09-20-2011 02:42 PM - edited 03-11-2019 02:27 PM
Hello all. I've got an ASA 5510 that has been working like a charm for some time now. Until now we've not had to NAT any resources to the outside. I created network objects for an internal host and an external host. The internal host has to respond to requests on tcp/2001.
The internal host has no problem accessing the internet, but when I attempt to access the internal host from the outside, I get the following:
4 Sep 20 2011 16:20:33 fw_outside_ip 62678 outside_host 2001 Deny tcp src outside:outside_host_ip/62678 dst inside_host:inside_host_ip/2001 by access-group "outside_access_in" [0x0, 0x0]
When I try to use the packet tracer to simulate the outside traffic, I get the following:
5 Sep 20 2011 16:17:41 inside_host 2001 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:outside_host/1065 dst inside_int:inside_host/2001 denied due to NAT reverse path failure
I've gone over my NAT statement and access rule and can't find anything wrong with either. If someone could take a look I'd appreciate it...
Here are the pertinent NAT and access rules...
static (inside_int,outside) tcp interface 2001 inside_host 2001 netmask 255.255.255.255
access-list outside_access_in extended permit tcp host outside_host host inside_host eq 2001
Thanks!
09-20-2011 02:52 PM
Hello Daniel,
As I can see, you are running a version older than 8.3, so in this case you will need to point the ACL at the public IP address (the NATted one).
So if the IP address of the interface is 31.31.31.31, the ACL should be:
access-list outside_access_in extended permit tcp host outside_host host 31.31.31.31 eq 2001
access-group outside_access_in in interface outside
I think this is going to solve your problem. Please let me know if you need anything else.
Best Regards,
Julio
09-20-2011 05:48 PM
Thanks for the reply Julio. I tried changing the destination IP address in the ACL from my inside host to the external IP address of the firewall, and I still get the same denial message. Do you have any other suggestions?
Thanks!
09-20-2011 05:51 PM
Hello Daniel,
Is it possible that you can post the configuration, and the source IP address and the destination IP address of this traffic, in order to take a deeper look into this issue?
Regards
Julio
09-21-2011 08:07 AM
Julio,
Thanks again for your reply. Because this was time-sensitive, I opened a TAC with Cisco and they were able to resolve the issue. As you pointed out, the access rule on the outside interface needed to allow access to the outside interface itself. I was adding the outside interface's IP address through ASDM, which did not work. The Cisco tech added the outside IP address through the CLI, which then showed up in ASDM as the interface by name (outside) instead of IP. I'm not sure yet if specifying it by name in ASDM when adding the rule would have had the same effect, but I'll have to test that.
Your help is greatly appreciated...
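For reference, here is an added example (not from the thread or from Cisco) of the pre-8.3 configuration the thread arrives at, shown beside the 8.3+ equivalent. The interface address 31.31.31.31 is taken from Julio's post; the inside host 192.0.2.10 and outside host 203.0.113.5 are placeholder addresses, and the interface names follow the thread's static statement.

```cisco
! --- Pre-8.3 (the thread's case): on the "outside" interface the ACL is
! --- checked BEFORE the static translation is undone, so the ACL must match
! --- the MAPPED destination, i.e. the outside interface IP, not the inside host.
static (inside_int,outside) tcp interface 2001 192.0.2.10 2001 netmask 255.255.255.255
access-list outside_access_in extended permit tcp host 203.0.113.5 host 31.31.31.31 eq 2001
access-group outside_access_in in interface outside

! --- 8.3 and later equivalent: NAT is undone before the ACL is evaluated, so the
! --- ACL references the REAL (inside) address through the network object instead.
object network inside_host
 host 192.0.2.10
 nat (inside_int,outside) static interface service tcp 2001 2001
access-list outside_access_in extended permit tcp host 203.0.113.5 object inside_host eq 2001
access-group outside_access_in in interface outside

! --- Verification on either version: simulate the inbound flow the way the
! --- thread did and confirm the ACL phase now reads ALLOW rather than DROP.
packet-tracer input outside tcp 203.0.113.5 12345 31.31.31.31 2001
```

The `packet-tracer` output also names the access-list entry that matched, which is the quickest way to tell an ACL denial (the thread's first log message) from the NAT reverse-path failure in its second.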
09-21-2011 09:05 AM
Hello Daniel,
I am glad that now everything is working; as I assumed, the problem was the access-list.
Any other questions, I will be more than glad to help.
Have a great Day,
Julio