10-15-2014 08:41 PM - edited 03-11-2019 09:56 PM
Hi
I have an ASA firewall configured with VLANs. All this while the configuration was OK and each server (VM) was able to ping the others.
Then we started to configure NAT in the firewall. Somehow (2 days ago) we realized that there is one server that we can't ping from the other internal servers.
The other servers are OK.
I have 4 VLANs (12, 20, 30, 50).
I checked the ASA log and found this:
"5 Oct 16 2014 11:38:48 10.1.12.30 10.1.20.2 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src VLAN12:10.1.12.30 dst VLAN20:10.1.20.2 (type 8, code 0) denied due to NAT reverse path failure"
What could be the NAT rules that prevent the ICMP?
================================================
ASA Version 9.1(2)
!
hostname ASHFW01
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 110.74.132.50 255.255.255.248
!
interface GigabitEthernet0/1
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/1.1
vlan 12
nameif VLAN12
security-level 100
ip address 10.1.12.254 255.255.255.0
!
interface GigabitEthernet0/1.2
vlan 20
nameif VLAN20
security-level 100
ip address 10.1.20.254 255.255.255.0
!
interface GigabitEthernet0/1.3
vlan 30
nameif VLAN30
security-level 100
ip address 10.1.30.254 255.255.255.0
!
interface GigabitEthernet0/1.4
vlan 50
nameif VLAN50
security-level 100
ip address 10.1.50.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup VLAN12
dns domain-lookup VLAN20
dns domain-lookup VLAN30
dns domain-lookup VLAN50
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TerminalServer-RDP
host 10.1.12.13
object network Exch-SMTP
host 10.1.20.2
object network Exch-POP3
host 10.1.20.2
object network Exch-SMTPS
host 10.1.20.2
object network ExchServer-RDP
host 10.1.20.2
object network MgmtSvr-RDP
host 10.1.12.30
object network Exch-SMTP1
host 10.1.20.2
object network Exch-HTTP
host 10.1.20.2
object network Portal
host 10.1.12.14
description Portal
object service Portal80
service tcp source eq www destination eq www
description Portal80
object service SalesMobile9090
service tcp destination eq 9090
description SalesMobile9090
object network MgmtSvr
host 10.1.12.30
object network TerminalServer
host 10.1.12.13
object network ExchServer
object network ExchSvr
host 10.1.20.2
object service smtp2
service tcp destination eq 587
object network SalesMobile
host 10.1.12.14
description SalesMobile
object-group service rdp tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object object ExchSvr
network-object object MgmtSvr
network-object object TerminalServer
object-group service Exch-Services
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object object smtp2
service-object tcp destination eq smtp
access-list outside_access_in extended permit icmp any4 any
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group rdp
access-list outside_access_in extended permit object-group Exch-Services any object ExchSvr
access-list outside_access_in extended permit tcp any object Portal eq www
access-list outside_access_in extended permit object SalesMobile9090 any object SalesMobile
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu VLAN12 1500
mtu VLAN20 1500
mtu VLAN30 1500
mtu VLAN50 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any VLAN12
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network TerminalServer-RDP
nat (VLAN12,outside) static 110.74.132.51 service tcp 3389 3389
object network Exch-SMTP
nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp
object network Exch-POP3
nat (VLAN20,outside) static 110.74.132.52 service tcp https https
object network Exch-SMTPS
nat (VLAN20,outside) static 110.74.132.52 service tcp 587 587
object network ExchServer-RDP
nat (VLAN20,outside) static 110.74.132.52 service tcp 3389 3389
object network MgmtSvr-RDP
nat (VLAN12,outside) static 110.74.132.53 service tcp 3389 3389
object network Exch-SMTP1
nat (VLAN20,outside) static 110.74.132.52 service tcp pop3 pop3
object network Exch-HTTP
nat (VLAN20,outside) static 110.74.132.52 service tcp www www
object network Portal
nat (VLAN12,outside) static 110.74.132.51 service tcp www www
object network MgmtSvr
nat (any,any) static 110.74.132.53
object network ExchSvr
nat (any,any) static 110.74.132.52
object network SalesMobile
nat (VLAN12,outside) static 110.74.132.51 service tcp 9090 9090
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
==============================================================
10-15-2014 09:34 PM
Hi,
You can run this packet tracer on the ASA device to check:-
packet input VLAN12 icmp 10.1.12.30 8 0 10.1.20.2 det
Thanks and Regards,
Vibhor Amrodia
10-15-2014 09:55 PM
This is what I get
======================
10-15-2014 10:03 PM
Hi,
NAT statement is the issue:-
10-15-2014 11:10 PM
I see now,
object network ExchSvr
nat (any,any) static 110.74.132.52
Once I removed the nat (any,any) static 110.74.132.52, I'm able to ping the destination.
The NAT above is actually there so I can ping the public IP 110.74.132.52 from external.
If I remove the NAT command above, how can I still ping the public IP 110.74.132.52 from external?
10-15-2014 11:14 PM
Hi,
You still need that NAT, but with specific interface names in the NAT configuration.
object network ExchSvr
nat (VLAN20,outside) static 110.74.132.52
This should still help you to ping the Public IP from the internet.
Thanks and Regards,
Vibhor Amrodia
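As an added check (example code, not from the thread, the poster's config or Cisco), a small Python script that parses the object NAT section of an ASA running-config, flags static rules written as nat (any,any) like the ExchSvr one above, and rewrites them with explicit interfaces the way the accepted answer does. The object-to-interface map handed to pin_interfaces is an assumption the operator supplies from the interface subnets; the embedded config is a constructed excerpt of the one quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the object-NAT section quoted in the thread
# (indentation added for readability; the parser accepts both forms).
SAMPLE_CONFIG = """\
object network Exch-SMTP
 nat (VLAN20,outside) static 110.74.132.52 service tcp smtp smtp
object network MgmtSvr
 nat (any,any) static 110.74.132.53
object network ExchSvr
 nat (any,any) static 110.74.132.52
object network SalesMobile
 nat (VLAN12,outside) static 110.74.132.51 service tcp 9090 9090
"""

OBJ_RE = re.compile(r"^\s*object network (\S+)\s*$")
NAT_RE = re.compile(
    r"^\s*nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) (?P<kind>static|dynamic) (?P<addr>\S+)"
)

def parse_object_nat(config: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (object, real_if, mapped_if, kind, mapped_addr) for each object NAT line."""
    rules, current = [], None
    for line in config.splitlines():
        m_obj = OBJ_RE.match(line)
        if m_obj:
            current = m_obj.group(1)
            continue
        m = NAT_RE.match(line)
        if m and current:
            rules.append((current, m["real"], m["mapped"], m["kind"], m["addr"]))
    return rules

def find_any_any_static(config: str) -> List[str]:
    """Objects whose static NAT uses 'any' for both interfaces. Such a rule is also
    evaluated for VLAN-to-VLAN flows, which is what produced the reverse path
    failure in the thread (ping to 10.1.20.2 worked once the rule was removed)."""
    return [obj for obj, real, mapped, kind, _ in parse_object_nat(config)
            if kind == "static" and real == "any" and mapped == "any"]

def pin_interfaces(config: str, real_if: Dict[str, str], mapped_if: str = "outside") -> str:
    """Rewrite '(any,any)' to '(<real>,<mapped>)' for the objects listed in real_if,
    the fix given in the accepted answer. Objects not in real_if are left untouched."""
    out, current = [], None
    for line in config.splitlines():
        m_obj = OBJ_RE.match(line)
        if m_obj:
            current = m_obj.group(1)
        elif current in real_if and "nat (any,any)" in line:
            line = line.replace("(any,any)", f"({real_if[current]},{mapped_if})")
        out.append(line)
    return "\n".join(out) + "\n"
```

Running find_any_any_static over the excerpt reports MgmtSvr and ExchSvr, the two objects whose static NAT lacks interface names; after pin_interfaces the ExchSvr line reads exactly like the one in the accepted answer.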