06-13-2014 11:46 AM
I have an ASA5505 (base license, ASDM 7.1(3), ASA 9.(2)) and am confused about the "denied due to NAT reverse path failure".
My IP schema is as follows:
INSIDE = 10.0.1.0/24
DMZ = 172.16.0.0/24
VPN_Pool = 172.16.20.0/24
PROBLEM: VPN users can connect to the ASA but cannot reach anything on the DMZ or LAN.
TRIAGE: I have run the packet tracer with the following output:
ALB-ASA# packet-tracer input inside tcp 172.16.20.2 1234 172.16.0.2 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.0.0 255.255.255.0 DMZ
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6415, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow
--------------------- QUESTION?
The error received is "...Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:172.16.20.1/52036(LOCAL\user) dst DMZ:172.16.0.2/3389 denied due to NAT reverse path failure."
What NAT rule(s) must I apply to allow users to access resources on LAN/DMZ?
Current NAT is as follows:
1 (DMZ) to (outside) source dynamic DMZ_NET interface
translate_hits = 1623, untranslate_hits = 34
Source - Origin: 172.16.0.0/27, Translated: (MY-real-IP-DELETED)/21
2 (inside) to (outside) source dynamic obj_any interface
translate_hits = 2851, untranslate_hits = 121
Source - Origin: 0.0.0.0/0, Translated: (MY-real-IP-DELETED)/21
THANKS IN ADVANCE FOR HELP!!!
06-13-2014 04:53 PM
The address pool for VPN users needs to have a NAT exemption for any DMZ or inside networks they will be using. They appear as outside addresses (even though they are assigned a local private IP address) based on their ingress interface.
As such, without a NAT exemption, return traffic to them is NATted by one of your two NAT rules above (while the incoming traffic was not NATted). Thus the "Asymmetric NAT rules matched for forward and reverse flows" message.
Your packet tracer specified them as inside and thus you got a false positive indication that the traffic would be allowed.
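To make the fix concrete, here is an added configuration example (not from the original poster or from Marvin's reply) built on the subnets given in the first post. The object names INSIDE_NET, DMZ_NET and VPN_POOL, the inside host 10.0.1.10 and the test ports are assumptions for illustration. It adds identity (twice) NAT on both the inside and DMZ interfaces toward outside, so the VPN pool is never translated in either direction, and then re-runs packet-tracer from the outside interface, which is where the VPN clients actually enter the firewall.

```cisco
! Added example, not configuration from the thread.  Subnets are from the
! first post; object names, 10.0.1.10 and the ports below are assumed.
object network INSIDE_NET
 subnet 10.0.1.0 255.255.255.0
object network DMZ_NET
 subnet 172.16.0.0 255.255.255.0
object network VPN_POOL
 subnet 172.16.20.0 255.255.255.0
!
! Identity NAT ("NAT exemption"): real and mapped addresses are the same
! for both source and destination, so traffic between the VPN pool and the
! inside/DMZ networks is exempt from the dynamic PAT rules.  Manual (twice)
! NAT rules sit in Section 1 and are evaluated before the object NAT rules
! that produced the asymmetric forward/reverse match.
! no-proxy-arp: the ASA must not answer ARP for the VPN pool on inside/DMZ.
! route-lookup: forward using the routing table, not the NAT egress interface.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (DMZ,outside) source static DMZ_NET DMZ_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Verify from the interface the VPN client really arrives on (outside),
! not from inside as in the original trace.  Without the rules above the
! trace stops at a NAT phase with Subtype: rpf-check and Result: DROP;
! with them the final Action is allow.
packet-tracer input outside tcp 172.16.20.2 1234 172.16.0.2 3389
packet-tracer input outside tcp 172.16.20.2 1234 10.0.1.10 445
!
! The live symptom in the original post is syslog message 305013
! ("Asymmetric NAT rules matched ... denied due to NAT reverse path failure").
show logging | include 305013
show nat detail
```

The order of the interface pair matters: the real address of the VPN client lives on the outside interface, so each rule names the internal interface first and outside second, with the VPN pool as the destination object. `show nat detail` should then report translate_hits climbing on the new Section 1 rules while VPN sessions are active.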
06-13-2014 10:22 PM
Marvin,
Thank you for getting back to me on this - you were 100% correct!!
I added the following "nat exemption" rules, which totally resolved my issues!
nat (DMZ,outside) source static DMZ_Net DMZ_Net destination static vpnhosts vpnhosts
nat (inside,outside) source static insidenetwork insidenetwork destination static vpnhosts vpnhosts
Oh, and as you also noted, I re-ran the packet tracer using "inside" instead of "outside" (from the original posting) and also verified the "DROP" before I applied the fix noted above; you were correct that that was what misguided me in the first place. It works (ALLOWED) after the fix (of course).
[...small reminder for others reading this: if you have a base license you cannot attach to both VLANs (inside and DMZ)...you have to choose which network you intend to attach resources to, or buy a license..so don't be confused if you apply these fixes and can't reach one of them (i.e. INSIDE)...]
THANK YOU Marvin !!!!
09-22-2015 01:58 AM
Hi.
I have the same issue. Can I do NAT exemption from the ASDM?
Thanks !!
09-22-2015 06:43 AM
NAT exemption is also known as Identity NAT. It can be set up in either the CLI or ASDM. Here is a link to the latest ASDM configuration guide section documenting how.
06-22-2020 02:16 PM - edited 06-22-2020 02:17 PM
I have this same issue. I am having a problem understanding how I would apply this in my situation. I have a Mikrotik router doing digital certificates connected to the DMZ interface of a 5525-X ASA. I am trying to get the VPN traffic to go through the ASA and hit the LAN (Inside). Traffic is not coming from outside but to the DMZ interface through the tunnel. I can ping all the way through the tunnel to the DMZ interface of the ASA and get a response, but nothing beyond, and vice versa. See attached sanitized config.
06-09-2021 12:09 AM
This link isn't working.