Beginner

NAT reverse path failure

Hello.

I have ASA2 with two VPNs established.

Like: 1st net - ASA1 <-> ASA2 <-> ASA3 - 2nd net

ASA1 - 1st net <-- old-snoopy is here

ASA3 - 2nd net <-- laprise-dns is here

ASA1, ASA2 and ASA3 are connected to each other by L2L VPN tunnels.

I put the following NAT exemption rules into the ASA2 config:

object network laprise-dns
 host 172.28.4.33
object network old-snoopy
 host 150.150.83.58
nat (any,any) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

When I try to access server 'laprise-dns', situated in the second net, from server 'old-snoopy' in the 1st net, the connection fails and I can see the following in the ASA2 logs:

-------

Jun 06 2011 15:37:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:snoopy dst outside:172.28.4.33 (type 8, code 0) denied due to NAT reverse path failure

-------

Could you point me what I did wrong? Config attached.

Thank you.

Cisco Employee

NAT reverse path failure

It would be best to configure an interface-specific NAT statement instead of (any,any), as the IP address overlaps with other NAT statements.

Currently you have:

nat (any,any) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

Please change it to the interface specific:

nat (,outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

Beginner

NAT reverse path failure

Hello Jennifer.

Thank you very much for the advice, but:

this is the ASA2 statement. From ASA2's point of view both old-snoopy and laprise-dns are accessible via outside (because they are behind L2L VPNs).

In this case what is better to use? any,outside?

Please suggest.

Cisco Employee

NAT reverse path failure

Ahh, in that case, just configure the following:

nat (outside,outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

Beginner

NAT reverse path failure

I put in the outside,outside NAT statement, but the attempted connection fails again.

-----------

10 (outside) to (outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns
    translate_hits = 2, untranslate_hits = 0

------------

I see that my connections from old-snoopy are hitting ASA2, but ASA2 still logs this:

--------

Jun 08 2011 10:16:24: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:snoopy/43670 dst outside:172.28.4.33/53 denied due to NAT reverse path failure

Jennifer, what do you think it might be?
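Added example, not code from the thread or from Cisco: a small Python parser for the %ASA-5-305013 "NAT reverse path failure" lines quoted above. It pulls out the protocol, the ingress/egress interface pair and the endpoints, counts failures per flow pair so the offending flow is obvious in a busy syslog, and flags flows whose source and destination sit on the same interface (both "outside:" here, i.e. VPN-to-VPN traffic hairpinning through ASA2). The suggest_twice_nat helper only rebuilds the twice-NAT statement syntax used in this thread from the interface pair the log actually reports; it does not claim that statement alone resolves the failure. The object names passed to it and the third, non-305013 sample line are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two 305013 lines quoted in the thread above,
# plus one unrelated (made-up) connection-built line that the parser must skip.
SAMPLE_LOGS = """\
Jun 06 2011 15:37:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:snoopy dst outside:172.28.4.33 (type 8, code 0) denied due to NAT reverse path failure
Jun 08 2011 10:16:24: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:snoopy/43670 dst outside:172.28.4.33/53 denied due to NAT reverse path failure
Jun 08 2011 10:16:25: %ASA-6-302015: Built outbound UDP connection 12 for inside:10.0.0.1/1024 (10.0.0.1/1024) to outside:172.28.4.33/53 (172.28.4.33/53)
"""

# Matches the 305013 message body for tcp/udp (host/port) and icmp (type, code).
LOG_305013 = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-305013: "
    r"Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[^/ ]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[^/ ]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))? "
    r"denied due to NAT reverse path failure$"
)


@dataclass
class NatRpfEvent:
    timestamp: str
    proto: str
    src_if: str
    src: str
    sport: Optional[int]
    dst_if: str
    dst: str
    dport: Optional[int]
    hairpin: bool  # True when the flow enters and leaves on the same interface


def parse_line(line: str) -> Optional[NatRpfEvent]:
    """Return a NatRpfEvent for a 305013 line, or None for any other line."""
    m = LOG_305013.match(line.strip())
    if not m:
        return None
    return NatRpfEvent(
        timestamp=m["ts"],
        proto=m["proto"],
        src_if=m["src_if"],
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst_if=m["dst_if"],
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        hairpin=(m["src_if"] == m["dst_if"]),
    )


def parse_log(text: str) -> List[NatRpfEvent]:
    """Parse a block of syslog text, keeping only NAT reverse path failures."""
    events = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in events if e is not None]


FlowKey = Tuple[str, str, str, str]  # (src_if, src, dst_if, dst)


def summarize(events: List[NatRpfEvent]) -> Dict[FlowKey, dict]:
    """Count failures per interface/endpoint pair so the broken flow stands out."""
    out: Dict[FlowKey, dict] = {}
    for e in events:
        key = (e.src_if, e.src, e.dst_if, e.dst)
        entry = out.setdefault(key, {"count": 0, "protos": set(), "hairpin": e.hairpin})
        entry["count"] += 1
        entry["protos"].add(e.proto)
    return out


def suggest_twice_nat(event: NatRpfEvent, src_obj: str, dst_obj: str) -> str:
    """Rebuild the identity twice-NAT line from the thread using the interface
    pair the log reports (object names are supplied by the caller)."""
    return (f"nat ({event.src_if},{event.dst_if}) source static {src_obj} {src_obj} "
            f"destination static {dst_obj} {dst_obj}")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOGS)
    for key, info in summarize(evs).items():
        print(key, info)
    print(suggest_twice_nat(evs[0], "old-snoopy", "laprise-dns"))
```

Run it against a real ASA syslog export instead of SAMPLE_LOGS to list every flow pair that is being dropped and whether it is a same-interface hairpin; an (outside,outside) pair in the output is the case discussed in this thread.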