Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
783
Views
0
Helpful
6
Replies

Reverse NAT issue

mahesh18
Level 6
Level 6

‎05-11-2018 03:22 PM - edited ‎02-21-2020 07:45 AM

Traffic is flowing from DMZ  where source IP is public and coming to inside on port 1812

 


9 19:28:17 efw-1 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src DMZ86:192.41.x.x/54535 dst inside:10.22.183.102/1812 denied due to NAT reverse path failure

 

How can i fix this?

 

Regards

MAhesh

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎05-11-2018 03:38 PM

Hi,
Can you provide the configuration so we can have a look?
Can you run packet tracer and upload the output.
0 Helpful

mahesh18
Level 6
Level 6
In response to Rob Ingram

‎05-12-2018 09:34 AM

here is packet tracer

 

packet-tracer input DMZ86 udp 192.41.x.x 1024  10.22.183.102 1812

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ86_acl in interface DMZ86
access-list DMZ86_acl extended permit udp host 192.41.x.x host 10.22.183.102 eq 1812 log
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ86,DMZ64) 192.41.148.96 192.41.148.96 netmask 255.255.255.224
nat-control
match ip DMZ86 192.41.148.96 255.255.255.224 DMZ64 any
static translation to 192.41.148.96
translate_hits = 0, untranslate_hits = 33
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 2 0.0.0.0 0.0.0.0
nat-control
match ip inside any DMZ86 any
dynamic translation to pool 2 (192.41.148.97)
translate_hits = 895580, untranslate_hits = 1309
Additional Information:

Result:
input-interface: DMZ86
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Rob Ingram
VIP
VIP
In response to mahesh18

‎05-12-2018 10:01 AM

Please upload the config
0 Helpful

mahesh18
Level 6
Level 6
In response to Rob Ingram

‎05-12-2018 11:33 AM

let me know which specfic config you need 

i can put that as it has lot of config?

0 Helpful

Rob Ingram
VIP
VIP
In response to mahesh18

‎05-12-2018 11:38 AM

Ok, please provide the running config for interfaces, nat, objects, access-list, routes

Can you also upload the output of "show nat"
0 Helpful

mahesh18
Level 6
Level 6
In response to Rob Ingram

‎05-12-2018 11:40 AM

config attached

 

seems i will need no nat from dmz 86 to inside?

Preview file
755 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card