05-09-2012 03:34 PM - edited 03-11-2019 04:04 PM
Using ASA 8.2(5)
I'm trying to figure out how to allow traffic from a host on Vlan2 to Vlan1 using the public address that is NAT'd on the outside interface to a device on Vlan1.
Desired traffic flow
10.100.8.123 (vlan2) ====> 50.50.50.50 (public address) ====> 10.100.1.122 (vlan1)
Current Config
!
interface Vlan1
nameif vlan1
security-level 100
ip address 10.100.1.254 255.255.255.0
!
interface Vlan2
nameif vlan2
security-level 100
ip address 10.100.8.254 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address 192.168.50.75 255.255.255.0
static (vlan1,outside) 50.50.50.50 10.100.1.122 netmask 255.255.255.255
global (outside) 101 interface
access-group out_acl in interface outside
nat (vlan1) 0 access-list inside_outbound_nat0_acl
nat (vlan1) 101 0.0.0.0 0.0.0.0
nat (vlan2) 0 access-list inside_outbound_nat0_acl
nat (vlan2) 101 0.0.0.0 0.0.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list out_acl extended permit icmp any host 50.50.50.50 object-group ping log
access-list out_acl extended permit tcp any host 50.50.50.50 object-group Ports-Servers-PVO
object-group service Ports-Servers-PVO tcp
port-object eq www
port-object eq https
port-object eq 3389
As you can see in the above config, traffic can flow directly from vlan2 to vlan1 (and back), and outside traffic can access 10.100.1.122 through the translated address 50.50.50.50. These functions are working, but when vlan2 tries to access 10.100.1.122 on vlan1 through the public (50.50.50.50) address, the error message below is logged:
305013 172.20.1.1 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.8.123 dst vlan1:172.20.1.1 (type 8, code 0) denied due to NAT reverse path failure
Please help! Like all things Cisco, I feel like the solution would be simple yet far away.
05-09-2012 03:44 PM
Hi Pete,
You need to add these:
static (vlan1,vlan2) 50.50.50.50 10.100.1.122
same-security-traffic permit inter-interface
This should work.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-10-2012 07:43 AM
Thank you Varun, I added this line to the config:
static (vlan1,vlan2) 50.50.50.50 10.100.1.122
And verified that this line was already in the config:
same-security-traffic permit inter-interface
I've also added this ACL
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0
But the same error message below was generated when I tried to ping 172.20.1.1 from the 10.100.8.0 network:
305013 50.50.50.50 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.100.8.123 dst vlan1:50.50.50.50 (type 8, code 0) denied due to NAT reverse path failure
What am I missing to make this work? (I ran the clear xlate command after making these changes).
05-10-2012 08:17 AM
Hi Pete,
Please post:
show run static
show run route
show access-list inside_outbound_nat0_acl
Anyway, if you want this traffic to get NAT-ed, it will not happen for sure if you add the flow to the NAT exempt ACL.
Dan
05-10-2012 08:30 AM
This is the output from the sh run static. I used 50.50.50.50 in my example to represent what is 172.20.1.1 in the static entries below.
static (vlan1,outside) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
static (vlan1,vlan2) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
sh run route
route outside 0.0.0.0 0.0.0.0 192.168.50.1 1
sh run access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.0.0.0 255.0.0.0 172.20.0.0 255.255.0.0
Can you help me understand what this means?
"Anyway, if you want this traffic to get NAT-ed, it will not happen for sure if you add the flow to the NAT exempt ACL."
Are you saying that I need to add a flow to the NAT exempt ACL?
05-10-2012 08:58 AM
Pete, first of all:
"Anyway, if you want this traffic to get NAT-ed, it will not happen for sure if you add the flow to the NAT exempt ACL." / "Are you saying that I need to add a flow to the NAT exempt ACL?"
No, I am saying that you should not add this traffic (10.100.8.0/24 -> 10.100.1.0/24) to the NAT exemption.
This is what I saw in your initial config:
nat (vlan1) 0 access-list inside_outbound_nat0_acl
nat (vlan2) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0
You must reconfigure your static statement:
no static (vlan1,vlan2) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
static (vlan1,vlan2) 50.50.50.50 10.100.1.122 netmask 255.255.255.255
Dan
05-10-2012 11:08 AM
Dan, I think you did not understand what I was saying when I said "I used 50.50.50.50 in my example to represent what is 172.20.1.1 in the static entries below". The 50.50.50.50 address was only used as an example so that it would be apparent that I was trying to route traffic from an inside vlan to a public address on the ASA which is NAT'd to another address on the inside. Instead of the 50.50.50.50 address, I am actually using 172.20.1.1, so my config looks like this:
Current Config
!
interface Vlan1
nameif vlan1
security-level 100
ip address 10.100.1.254 255.255.255.0
!
interface Vlan2
nameif vlan2
security-level 100
ip address 10.100.8.254 255.255.255.0
!
interface Vlan200
nameif outside
security-level 0
ip address 192.168.50.75 255.255.255.0
static (vlan1,outside) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
static (vlan1,vlan2) 172.20.1.1 10.100.1.122 netmask 255.255.255.255
global (outside) 101 interface
access-group out_acl in interface outside
nat (vlan1) 101 0.0.0.0 0.0.0.0
nat (vlan2) 101 0.0.0.0 0.0.0.0
nat (outside) 0 access-list inside_outbound_nat0_acl
access-list inside_outbound_nat0_acl extended permit ip 10.100.8.0 255.255.255.0 10.100.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.100.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list out_acl extended permit tcp any host 10.100.1.122
access-list out_acl extended permit icmp any host 172.20.1.1 object-group ping log
access-list out_acl extended permit tcp any host 172.20.1.1 object-group Ports-Servers-PVO
object-group service Ports-Servers-PVO tcp
port-object eq www
port-object eq https
port-object eq 3389
My question is: How can I allow 10.100.8.0/24 on vlan2 access to 172.20.1.1 (which is the public address NAT'd to the vlan1 address 10.100.1.122)? What in my configuration needs to be changed/added?
I tried removing the two ACL entries from the inside_outbound_nat0_acl but that only caused the traffic between vlan1 and vlan2 to quit working, it did not help with allowing vlan2 access to the 172.20.1.1 address.
Thanks
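A diagnostic step that is not part of the thread (added here, not from any poster): on ASA 8.2, packet-tracer reports which NAT rule the forward flow and the reverse flow each match, which is exactly what the 305013 "asymmetric NAT rules" check compares. The commands use the interface names and addresses from Pete's posted config; ICMP type/code 8/0 is an echo request and 0/0 an echo reply.

```cisco
! Forward flow: the vlan2 host pinging the mapped address, as in the 305013 log line
packet-tracer input vlan2 icmp 10.100.8.123 8 0 172.20.1.1 detailed

! Reverse flow: the real server on vlan1 replying to the vlan2 host
packet-tracer input vlan1 icmp 10.100.1.122 0 0 10.100.8.123 detailed

! Compare the NAT phase of the two traces: the rule each one names must map
! 10.100.1.122 <-> 172.20.1.1 on the (vlan1,vlan2) pair, and the forward trace's
! egress interface must be vlan1, not outside. A forward hit on the nat 0 ACL
! with a reverse hit on the static is the asymmetric condition the log reports.

! Translations currently built and the NAT/static rules in effect
show xlate
show running-config nat
show running-config static
```

Re-run the two traces after each NAT change (and a clear xlate) so the comparison reflects the new rules rather than a stale translation.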