NAT reverse path failure

Andriy Sidko
Level 1

Hello.

I have ASA2 with two VPNs established,

like this: 1st net - ASA1 <-> ASA2 <-> ASA3 - 2nd net

ASA1 - 1st net <-- old-snoopy is here

ASA3 - 2nd net <-- laprise-dns is here

ASA1, 2 and 3 are connected to each other by L2L VPN tunnels.

I put the following NAT exemption rules in the ASA2 config:

object network laprise-dns
 host 172.28.4.33
object network old-snoopy
 host 150.150.83.58

nat (any,any) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

When I try to access server 'laprise-dns' in the 2nd net from server 'old-snoopy' in the 1st net, the connection fails and I can see the following in the ASA2 logs:

-------

Jun 06 2011 15:37:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:snoopy dst outside:172.28.4.33 (type 8, code 0) denied due to NAT reverse path failure

-------

Could you point me what I did wrong? Config attached.

Thank you.

4 Replies

Jennifer Halim
Cisco Employee

Best would be to configure an interface-specific NAT statement instead of (any,any), as the IP address overlaps with other NAT statements.

Currently you have:

nat (any,any) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

Please change it to the interface specific:

nat (,outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

Hello Jennifer.

Thank you very much for the advice, but

this is the ASA2 statement. From ASA2's point of view both old-snoopy and laprise-dns are reachable via outside (because they are behind the L2L VPN).

In this case what is better to use? any,outside?

Please suggest.

Ahh, in that case, just configure the following:

nat (outside,outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

I put the outside,outside NAT statement in, but the connection attempt fails again.

-----------

10 (outside) to (outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns
    translate_hits = 2, untranslate_hits = 0

------------

I see that my connections from old-snoopy are hitting ASA2, but ASA2 still logs this:

--------

Jun 08 2011 10:16:24: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:snoopy/43670 dst outside:172.28.4.33/53 denied due to NAT reverse path failure

Jennifer what do you think it might be?
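As an added example (not a reply from the thread, and not a confirmed fix for this particular device), the following is the usual ASA 8.3+ layout for a VPN-to-VPN hairpin exemption together with the checks a practitioner would run before asking further. The object names and addresses are those from the thread; the `same-security-traffic permit intra-interface` line, the `packet-tracer` call, and the peer-IP placeholders are added. Two things in the posted output are worth noting: the log shows the source as the name `snoopy`, not the object `old-snoopy`, so the address that name resolves to must actually be 150.150.83.58 or the exemption will never match; and `translate_hits = 2, untranslate_hits = 0` means the forward lookup hits this rule while the reverse lookup (the return flow) is matching some other NAT rule, which is exactly what message 305013 reports.

```cisco
! Objects as posted in the thread
object network old-snoopy
 host 150.150.83.58
object network laprise-dns
 host 172.28.4.33

! Both peers sit behind L2L tunnels that terminate on the same interface,
! so the packet enters and leaves "outside". The ASA drops intra-interface
! traffic unless hairpinning is explicitly allowed (added line, not in the
! thread's config):
same-security-traffic permit intra-interface

! Twice NAT (manual NAT, section 1) identity rule for the hairpinned pair.
! Section 1 rules are evaluated before any object NAT or dynamic PAT on
! both the forward and the reverse lookup, so no other rule should win the
! reverse match once the interfaces and addresses are correct.
nat (outside,outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

! ---- checks, run on ASA2 after applying ----

! 1. The log line prints "snoopy", so a name is defined for that address.
!    Confirm the name maps to 150.150.83.58 and not to some other host.
show names

! 2. The exemption must show hits on BOTH counters once traffic flows.
!    translate_hits > 0 with untranslate_hits = 0 means the return flow is
!    matching a different rule: look at every other rule listing 172.28.4.33
!    or 150.150.83.58, or any dynamic rule that covers "outside".
show nat detail

! 3. Replay the exact denied flow from the syslog message. The output names
!    the NAT rule matched in each direction and the phase of the drop.
packet-tracer input outside udp 150.150.83.58 43670 172.28.4.33 53 detailed

! 4. Both tunnels need crypto ACL entries covering 150.150.83.58 <-> 172.28.4.33
!    in the matching direction (ASA1 side: snoopy -> dns; ASA3 side: dns <- snoopy).
!    <ASA1-peer-ip> and <ASA3-peer-ip> are placeholders for the real peers.
show crypto ipsec sa peer <ASA1-peer-ip>
show crypto ipsec sa peer <ASA3-peer-ip>
```

If `packet-tracer` reports the drop in the NAT phase with two different rules named for the forward and reverse lookups, the fix is to make the competing rule (usually an object NAT or a dynamic PAT on outside) not cover this host pair, rather than to keep changing the interface pair on the exemption.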
