Cisco Firewall :: 5510 Asymmetric NAT Rules Matched For Forward And Reverse Flows
Jul 29, 2012
I am seeing the following error on my Cisco ASA 5510 running 8.4(4):Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.8/1798 dst inside:10.1.0.14/25 denied due to NAT reverse path failure .Doing research I see there are plenty of nonat statements regarding connecting from one interface to another, but why am I seeing this error on the same interface.All our servers are connected via a Cisco 3750G switch with a very basic config. Why is the firewall interjecting itself and causing these issues?
View 8 Replies
ADVERTISEMENT
May 6, 2013
I am new to ASA's and have just configured my 5505 out the box with an outside (10.10.1.7) + inside (192.168.1.1) IP & NAT. The ASA has got a default route to another router (default geteway) thats connected to the internet. I have it connected this way so I can play and **** around with the ASA. My problem is when I try and ping a host on the ASA inside network (192.168.1.0/24) from the outside (10.10.1.0/24) I'm getting the following error: 5May 07 201316:38:36305013192.168.1.6Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.1.22 dst inside:192.168.1.6 (type 8, code 0) denied due to NAT reverse path failure The recommendation from the syslog details is:"When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address". Beliw is my config:
interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1nameif insidesecurity-level 100ip address 192.168.1.1 255.255.255.0!interface Vlan2nameif outsidesecurity-level 0ip address 10.10.1.7 255.255.255.0!boot system disk0:/asa842-k8.binftp mode passiveclock timezone EST -5clock summer-time EDT recurringdns domain-lookup insidedns domain-lookup outsidedns server-group DefaultDNSname-server 10.10.1.1object network obj_anysubnet 0.0.0.0 0.0.0.0object network obj_net_Insidesubnet 192.168.1.0 255.255.255.0object network Outside_globalhost 10.10.1.6access-list outside_access_in extended permit icmp any any echo-replyaccess-list outside_access_in extended permit icmp any any source-quenchaccess-list outside_access_in extended permit icmp any any unreachableaccess-list outside_access_in extended permit icmp any any time-exceededaccess-list
[code]....
View 8 Replies
View Related
Nov 11, 2012
Having a problem with a VPN site trying to communicate to a subnet off my ASA 5505. The network is simple, VPN IPSEC remote site is 192.168.6.0/24 and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) to 192.168.9.0/24 (called Inside) [code]
View 2 Replies
View Related
Sep 13, 2010
I have a problem with a Site-to Site VPN connection between two ASA 5505 (ASA 8.2, ASDM 6.2). I have build the configuration on both devices [URL] . Under "Specifying Hosts and Networks / Remote Network" i use not the external ip of remote Site, i use the internal networks ( 10.0.1.0 and 10.0.2.0 ). I need connetion to two remote internal networks ( from 10.0.0.0 to 10.0.1.0 and 10.0.2.0 ). The Tunnel (Phase1 and Phase 2) comes up when i ping a host of the second (10.0.2.x) remote network, but a ping is not possible. Syslog says "Asymmetric NAT rules matched for forward and reverseflows; Connection for icmp src outside: 10.0.0.x dst dmz:10.0.1.x (type8, code 0) denied due to NAT reverse path failure ". On both Sites VPN connections with Cisco VPN Clients are possible.
View 5 Replies
View Related
Jul 4, 2012
I am trying to lock down the VPN access on my Cisco 5520 ASA's whereby I wish not to allow users to SSH access etc on servers running on the same interface that they are VPNing into.
I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.
5 Jul 05 2012 09:45:15 305013 monitoringsystem Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure
As a workaround I created a NAT exempt rule which then allowed traffic to the server in question however I wish to limit the traffic to only ICMP and when I do this in the firewall it does not take affect. Is this because of the NAT exempt rule?
View 1 Replies
View Related
Nov 30, 2011
I have an ASA 5510 running version 7.0. I have a problem with an exchange server using a static map and its outbounc connectivity. It connects outbound through the global address even though inbound connectivity works fine through the static mapping. The recent changes are changing of the zero route through a different interface (there are to circuit connected to this ASA on different interfaces). So the idea was to get all workstations in the office using the global address and routing out through one circuit, and the servers connecting in/out through the other circuit. Shouldn't a static mapping ignore what the zero route is?
Here are what I believe to be the relevant configs.
interface Ethernet0/0
description New 6mb circuit
speed 100
[Code]....
So exchang2 server can be connected to from the outside properly via IP xxx.207.51.231/exchange2-outside, but all outbound connections from this server are going out via IP xxx.122.47.218/circuit-6mb as do all the workstations due to the global address statement.
View 2 Replies
View Related
Jan 24, 2012
I have the need to do an outbound NAT redirection. So what I mean is this. I have a custom program that uses SSH to port 22 from a server inside the ASA firewall. This goes out to a server on the Internet over port 22. The ISP of the SSH server told me that they changed their SSH port from 22 to 2102. So instead of changing the custom code on the developed application on the server... I thought it would be easier to do a OUTBOUND NAT redirection for the ASA to see port 22 from the server and redirect it OUTBOUND to port 2102.
so for example:
The server is at 192.168.0.2 and it uses a program to initiate SSH traffic to 205.246.1.1. The server sends to port 22 but I need it automatically changed on the firewall to port 2201 at 205.246.1.1.
It is a Cisco ASA 5510. The server at 192.168.0.2 does have a fixed IP address on the outside with INBOUND NAT for things like port 25 (mail) traffic etc. Lets pretend that was at 64.18.23.60.
View 1 Replies
View Related
Aug 13, 2012
When i create a rule and enable icmp in ASA inside to outside direction to testing purpose, but I can't ping outside address ,
access-list ICMP extended permit icmp any any
access-group ICMP in interface inside
LOGG:::
ping 8.8.8.8
%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)
%ASA-3-106014: Deny inbound icmp src outside:122.255.3.1 dst inside:202.124.160.1 (type 0, code 0)
then I have permitted icmp for return path then it works, configs and logs are followed,
access-list ICMP extended permit icmp any any
access-group ICMP in interface outside
LOGG:::
ping 8.8.8.8
%ASA-6-302020: Built inbound ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14
%ASA-6-302021: Teardown ICMP connection for faddr 122.255.3.1/0 gaddr 202.124.160.1/14 laddr 192.168.1.1/14
View 1 Replies
View Related
Feb 9, 2012
I have a rule which permits traffic to a web server and logging is enabled. But when I go to syslog I am only seeing traffic which has been denied. What needs to change to be able to see the logged traffic on permit rules?
View 1 Replies
View Related
Dec 20, 2012
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
View 2 Replies
View Related
Oct 11, 2011
i´m trying to make a traditional port forward (http to http) on our new asa5510. Previous releases off 5505 and software prior 8.3 was no problem. Could someone tell me how do it in new 8.4 version? I ám a rookie on the new ASA series!
If nothing makes sense in this configuration please give example on how to do it correct. The object on the inside is SRV02 wich is running a webserver on port 80. So i want to open upp for http on outside interface and forward that traffic to srv02 (inside webserver)
View 16 Replies
View Related
Sep 8, 2010
Successfully creating a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?I have spend hours now trying, but I'm still unsuccessful.What I want is a simple: "if this particular ip-adress hits the wan interface on this tcp-port redirect to this inside ip-address on this tcp-port.I have never had any trouble on any other firewall creating something like this, but the ASA is killing me.
View 10 Replies
View Related
Dec 27, 2011
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
View 3 Replies
View Related
Mar 14, 2012
over my port forward GUI in my new linksys x3000. When I try to save any new port forward rules (new or using predefined), the setting are not saved when I get back to the configuration screen again. Nothing seems to get configured.
Have just uppgraded firmware to v1.0.01, but no difference.
View 2 Replies
View Related
Jun 7, 2013
We have several L2L tunnels with remote networks that access networks inside. I am using object-groups to define the networks, then using the same object-groups in the twice-nat so the networks are accessible. For example:
Remote Network - 192.168.1.0/24 defined as object "RemoteA"
Inside Subnet - 10.1.1.0/24 defined as object "LocalA"
object-group network RemoteVPN
network-object object RemoteA
network-object object RemoteB
etc....etc..
[code]....
I receive the "Asymmetric NAT rules matched for forwared and reverse flows" error, inidcating Source of "RemoteA" IP and destination of "LocalA" IP. Typically this indicates a missing twice-nat; however they are in the object-groups that are a part of the twice-nat specified above. The only way I have been able to clear the errors is to create a new twice-nat using the individual subnet objects. If I do a "show nat object-group LocalVLANS detail", all the subnets are displayed accordingly.
