Asymmetric NAT rules denied due to NAT reverse path failure

hicklingp23
Level 1

We have a site-to-site VPN where all traffic from the remote site is tunneled over the VPN, so internet access goes through our ASA (running code 9.1). This traffic hairpins in and out of the same (outside) interface.


The VPN is up and working fine; I can ping devices on the remote side with no problem from an internal device on our side. But when trying to ping an external IP from a PC on the remote side, I'm seeing "Asymmetric NAT rules denied due to NAT reverse path failure" in the logs. To me this means the traffic is traversing the VPN tunnel but NAT is then getting in the way. The NAT config is:

No-NAT statement for the encryption domain:
nat (inside,outside) source static OBJGRP-FOR-VPN OBJGRP-FOR-VPN destination static OBJ-192.168.xxx.xxx_27 OBJ-192.168.xxx.xxx_27 no-proxy-arp route-lookup
where OBJGRP-FOR-VPN contains all internal IP addresses


Dynamic NAT:
object network OBJ-NAT_CATCH_ALL
 nat (any,outside) dynamic 37.xxx.xxx.xxx
where OBJ-NAT_CATCH_ALL is subnet 0.0.0.0 0.0.0.0


Thanks in advance.


3 Replies

Bogdan Nita
VIP Alumni

NAT RPF checks that traffic forwarded using a NAT rule will use the same rule when returning.

I am guessing you have another NAT rule configured which is causing you problems.

You should check the other rules configured; you can also try to change the NAT rule order using the seq number (by default manual NATs come before object NAT).

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-technote-nat-00.html#anc8

https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050


HTH

Bogdan
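To make the ordering and reverse-path point above concrete, here is an added Python model (not from this thread and not Cisco's code) of a NAT table evaluated in section order (manual, object, after-auto) with the "reply must select the same rule" check. The addresses are constructed placeholders, the model ignores ports and route lookups, and the overlapping server-static rule is hypothetical and is not in the poster's configuration; it only shows how an earlier rule with an overlapping mapped address can be selected on the reverse path and how moving it after-auto changes the result.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    name: str
    section: int      # 1 = manual (twice) NAT, 2 = object (auto) NAT, 3 = manual after-auto
    seq: int          # order inside the section
    src_if: str       # 'any' matches every interface
    dst_if: str
    real_src: str     # original source network
    mapped_src: str   # translated source (same as real_src for identity NAT)
    real_dst: str = "0.0.0.0/0"   # destination condition of a twice-NAT rule

def _in(ip: str, net: str) -> bool: return ip_address(ip) in ip_network(net)
def _iface(rule_if: str, pkt_if: str) -> bool: return rule_if == "any" or rule_if == pkt_if

def lookup(rules, ingress, egress, src, dst, reverse=False) -> Optional[Rule]:
    """First rule in NAT-table order (section, then seq) matching the flow.
    reverse=True evaluates the reply: interfaces are swapped and dst is a mapped address."""
    for r in sorted(rules, key=lambda r: (r.section, r.seq)):
        if reverse:
            hit = (_iface(r.dst_if, ingress) and _iface(r.src_if, egress)
                   and _in(src, r.real_dst) and _in(dst, r.mapped_src))
        else:
            hit = (_iface(r.src_if, ingress) and _iface(r.dst_if, egress)
                   and _in(src, r.real_src) and _in(dst, r.real_dst))
        if hit:
            return r
    return None

def rpf_check(rules, ingress, egress, src, dst) -> str:
    """'ok' when the reply selects the forward rule again; otherwise name both rules."""
    fwd = lookup(rules, ingress, egress, src, dst)
    if fwd is None:
        return "no-nat"
    mapped = src if fwd.real_src == fwd.mapped_src else str(ip_network(fwd.mapped_src)[0])
    rev = lookup(rules, egress, ingress, dst, mapped, reverse=True)
    if rev == fwd:
        return "ok"
    return f"asymmetric: forward={fwd.name} reverse={rev.name if rev else 'none'}"

# Constructed rules modelled on the thread; the addresses are placeholders, not the poster's.
IDENTITY = Rule("vpn-identity", 1, 1, "inside", "outside", "10.0.0.0/8", "10.0.0.0/8", "192.168.100.0/27")
CATCH_ALL = Rule("catch-all-pat", 2, 1, "any", "outside", "0.0.0.0/0", "198.51.100.1/32")
# Hypothetical manual static rule whose mapped address overlaps the PAT address (not in the thread).
OVERLAP = Rule("server-static", 1, 2, "any", "any", "10.1.1.5/32", "198.51.100.1/32")
HAIRPIN = ("outside", "outside", "192.168.100.10", "203.0.113.5")  # remote-site host to the internet

if __name__ == "__main__":
    print(rpf_check([IDENTITY, CATCH_ALL, OVERLAP], *HAIRPIN))  # asymmetric: forward=catch-all-pat reverse=server-static
```

With only the two rules from the thread the hairpin flow passes the check in this model; it fails once the overlapping section-1 rule is present, and passes again when that rule is moved to section 3 (after-auto), which is the reordering the reply suggests trying.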

Thanks Bogdan. All other auto NAT statements are inside or dmz to outside, so I don't think they'd conflict. There is an outside-to-outside manual NAT statement, but that only NATs the remote access VPN IP pool, which is on a different IP range to the remote IP range of the L2L VPN.


Any other ideas?


Cheers 


Also, when I do a show xlate I see entries for the remote-side IP addresses NAT'd to the external IP of the correct (catch-all) NAT statement.