Robert Anderson
Beginner

denied due to NAT reverse path failure

I have an ASA5505 (base license, ASDM 7.1(3), ASA 9.(2)) and am confused about the "denied due to NAT reverse path failure" message.

My IP schema is as follows:

INSIDE = 10.0.1.0/24

DMZ = 172.16.0.0/24

VPN_Pool = 172.16.20.0/24

PROBLEM: VPN users can connect to the ASA but cannot reach anything on the DMZ or LAN.

TRIAGE: I have run the packet tracer with the following output:

ALB-ASA# packet-tracer input inside tcp 172.16.20.2 1234 172.16.0.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   DMZ

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6415, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

QUESTION:

The error received is "...Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.16.20.1/52036(LOCAL\user) dst DMZ:172.16.0.2/3389 denied due to NAT reverse path failure."

What NAT rule(s) must I apply to allow users to access resources on LAN/DMZ?

Current NAT is as follows:

1 (DMZ) to (outside) source dynamic DMZ_NET interface
    translate_hits = 1623, untranslate_hits = 34
    Source - Origin: 172.16.0.0/27, Translated: (MY-real-IP-DELETED)/21
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 2851, untranslate_hits = 121
    Source - Origin: 0.0.0.0/0, Translated: (MY-real-IP-DELETED)/21


THANKS IN ADVANCE FOR HELP!!!

1 ACCEPTED SOLUTION

Accepted Solutions
Marvin Rhoads
Hall of Fame Guru

The address pool for VPN users needs to have a NAT exemption for any DMZ or inside networks they will be using. They appear as outside addresses (even though they are assigned a local private IP address) based on their ingress interface.

As such, without a NAT exemption, return traffic to them is NATted by one of your two NAT rules above (while the incoming traffic was not NATted). Thus the "Asymmetric NAT rules matched for forward and reverse flows" message.

Your packet tracer specified them as inside and thus you got a false positive indication that the traffic would be allowed.


5 REPLIES

Marvin,

  Thank you for getting back to me on this - you were 100% correct!!

I added the following "NAT exemption" rules, which totally resolved my issues!

nat (DMZ,outside) source static DMZ_Net DMZ_Net destination static vpnhosts vpnhosts

nat (inside,outside) source static insidenetwork insidenetwork destination static vpnhosts vpnhosts

Oh, and as you also noted, I re-ran the packet tracer using "inside" instead of "outside" (from the original posting) and also verified the "DROP" before I applied the fix noted above; you were correct that that was what misguided me in the first place. It works (ALLOWED) after the fix, of course.


[...small reminder for others reading this: if you have a base license you cannot attach to both VLANs (inside and DMZ)...you have to choose which network you intend to attach resources to, or buy a license...so don't be confused if you apply these fixes and can't reach one of them (i.e. INSIDE)...]


THANK YOU Marvin !!!!
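The mechanism Marvin describes (the reverse flow matching a dynamic rule that the forward flow never matched) and the two exemption rules Robert added can be checked with the following model. It is an added example, not code from this thread or from Cisco: it reduces the ASA to an ordered list of manual (twice) NAT rules with identity NAT and interface PAT only, uses the /24 networks from the original post for the DMZ_Net, insidenetwork and vpnhosts objects (an assumption, since the objects themselves are not shown), and stands in the placeholder 203.0.113.1 for the redacted public IP. It also shows two things the thread only states in prose: the exemptions must sit above the dynamic rules to take effect, and a packet-tracer run that names "inside" as the ingress interface never touches either dynamic rule, which is why it reported "allow".

```python
"""Toy model of the ASA NAT reverse-path check (constructed example, not Cisco code).

Rules are evaluated top-down, first match wins, and a new connection is only
allowed when the NAT result for the reverse flow agrees with the NAT result
for the forward flow. Only identity NAT and dynamic interface PAT are modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str
    real_if: str
    mapped_if: str
    src_real: IPv4Network
    src_mapped: IPv4Network          # a /32 here stands for "interface" PAT
    dst_real: IPv4Network = ANY
    dst_mapped: IPv4Network = ANY
    dynamic: bool = False            # dynamic rules never untranslate without an existing xlate


@dataclass(frozen=True)
class Flow:
    in_if: str
    out_if: str
    src: IPv4Address
    dst: IPv4Address


def _map(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Identity when both objects are equal, PAT when the mapped object is one address."""
    if from_net == to_net:
        return addr
    if to_net.num_addresses == 1:
        return to_net.network_address
    # static net-to-net: keep the host offset inside the network
    return ip_address(int(to_net.network_address) + int(addr) - int(from_net.network_address))


def apply_rule(rule: NatRule, flow: Flow) -> Optional[Tuple[IPv4Address, IPv4Address]]:
    """(mapped src, mapped dst) if the rule matches this flow's interfaces and objects."""
    if (flow.in_if, flow.out_if) == (rule.real_if, rule.mapped_if):
        # real -> mapped: translate the source, untranslate the destination
        if flow.src in rule.src_real and flow.dst in rule.dst_mapped:
            return (_map(flow.src, rule.src_real, rule.src_mapped),
                    _map(flow.dst, rule.dst_mapped, rule.dst_real))
    elif (flow.in_if, flow.out_if) == (rule.mapped_if, rule.real_if) and not rule.dynamic:
        # mapped -> real: untranslate the destination, translate the source
        if flow.src in rule.dst_real and flow.dst in rule.src_mapped:
            return (_map(flow.src, rule.dst_real, rule.dst_mapped),
                    _map(flow.dst, rule.src_mapped, rule.src_real))
    return None


def translate(rules, flow: Flow):
    """First matching rule wins; no match means the packet passes untranslated."""
    for rule in rules:
        hit = apply_rule(rule, flow)
        if hit is not None:
            return rule.name, hit
    return None, (flow.src, flow.dst)


def reverse_path_ok(rules, fwd: Flow):
    """Return (consistent, forward rule name, reverse rule name) for a new connection."""
    fwd_rule, (client_as_seen_by_server, server_real) = translate(rules, fwd)
    # the server replies from its real address to the client address it saw
    rev = Flow(fwd.out_if, fwd.in_if, server_real, client_as_seen_by_server)
    rev_rule, (server_as_seen_by_client, client_real) = translate(rules, rev)
    consistent = server_as_seen_by_client == fwd.dst and client_real == fwd.src
    return consistent, fwd_rule, rev_rule


OUTSIDE_IP = ip_network("203.0.113.1/32")    # placeholder for the redacted public IP
DMZ_NET = ip_network("172.16.0.0/24")        # assumed contents of DMZ_NET / DMZ_Net
INSIDE_NET = ip_network("10.0.1.0/24")       # assumed contents of insidenetwork
VPN_POOL = ip_network("172.16.20.0/24")      # assumed contents of vpnhosts

ORIGINAL_RULES = [
    NatRule("1 (DMZ,outside) source dynamic DMZ_NET interface", "DMZ", "outside",
            DMZ_NET, OUTSIDE_IP, dynamic=True),
    NatRule("2 (inside,outside) source dynamic obj_any interface", "inside", "outside",
            ANY, OUTSIDE_IP, dynamic=True),
]
EXEMPTIONS = [
    NatRule("nat (DMZ,outside) source static DMZ_Net DMZ_Net destination static vpnhosts vpnhosts",
            "DMZ", "outside", DMZ_NET, DMZ_NET, VPN_POOL, VPN_POOL),
    NatRule("nat (inside,outside) source static insidenetwork insidenetwork destination static vpnhosts vpnhosts",
            "inside", "outside", INSIDE_NET, INSIDE_NET, VPN_POOL, VPN_POOL),
]
FIXED_RULES = EXEMPTIONS + ORIGINAL_RULES    # exemptions above the dynamic rules
WRONG_ORDER = ORIGINAL_RULES + EXEMPTIONS    # same rules below them: still fails

# VPN users enter on "outside" even though their pool address is private
VPN_TO_DMZ = Flow("outside", "DMZ", ip_address("172.16.20.1"), ip_address("172.16.0.2"))
VPN_TO_INSIDE = Flow("outside", "inside", ip_address("172.16.20.1"), ip_address("10.0.1.5"))
# the thread's packet-tracer run, which named "inside" as the ingress interface
MISRUN_TRACER = Flow("inside", "DMZ", ip_address("172.16.20.1"), ip_address("172.16.0.2"))

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES), ("wrong order", WRONG_ORDER)):
        for flow in (VPN_TO_DMZ, VPN_TO_INSIDE):
            ok, f, r = reverse_path_ok(rules, flow)
            print(f"{label:12} {flow.src} -> {flow.dst}: {'allow' if ok else 'NAT reverse path failure'} (fwd={f}, rev={r})")
    print("misrun packet-tracer reports allow:", reverse_path_ok(ORIGINAL_RULES, MISRUN_TRACER)[0])
```

With the original rules the forward VPN-to-DMZ flow matches nothing, but the reply from the DMZ host matches rule 1 and would be PATed to the outside interface address, so the two results disagree. Once the identity rule for DMZ_Net to vpnhosts is placed above rule 1, both directions match it and agree.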

Hi.


I have the same issue. Can I do NAT exemption from the ASDM?


Thanks !!

NAT exemption is also known as Identity NAT. It can be set up in either the CLI or ASDM. Here is a link to the latest ASDM configuration guide section documenting how.

I have this same issue. I am having a problem understanding how I would apply this in my situation. I have a Mikrotik router doing digital certificates connected to the DMZ interface of a 5525-X ASA. I am trying to get the VPN traffic to go through the ASA and hit the LAN (inside). Traffic is not coming from outside but to the DMZ interface through the tunnel. I can ping all the way through the tunnel to the DMZ interface of the ASA and get a response, but nothing beyond, and vice versa. See attached sanitized config.
