Cisco ASA 9.1 Asymmetric NAT Rules – Forward and Reverse Flows

Tags: cisco-asa, nat

Can someone explain why the first NAT config below gives me an "asymmetric NAT rules" (RPF) error for the connection to "VPN1" while the second (no "any" in the Manual NAT) makes the automatic NAT actually work?

Automatic NAT (section 2) not working ("asymmetric NAT"):

nat (Transit,Internet) source dynamic FW1 interface
!
object network FW1
 host 172.1.2.3
object network VPN1
 nat (Main,Internet) static interface service udp 1194 1195 
!
...

This seems to work ok: (explicit destination set for manual NAT in section 1)

nat (Transit,Internet) source dynamic FW1 interface destination static DM_INLINE_NETWORK_51 DM_INLINE_NETWORK_51
!
object network FW1
 host 172.1.2.3
object network VPN1
 nat (Main,Internet) static interface service udp 1194 1195 
!
...

Why does this make a difference for the NAT of VPN1? I don't get it. There are different (source) interfaces involved, different source addresses obviously, so why would one prevent the other from working?

Best Answer

The difference between your two Manual NAT statements is one of them also looks for a match on the destination (or source on return or outside-originated traffic).

If you convert your NAT statements to 'layman' explanation, it will make more sense.

For example:

nat (Transit,Internet) source dynamic FW1 interface

When the ASA finds traffic on the Transit interface that matches a source of FW1, send it to the Internet interface and change the source dynamically to the interface IP of the Internet interface.

nat (Transit,Internet) source dynamic FW1 interface destination static DM_INLINE_NETWORK_51 DM_INLINE_NETWORK_51

When the ASA finds traffic on the Transit interface that matches a source of FW1 and a destination of DM_INLINE_NETWORK_51, send it to the Internet interface and change the source dynamically to the interface IP of the Internet interface and change the destination statically to DM_INLINE_NETWORK_51.

The difference is crucial:

The second NAT statement only matches when FW1 is speaking to DM_INLINE_NETWORK_51. The first NAT statement matches any time FW1 is speaking.

As a result, all your inbound traffic (i.e. crossing interfaces Internet to Transit) will have return traffic that matches your first NAT statement. Hence, the NAT is asymmetric -- the configuration treats the traffic coming inbound differently than it does on its way out (in so far as NAT).

Remember, this is a Dynamic NAT (also known as a PAT), which by definition can only be unidirectional. Traffic will flow from inside to outside (or Transit to Internet) but not the other way around.
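The matching logic the answer walks through (section 1 manual NAT is consulted before section 2 object NAT, every rule is tried in both its real-to-mapped and its mapped-to-real direction, and a manual rule with no destination clause matches any peer) can be reproduced in a few lines. The model below is an added example, not code from the original post or from Cisco, and it is deliberately simplified: it ignores ports and the interface-PAT port mapping, and it only shows which rule claims each direction of a connection. The Internet interface IP (198.51.100.10), the VPN1 host (10.20.0.5, elided as "..." in the post), the peer network behind DM_INLINE_NETWORK_51 (203.0.113.0/24) and the Internet client (192.0.2.77) are all constructed; only FW1 = 172.1.2.3 and the interface names come from the post.

```python
"""Simplified model of how an ASA picks a NAT rule for a packet.

Added example, not from the original post or from Cisco. It reproduces only
the matching order described in the answer: section 1 (manual NAT) is walked
before section 2 (object NAT); each rule is tried forward (real -> mapped)
and reverse (mapped -> real); a manual rule with no destination clause
matches any destination forward and any source in reverse. Ports and the
interface-PAT port mapping are ignored. All addresses except FW1 are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                   # 1 = manual NAT, 2 = object (auto) NAT
    real_ifc: str
    mapped_ifc: str
    real_src: IPv4Network
    mapped_src: IPv4Network
    real_dst: IPv4Network = ANY    # "destination static X X" narrows these;
    mapped_dst: IPv4Network = ANY  # with no destination clause they stay ANY

    def forward_match(self, p: Packet) -> bool:
        """real -> mapped: the packet enters on the real interface."""
        return (p.ingress == self.real_ifc
                and ip_address(p.src) in self.real_src
                and ip_address(p.dst) in self.real_dst)

    def reverse_match(self, p: Packet) -> bool:
        """mapped -> real: the packet enters on the mapped interface aimed at
        the mapped address. With no destination clause mapped_dst is ANY, so
        a packet from any Internet host to the interface IP matches."""
        return (p.ingress == self.mapped_ifc
                and ip_address(p.dst) in self.mapped_src
                and ip_address(p.src) in self.mapped_dst)


def lookup(table: List[NatRule], p: Packet) -> Optional[Tuple[str, str]]:
    """First-match walk of the NAT table in section order (config order within a section)."""
    for rule in sorted(table, key=lambda r: r.section):  # sorted() is stable
        if rule.forward_match(p):
            return rule.name, "forward"
        if rule.reverse_match(p):
            return rule.name, "reverse"
    return None


def check_symmetry(table: List[NatRule], initial: Packet,
                   reply: Packet) -> Tuple[bool, Optional[str], Optional[str]]:
    """RPF-style check: both directions of one connection must hit the same rule."""
    fwd = lookup(table, initial)
    rev = lookup(table, reply)
    fwd_name = fwd[0] if fwd else None
    rev_name = rev[0] if rev else None
    return (fwd_name is not None and fwd_name == rev_name), fwd_name, rev_name


INTERNET_IP = ip_network("198.51.100.10/32")          # constructed: Internet interface IP
FW1 = ip_network("172.1.2.3/32")                      # from the post
VPN1 = ip_network("10.20.0.5/32")                     # constructed: VPN1 host is elided in the post
DM_INLINE_NETWORK_51 = ip_network("203.0.113.0/24")   # constructed: peer network

vpn1_static = NatRule("VPN1 static", 2, "Main", "Internet", VPN1, INTERNET_IP)

# Config 1 from the post: manual PAT with no destination clause.
CONFIG_WITHOUT_DEST = [
    NatRule("FW1 PAT (no destination)", 1, "Transit", "Internet", FW1, INTERNET_IP),
    vpn1_static,
]
# Config 2 from the post: manual PAT restricted to DM_INLINE_NETWORK_51.
CONFIG_WITH_DEST = [
    NatRule("FW1 PAT (destination DM_INLINE_NETWORK_51)", 1, "Transit", "Internet",
            FW1, INTERNET_IP, DM_INLINE_NETWORK_51, DM_INLINE_NETWORK_51),
    vpn1_static,
]

# Constructed connection: an Internet host (not in DM_INLINE_NETWORK_51) hits the
# interface IP for VPN1, and VPN1 replies from the Main interface.
INBOUND = Packet("Internet", "192.0.2.77", "198.51.100.10")
REPLY = Packet("Main", "10.20.0.5", "192.0.2.77")

if __name__ == "__main__":
    for label, table in (("no destination", CONFIG_WITHOUT_DEST),
                         ("with destination", CONFIG_WITH_DEST)):
        ok, fwd, rev = check_symmetry(table, INBOUND, REPLY)
        print(f"{label}: inbound -> {fwd}, reply -> {rev}, "
              f"{'symmetric' if ok else 'ASYMMETRIC'}")
```

With the first table the inbound packet is claimed, in its reverse direction, by the section 1 PAT rule (any source to the interface IP) before the VPN1 object rule is ever reached, while VPN1's reply matches the object rule: two different rules for one connection, which is what the ASA reports as asymmetric NAT. With the destination clause the PAT rule only matches traffic between FW1 and DM_INLINE_NETWORK_51, so both directions land on the VPN1 rule. On a real ASA the equivalent check is `show nat` (rules listed by section, with hit counts) and `packet-tracer input Internet udp <client-ip> <client-port> <interface-ip> 1194`, which names the NAT rule matched in each phase and shows the RPF drop when the two disagree.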