) dynamic obj-0.0.0.0

 

What is the meaning of this?

 

Thank you in advance

 

Warren



Troy Jackson

What is defined in this object "obj-0.0.0.0"?

 

Please remember to rate useful posts, by clicking on the star below.
-Troy J.

This is what is configured:

 

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

 

object network obj_any-02

nat (INSIDE,DMZ1) dynamic obj-0.0.0.0

 

I don't see anything else; the above is all that I can find related to this, so that is why I am kind of confused as to what this does.

What the configuration states is that you are using PAT translation from your inside interface to the DMZ1 interface. The "dynamic" keyword makes it a PAT, and the "obj-0.0.0.0" object is the IP address or addresses used for the PAT. Are you intending to PAT out to the DMZ1? If you are, you can't source traffic from DMZ1 to the inside address behind the PAT. The reason I asked about the object "obj-0.0.0.0" is to see what IP or IPs are configured under that object. You can use the command show run object id obj-0.0.0.0 in order to find out what is being used for the PAT. But it seems like this is configured incorrectly.

 

Please remember to rate useful posts, by clicking on the star below.
-Troy J.
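The answer above explains how to read the rule: the object carrying the nat line is the real (inside) address set, the object named after "dynamic" is the translation pool, and a pool of 0.0.0.0 cannot produce a working translation. The following is an added example (not code from this thread or from Cisco) that turns that check into a small lint for an ASA running-config fragment: it parses object network blocks, resolves each dynamic NAT/PAT rule's pool object, and flags rules whose pool is undefined or resolves to 0.0.0.0. The sample configuration is constructed to mirror the lines quoted in the thread plus two made-up objects (DMZ-WEB, INSIDE-NET) for contrast; the function and object names are my own.

```python
"""Lint an ASA object-NAT fragment for dynamic NAT/PAT rules whose
translation pool is unusable.

Added example, not the thread's or Cisco's code. It assumes the object-NAT
syntax seen in the thread:
    object network <name>
     host <ip> | subnet <net> <mask>
     nat (<src_if>,<dst_if>) dynamic <pool_object> | interface
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three blocks quoted in the thread plus two
# hypothetical objects so the lint has something that passes.
SAMPLE_CONFIG = """\
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj_any-02
 nat (INSIDE,DMZ1) dynamic obj-0.0.0.0
object network DMZ-WEB
 host 10.17.178.22
object network INSIDE-NET
 subnet 10.13.0.0 255.255.0.0
 nat (INSIDE,OUTSIDE) dynamic interface
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) dynamic (\S+)")

# Pool definitions that can never yield a usable mapped address.
UNUSABLE_POOLS = ("host 0.0.0.0", "subnet 0.0.0.0 0.0.0.0")


@dataclass
class NetObject:
    name: str
    address: Optional[str] = None          # "host X" or "subnet X M", as written
    # (src_if, dst_if, pool) for each dynamic nat line under this object
    nats: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_objects(config: str) -> Dict[str, NetObject]:
    """Collect object network blocks; a name that appears twice (as
    obj_any-02 does in the thread) is merged into one object."""
    objects: Dict[str, NetObject] = {}
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = objects.setdefault(line.split()[2], NetObject(line.split()[2]))
        elif current is None:
            continue                       # lines before any object block
        elif line.startswith(("host ", "subnet ")):
            current.address = line
        else:
            m = NAT_RE.match(line)
            if m:
                current.nats.append((m.group(1), m.group(2), m.group(3)))
    return objects


def unusable_pat_rules(objects: Dict[str, NetObject]) -> List[str]:
    """Return one finding per dynamic rule whose pool is missing or 0.0.0.0.
    'dynamic interface' uses the egress interface address and is skipped."""
    findings = []
    for obj in objects.values():
        for src_if, dst_if, pool in obj.nats:
            if pool == "interface":
                continue
            pool_obj = objects.get(pool)
            if pool_obj is None or pool_obj.address is None:
                findings.append(
                    f"{obj.name}: nat ({src_if},{dst_if}) dynamic {pool} "
                    f"references an object with no address")
            elif pool_obj.address in UNUSABLE_POOLS:
                findings.append(
                    f"{obj.name}: nat ({src_if},{dst_if}) dynamic {pool} "
                    f"-> pool is '{pool_obj.address}', PAT is unusable")
    return findings


if __name__ == "__main__":
    for finding in unusable_pat_rules(parse_objects(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it prints a single finding for obj_any-02, which is the rule the thread ended up removing; the INSIDE-NET rule using "dynamic interface" is left alone. Feeding it a real "show run object" and "show run nat" export would require widening the parser to the other NAT forms (static, twice NAT), which this example deliberately does not cover.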

Quick background: the original engineer left the company, so I am new here and I wasn't sure what this is for,

but I did what you asked and got the following:

 

FW-CHOF-INET1# sh run object id obj-0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
FW-CHOF-INET1#

 

We were sourcing from a server within the DMZ to a server in the internal network when I started getting connectivity issues. I removed this statement and connectivity is good now. I was just wondering what this statement does, as it didn't make any sense to me. It looks like it is doing a PAT to nothing.

 

 

 

It did create a PAT, but it was unusable based on the IP address in the object. I'm not sure why the previous engineer would add that configuration. But it's good that everything is working.

 

Please remember to rate useful posts, by clicking on the star below.
-Troy J.

Thank you, Troy, for your help, much appreciated!!!

 

Thank you again and have a great weekend!!!!

 

Thank you 

 

Warren 
