cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1683
Views
5
Helpful
5
Replies

Server got lost from LAN while allowing Internet connectivity

Unit4_cognizant
Beginner
Beginner

Hello Team,

 

Seeking your help with an issue I've been facing deploying a new ASA5555 FW. We have a server behind the LAN interface which is well reachable over Cisco AnnyConnect profile, that server needs also internet connectivity and here is when the issue comes up; after configuring the NAT to allow internet traffic it is no longer reachable over AnyConnect and what I can see in the logs is a kind of asymmetric NAT. 

 

FW details: 

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)151

Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2793 MHz, 1 CPU (8 cores)
ASA: 8546 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB

 

The server is directly connected on LAN interface 

OSLO-ASA01# show arp | in 10.47.20.245
LAN 10.47.20.245 0015.5db3.a9f7 12

 

ACL to allow traffic from this server over the Internet (WAN Interface) 

access-list LAN_access_in extended permit ip host 10.47.20.245 any log

 

NAT to translate source IP to WAN interface IP for Internet traficc 

nat (LAN,WAN) source dynamic 10.47.20.245 interface

 

As soon as that NAT gets applied the internet is allowed to go over the internet but is lost from the LAN (cisco anyconnect) and I can see below error in the logs

 

5Feb 19 202109:01:4430501310.47.200.1LOCAL10.47.20.245 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src WAN:10.47.200.1(LOCAL\Jaime.Viera@unit4.com) dst LAN:10.47.20.245 (type 8, code 0) denied due to NAT reverse path failure

 

Does someone know what would be the issue? I need to have this server (and many others to come up) reachable over the Cisco AnyConnect but also able to have Internet traffic

 

I would be able to provide further config details and logs/debug if needed 

 

Thanks in advance for your help

 

Jaime,    

2 Accepted Solutions

Accepted Solutions

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Unit4_cognizant 

You probably need a NAT exemption rule betweeen the LAN and RAVPN networks, as the traffic is probably being unintentionally being natted.

View solution in original post

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Unit4_cognizant

You need a rule something like this:-

 

nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp 

You may need to amend the interfaces, you will obviously have to amend the groups used. If that fails, provide your configuration and the output of "show nat detail".

 

View solution in original post

5 Replies 5

Unit4_cognizant
Beginner
Beginner

re is a packet-tracer result 

 

OSLO-ASA01# packet-tracer input LAN icmp 10.47.200.2 8 0 10.47.20.245 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7822fa4da0, priority=13, domain=capture, deny=false
hits=4348289, user_data=0x7f781925d3e0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=LAN, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78169efd80, priority=1, domain=permit, deny=false
hits=982379, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=LAN, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.47.20.245 using egress ifc LAN

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_access_in in interface LAN
access-list LAN_access_in extended permit ip any object Corplan
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78177d0860, priority=13, domain=permit, deny=false
hits=813, user_data=0x7f780a483580, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7815c912c0, priority=0, domain=nat-per-session, deny=true
hits=19503, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78171eb830, priority=0, domain=inspect-ip-options, deny=true
hits=15286, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78178264a0, priority=70, domain=inspect-icmp, deny=false
hits=212, user_data=0x7f781945ba90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f78171eb040, priority=66, domain=inspect-icmp-error, deny=false
hits=726, user_data=0x7f78171ea5b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f7817d00520, priority=13, domain=debug-icmp-trace, deny=false
hits=1385, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 10
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7817d00520, priority=13, domain=debug-icmp-trace, deny=false
hits=1386, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f7815c912c0, priority=0, domain=nat-per-session, deny=true
hits=19505, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f78171eb830, priority=0, domain=inspect-ip-options, deny=true
hits=15288, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25809, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Unit4_cognizant 

You probably need a NAT exemption rule betweeen the LAN and RAVPN networks, as the traffic is probably being unintentionally being natted.

Hello Rob,

Thanks for taking a look, that mak sense but I have a pplieda couple of NATs trying to achive this and still same issue, probably I’m doing it wrong.

Would you guide me how to achive this? Any suggestion?

Best regards,

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Unit4_cognizant

You need a rule something like this:-

 

nat (INSIDE,OUTSIDE) source static LAN LAN destination static RAVPN RAVPN no-proxy-arp 

You may need to amend the interfaces, you will obviously have to amend the groups used. If that fails, provide your configuration and the output of "show nat detail".

 

Got to solve the issue now with below NAT

nat (LAN,WAN) source static Corplan Corplan destination static Corplan Corplan no-proxy-arp route-lookup

Corplan is our whole internal network.

Still unclear how it works to be honest, but glad it is working fine, now that server is having internet Access and still rechable through the cisco annyconnect VPN

Thanks so much for your help
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers