12-12-2011 02:39 PM - edited 03-04-2019 02:36 PM
Hello all. I have seen a few of these 305005 threads and they're usually related to NAT and resolved quickly. I have poked around a little, but can't seem to get it right. I'm using the Real-Time Log Viewer in my ASA 5510 and see lots of these 305005 errors between VPN clients and a server. Packet Tracer says it's being stopped at the PAT_POOL dynamic translation to pool 1. I'm not solidly sure of what to change.
Thanks in advance!
Result of the command: "show run"
: Saved
:
ASA Version 8.2(1)
!
hostname HOSTNAME
domain-name DOMAIN.NAME
enable password ************ encrypted
passwd ************* encrypted
!
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.0.0
!
interface Ethernet0/1.160
vlan 160
nameif Guest
security-level 90
ip address 10.160.150.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 4
ip address 192.168.253.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
retries 3
name-server SERVER1
name-server SERVER7
domain-name DOMAIN.NAME
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SERVER6-TCP-3500
service-object tcp eq 3500
object-group network DM_INLINE_NETWORK_1
network-object host SERVER1
network-object host SERVER7
object-group network DM_INLINE_NETWORK_2
network-object host SERVER1
network-object host SERVER7
access-list vpn3000_splitTunnelAcl standard permit 192.168.253.0 255.255.255.0
access-list vpn3000_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list capin extended permit ip host SERVER3 any
access-list capin extended permit ip any host SERVER3
access-list PAT_POOL extended permit ip 192.168.250.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.253.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any host SERVER1 eq smtp
access-list inside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list inside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list inside_access_out extended permit ip 192.168.253.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq https
access-list outside_access_in extended permit tcp any host 1.1.1.1 eq www
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Guest 1500
ip local pool ippool 192.168.250.1-192.168.250.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
global (inside) 1 interface
nat (outside) 1 access-list PAT_POOL outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 192.168.253.0 255.255.255.0
nat (DMZ) 101 0.0.0.0 0.0.0.0
nat (Guest) 101 10.160.150.0 255.255.255.0
static (DMZ,outside) tcp interface 8443 SERVER3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp SERVER1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER7 www netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER7 https netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 https SERVER1 https netmask 255.255.255.255
static (inside,outside) tcp 2.2.2.2 www SERVER1 www netmask 255.255.255.255
static (DMZ,inside) 192.168.253.0 192.168.253.0 netmask 255.255.255.0
static (DMZ,outside) 3.3.3.3 SERVER6 netmask 255.255.255.255
static (inside,DMZ) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_inside in interface DMZ
!
: end
12-13-2011 02:30 AM
Can you please also post the log messages?
12-13-2011 09:32 AM
This log is just 14 seconds long:
Severity | Date | Time | Syslog ID | Source IP | Source Port | Destination IP | Destination Port | Description
3 | Dec 12 2011 | 15:45:04 | 305005 | | | 192.168.250.106 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.106/137
3 | Dec 12 2011 | 15:45:00 | 305005 | | | 192.168.250.98 | | No translation group found for icmp src inside:10.10.70.249 dst outside:192.168.250.98 (type 8, code 0)
3 | Dec 12 2011 | 15:45:00 | 305005 | | | 192.168.250.106 | | No translation group found for icmp src inside:SERVER1 dst outside:192.168.250.106 (type 8, code 0)
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.105 | 6004 | No translation group found for udp src inside:SERVER1/59052 dst outside:192.168.250.105/6004
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.106 | | No translation group found for icmp src inside:SERVER1 dst outside:192.168.250.106 (type 8, code 0)
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.104 | 6004 | No translation group found for udp src inside:SERVER1/59037 dst outside:192.168.250.104/6004
3 | Dec 12 2011 | 15:44:56 | 305005 | | | 192.168.250.105 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.105 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.78 | 6004 | No translation group found for udp src inside:SERVER1/59029 dst outside:192.168.250.78/6004
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.105 | 137 | No translation group found for udp src inside:SERVER1/137 dst outside:192.168.250.105/137
3 | Dec 12 2011 | 15:44:51 | 305005 | | | 192.168.250.86 | 6004 | No translation group found for udp src inside:SERVER1/58708 dst outside:192.168.250.86/6004
3 | Dec 12 2011 | 15:44:47 | 305005 | | | 192.168.250.101 | 6004 | No translation group found for udp src inside:SERVER1/58690 dst outside:192.168.250.101/6004
3 | Dec 12 2011 | 15:44:47 | 305005 | | | 192.168.250.86 | 6004 | No translation group found for udp src inside:SERVER1/58687 dst outside:192.168.250.86/6004
3 | Dec 12 2011 | 15:44:47 | 305005 | | | 192.168.250.79 | 6004 | No translation group found for udp src inside:SERVER1/58671 dst outside:192.168.250.79/6004
12-14-2011 05:49 AM
Please add-
access-list outside_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
let me know after adding this if you still see any logs.
Thanks
Ajay
12-14-2011 10:41 AM
Ajay, thank you for the suggestion. I put that in the configuration but the error is still showing in the logs and the exchange server is unable to contact the 6004 port on the VPN clients.
I'm still a little confused with the issue because we applied that on the outside, NAT'ing the client to itself, but the translation log says the source is the (inside) interface with an (outside) destination [server to client].
I escalated this to cisco TAC and will post their solution after they contact me.
Thanks again for your help.
12-14-2011 11:08 AM
Just wondering why this was used.
global (inside) 1 interface
nat (outside) 1 access-list PAT_POOL outside
Ajay
12-14-2011 11:15 AM
Actually, Cisco TAC put that in last year when I first set the ASA up. It confused me when he put it in, but he's TAC not me, so I went with it.
Funny thing is that in the new SR created for this thread, that's the first thing the engineer asked too.
12-14-2011 12:25 PM
Yeah, that's the first I would remove to make it a little simpler. For sure those logs have to do with NAT not being able to find a NAT rule for the communication.
Thanks
Ajay
12-14-2011 02:03 PM
Removing NAT and allowing the vpn client pool to talk directly to the servers fixed the problem. Kudos to you for finding that! Your help is greatly appreciated.
The engineer explained some scenarios where this PAT config would be used and it reminded me, vaguely, of why it was there a year ago when we had two firewalls and the default route for the network went out the other device. When we changed out devices I forgot why we put that PAT there and just assumed we needed it. We needed it at the time, but that was a while ago. It makes total sense now that I think about it. Now all the traffic goes out this device and the server can't talk to a specific service port on each VPN client through the PAT; that's why the random sequencing worked for all the other traffic.
Anyway, thanks again !
12-15-2011 08:17 AM
Extra information:
******************
The conflict between forward and reverse flows for the traffic was rectified.
PAT implementation is not necessary anymore for the customer deployment.
Problem information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 1 access-list PAT_POOL outside
nat-control
match ip outside 192.168.250.0 255.255.255.0 inside 10.10.0.0 255.255.0.0
dynamic translation to pool 1 (10.10.1.1 [Interface PAT])
translate_hits = 914415, untranslate_hits = 5635
Additional Information:
Forward Flow based lookup yields rule:
out id=0xab959930, priority=2, domain=nat-reverse, deny=false
hits=338576, user_data=0xab9596c0, cs_id=0x0, flags=0x0, protocol=0
src ip=10.10.0.0, mask=255.255.0.0, port=0
dst ip=192.168.250.0, mask=255.255.255.0, port=0, dscp=0x0
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:x dst outside:x denied due to NAT reverse path failure
NAT rpf check should always block traffic if different NAT rules are matched for forward and reverse flows. This may happen when there are conflicting Twice NAT rules configured for different directions.
If a NAT rule is configured, this table shows the reverse of what is listed in the translate table (show asp table classify domain nat). NAT (rpf-check): consider that the source and destination IP of the real (non-translated) packets were flipped, and record what NAT rule that packet would hit (in this reverse direction).
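To make the fix concrete, here is an added illustration (not from the thread, Cisco TAC or Ajay) showing the two 8.2 NAT statements that were removed next to the exemption rules that stay, followed by the verification commands a practitioner would run. Interface names, networks and ACL names are copied from the posted show run; the inside host 10.10.70.249, the source port 59052 and the client 192.168.250.105/6004 are taken from the posted log lines. The packet-tracer and clear xlate commands are standard ASA 8.2 commands; the exact packet-tracer output on this box is an assumption, since only the DROP case was posted.

```cisco
! --- Before: the pair flagged by Ajay and by TAC (as posted) ---
! Clients from the VPN pool arriving on outside and heading for 10.10.0.0/16
! get their source rewritten to the inside interface address (10.10.1.1).
global (inside) 1 interface
nat (outside) 1 access-list PAT_POOL outside
access-list PAT_POOL extended permit ip 192.168.250.0 255.255.255.0 10.10.0.0 255.255.0.0
!
! The same pair of networks in the inside-to-outside direction is NAT-exempt.
! A server -> client flow therefore matches nat 0 on inside, while the flipped
! client -> server flow matches the PAT rule above on outside.  That is the
! asymmetric forward/reverse match packet-tracer reported as the rpf-check
! DROP, seen in the real-time log as 305005 on server-initiated connections.
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.253.0 255.255.255.0 192.168.250.0 255.255.255.0

! --- After: drop the PAT so the VPN pool reaches the servers with real addresses ---
no nat (outside) 1 access-list PAT_POOL outside
no global (inside) 1 interface
no access-list PAT_POOL extended permit ip 192.168.250.0 255.255.255.0 10.10.0.0 255.255.0.0
! The nat 0 exemption rules stay; they already cover 10.10.0.0/16 and the DMZ
! toward the client pool in both directions of the rpf check.  (The
! outside_nat0_outbound rule added during troubleshooting only matches
! 192.168.250.0/24 to itself, so it never covered the failing client->server
! flow.)  Translations built under the old rule keep matching until they time
! out, so clear them after changing NAT.
clear xlate

! --- Verify: the server -> VPN client flow that was logging 305005 ---
! Expected (assumption): the NAT phase now shows the inside nat 0 exemption
! and the final result is ALLOW.
packet-tracer input inside udp 10.10.70.249 59052 192.168.250.105 6004
! And the flipped direction, client -> server, should match the same
! exemption rather than a PAT pool.
packet-tracer input outside udp 192.168.250.105 6004 10.10.70.249 59052
```

The two packet-tracer runs are the manual form of the rpf check the TAC post describes: run the real (untranslated) flow in each direction and confirm both hit the same NAT rule. If the second trace still lands on a dynamic pool, an xlate from the old rule is still present or another nat/global pair on the outside interface is catching the pool.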