I have many twice-nat statements using object-groups, and working for over a year now. I only started recently having issues with this error; and am concerned it is related to some cap on using object-groups in twice-nat.
View 10 Replies
View Related
Apr 28, 2011
Connection denied due to NAT reverse path failure
View 2 Replies
View Related
May 26, 2011
Do you know if it is possible to filter TOIP flows between call server (Siemens technology) and phones ?Specialy, PIX is able to support dynamic ports opening?? Is there an ALG embeded?Is it required to upgrade PIX or not? is required a special licence??
View 1 Replies
View Related
Feb 10, 2013
I have 2 data centers conencted via WAN and each has their own Internet conenction. One of the site's Internet is close to maximum bandwidth and we want to use the second site's Internet for future connections. The problem is the core switches in each site has a default rout to their local firewalls, so even if I can NAT on the firewall, the return traffic goes out whichever firewall is local and will fail.
So, my plan is to change the source IP address of the packets to be an address on the inside interface's LAN subnet. That way it is routed back to the proper firewall. I am able to do this with the following code, but this code only works with a static one to one NAT. I am limited in public IP addresses, so I want to NAT on a per port basis. Each time I try to change the any any to a specific port, it fails.
object network host-inside-int
host 10.1.52.172
object network host-outside-nat1
[Code].....
View 5 Replies
View Related
Jul 29, 2012
I am currently trying to apply a reverse NAT on asa 8.2 and not sure how to do this. I have done this on asdm 6.2 for asa 8.3 but the options are not simiar on 8.2. Is there a CLI equivelant?
I am trying to Achieve the object below for any traffic coming from outside interface to the inside interface with any source address to destination 10.X.X.58 then translate it so that it become 192.X.X.X to address 192.X.X.58. This is so that communications can traverse internal network as the server is not ona DMZ.
I have done this on 8.3 (shown below) but do not know if it is possible for 8.2, I have tried replicating the same command on 8.2 but commands are not recognised.
nat (outside,any) source static any 192.X.X.X destination static 10.X.X.X 192.X.X.58
Should I just upgrade to 8.3? never done it before so not sure of the consequences.
View 3 Replies
View Related
Dec 22, 2012
After upgrade to 9.0.1 from 8.4 I have problems with reverse dns resolving, like this:
named[2679]: DNS format error from 193.0.9.1#53 resolving 82.64/27.195.26.72.in-addr.arpa/PTR for client 127.0.0.1#37124: question section mismatch: got 90.64.195.26.in-addr.arpa/IN/PTR
Only solution I found is to disable inspect dns, which is not very good.
View 2 Replies
View Related
Jun 15, 2012
ASA running 8.2(5).When I enable ip spoofing on my network interfaces I see this getting logged:
Deny UDP reverse path check from 10.100.100.102 to 10.100.100.255 on interface SPECTRA-LAN
This is because interface SPECTRA-LAN (VLAN50) is the interface connected to the network with ip 10.100.100.0/24 but the interface do not have a ip address so it does not exist in the routing table I believe?However interface INTERN do also belong to network 10.100.100.0/24 which also is the management interface and the default route for hosts in network 10.100.100.0/24, but has no vlan.
1. move the management0/0 to SPECTRA-LAN and give SPECTRA-LAN ip 10.100.100.1?
2. give SPECTRA-LAN a ip address in the 10.100.100.0 range?
My routing table and interface list is:
Current available interface(s):
DATA-BACKUP Name of interface Redundant1.10
DMZ Name of interface Redundant1.900
GUEST Name of interface Redundant1.990
HOSTING Name of interface Redundant1.100
Infrastruktur Name of interface Redundant1.20
[code]....
View 3 Replies
View Related
Jun 15, 2011
I've got a 5520 running 8.4(1).I've setup a simple NAT: [code] Running wireshark on the outside of the ASA, I can see the packets going out fine (the source address has been translated). I can see the replies coming in from the 'net. But the replies don't get through the ASA to the internal host.What do I need to do to allow the reverse packets to get through the ASA back to the host ?
View 3 Replies
View Related
May 16, 2013
We have a singe IP Address in the Internet and want to forward SMTP traffic that hits our ASA Outside Interace to the internal Mailserver.And we like to forward Http Traffic to our Webserver.
