NAT Assistance

willb1 · ‎07-26-2023

Hi. I have a virtual Firepower Management Center and an FTD-1010 on which I've configured a site-to-site VPN for SIP traffic.

The tunnel is up and I have a NAT rule configured but, when I perform a packet trace, I'm getting the error:

Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched

I have the NAT rules below configured:

Source - 10.107.3.4
Destination - 172.26.200.5

NAT Rule 1
NAT Rules before, Manual NAT Rule, Static
Source Interface: Inside
Destination Interface: Outside

Translation
Original Source: 10.107.3.4
Original Destination: 172.26.200.5

Translated Source: 10.107.3.4
Translated Destination: 172.26.200.5


NAT Rule 2
NAT Rules after, Manual NAT Rule, Dynamic
Source Interface: Inside
Destination Interface: Outside

Translation
Original Source: any
Original Destination:

Translated Source: Destination Interface IP
Translated Destination:

MHM Cisco World · ‎07-26-2023

10.107.3.4

107 not 100 so this NAT is not exception NAT and I think it make traffic drop

willb1 · ‎07-26-2023

That was a typo, I corrected it.

MHM Cisco World · ‎07-26-2023

Can i see packet tracer of this traffic

Also you test icmp are you enable icmp inspection

Flavio Miranda · ‎07-26-2023

Hi @willb1

Sounds like asymmetric traffic. How your topology looks like?

willb1 · ‎07-26-2023

Thank you all for the responses. I was initially running the packet trace for 10.107.3.4 > 172.26.200.5 but, when I switched it around to 172.26.200.5 > 10.107.3.4 I could see that there was a Snort rule blocking the traffic. I added a prefilter rule to FastPath the traffic and that resolved the problem.

Thanks again!

MHM Cisco World · ‎07-26-2023

You are so welcome friend

Have a nice summer

MHM