Example.
212.23.23.23 Port 25 -> 192.168.1.100 Port 25
212.23.23.23 Port 80 -> 192 168.1.200 Port 80
How do i acomplish that. Which NAT rules do in need?
View 12 Replies
View Related
Jul 2, 2012
After upgrading an ASA5520 from 8.4(1) to 8.4(4.1) I ran into the following trouble:
Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.149.21/53 dst inside:192.168.37.123/53 [code].....
All the subnets mentioned above are connected via VPN.
View 6 Replies
View Related
May 4, 2011
ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.13.50 dst DMZ2:192.168.13.15 (type 8, code 0) denied due to NAT reverse path failure
Cant seem to get around this one yet. I have a remote ASA that I can VPN into. It has 2 dmz's, outside and inside interface configured.
Inside subnet is 192.168.11.0 / 24
DMZ2 is 192.168.13.0 / 24
VPN client pool is 192.168.15.0 /24
I login in fine. But have no access to the DMZ2 subnet. I get the failure listed above.
View 1 Replies
View Related
Jul 2, 2012
I need to forward traffic from an Amazon server to an internal server with a SQL database on it so need to forward TCP 1433 to an internal IP (192.168.252.43) I have created an access rule to allow the amazon IPP through on 1433 but I am unsure how to point the traffic to the SQL server on the LAN.
I expect I will need to create a NAT rule to do this but cannot see how to achieve it.
I have another problem concerning a site to site VPN which establishes OK but does not pass traffic, I will post that question separately.
View 2 Replies
View Related
Mar 21, 2012
i have a cisco 837.I need hardening the access and firewall rules. I dont understand ip inspect.
View 1 Replies
View Related
Jul 5, 2012
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0
(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
View 1 Replies
View Related
Mar 3, 2012
I have added an ASA 5510 to my network between the Internet and a Windows 2008R2 server running ForeFront TMG. Before the ASA was added, vpn clients using Microsoft Windows 7 vpn client using L2TP/IPsec connected to our vpn. After ASA was added, clients can no longer connect. I would like to know how to configure the ASA to forward the vpn requests to the ForeFront TMG server for authentication and access to internal network resources. Mail is forwarded appropriately through the ASA to internal mail server and Internet access for LAN users works just fine.
Topology:
ASA 5510 (outside interface is ISP IP address, inside interface is 192.168.1.1)................Forefront TMG (outside nic 192.168.1.2, inside nic is LAN gateway IP address).
I have altered the registry key of the client vpn pc's per Microsoft Technet URL
View 1 Replies
View Related
Mar 25, 2011
I have a Pix 515, and a question about firewall rules/access lists.I have recently created a new VPN group, and IP Pool.I created a firewall rule that grants access via TCP to a specific IP address from this firewall. However, when I test the VPN from outside the company, I find I can get to whatever server I want to. There is no allow any/any. I do not think there is any other rule before it or after it that would give that kind of access as most of our rules are for specific IP's and protocols.
The only thing I could think of is that we are using the account management in the firewall to authenticate the users. I am giving the VPN users level 3 access.I will probably not post my config as it is my firewall config, and it would be against company policy.
View 3 Replies
View Related
Dec 5, 2011
Is it possible to provision 3 different public IP addresses to the same DMZ IP (Web server) on an ASA running ver 8.2(4)? Unfortunately, the way the server was provisioned Static or Dynamic PAT will not work. I have read that ver 8.3 and up supports natively one-to-many NAT translations, but at this point the client is not ready for an upgrade. Is there anything else I could do to overcome this challenge?
Outside --------> DMZ
200.1.1.1------> 10.1.1.1
200.1.1.2------> 10.1.1.1
200.1.1.3------> 10.1.1.1
View 16 Replies
View Related
Jun 24, 2011
I'm having some troubles with NAT, packets does not match nat rule (that i think it should) and is not choosing the right egress interface. So crypto map never starts
this is the relevant config:
interface Port-channel2.4
description Public TESA ADSL internet connection
vlan 7
[Code].....
View 7 Replies
View Related
May 17, 2012
Boss wants a listing of the firewall rules only. What's a command I can run that will give me a listing of this?If I can get an output of firewall rules only, via GUI, that'll work too. It just needs to end up with a printout on a piece of paper telling me what the firewall is doing.
View 17 Replies
View Related
