Nat – “NAT reverse path failure” ASA 8.3


Forgive me, as I'm not very experienced with ASAs, but I believe what I have configured should be working.

I have an ASA 5510 running version 8.3(2), which is connected to internal, external, and dmz networks, as well as an RA VPN.
Both the Internal and DMZ networks have dynamic NAT configured when going from internal/dmz to the internet. These dynamic NATs both work as expected.

The problem occurs when trying to access the DMZ network from over the VPN.

The error message I get on the ASA states:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:x.x.x.x dst dmz: y.y.y.y (type 8, code 0) denied due to NAT reverse path failure

I figured that the reason this is occurring is because the traffic returning from the DMZ would match the dynamic NAT rule, and be nat'd to the outside interface.

So I put in a static no NAT rule for the DMZ subnet to the VPN:

nat (dmz,outside) source static DMZ_VLAN DMZ_VLAN destination static VPN VPN

But… I'm still receiving the error.

Now, here's where I get even more confused.
After adding that static NAT, my sh nat looks like this:

1 (inside) to (outside) source static any any destination static VPN VPN description VPN No NAT
    translate_hits = 3, untranslate_hits = 1198

2 (dmz) to (outside) source static DMZ_VLAN DMZ_VLAN destination static VPN VPN
    translate_hits = 0, untranslate_hits = 0

If I move the DMZ to Outside rule above the inside to outside rule, I can access the DMZ, but I can not access the inside from the VPN.

I'm not sure why the order of these rules would make a difference, because if the top rule doesn't match, it should keep flowing down the list.

Any help would be appreciated, although my senses are telling me that I'm just making a stupid mistake somewhere obvious.

EDIT: More info.

Interface security levels:

inside: 100
dmz: 50
outside: 0

NAT rules from show run nat:

nat (inside,outside) source static any any destination static VPN VPN description VPN No NAT
nat (dmz,outside) source static DMZ_VLAN DMZ_VLAN destination static VPN VPN

object network DMZ_VLAN
 nat (dmz,outside) dynamic interface

object network In_VLAN
 nat (inside,outside) dynamic interface

Access lists should not apply, as I have sysopt connection permit-vpn on, and unless I misunderstand this command, it should enable traffic from the VPN regardless of ACLs.

Also, ICMP traffic is being inspected, so the return traffic should get back without being affected by the access-list (again, unless I misunderstand traffic inspection).

Networks:

Inside: 10.1.4.0/24
DMZ: 10.1.254.0/24
VPN: 10.1.10.0/24

Packet-tracer from DMZ to VPN

Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (dmz,outside) source static DMZ_VLAN DMZ_VLAN destination static VPN VPN
Additional Information:
Static translate 10.1.254.1/0 to 10.1.254.1/0

The packet-tracer gets all the way to the end with "Allow" all the way.

Best Answer

Fixed!

I'm not entirely sure what was going on to cause the problem, but this is what seemed to be happening.

Let's revisit the NAT rules again.

nat (inside,outside) source static any any destination static VPN VPN
nat (dmz,outside) source static DMZ_VLAN DMZ_VLAN destination static VPN VPN

Notice the difference between the two rules which (are supposed to) do the same thing for different interfaces.

The reason the top NAT is wide open like that (any any) is because there are actually multiple networks that can come from the inside of our network, so we thought leaving it open would be easier than defining every network that could appear.

The problem that seems to have been happening was that when traffic comes in from the VPN, the ASA would look through its NATs seemingly before it decides what path it will take through the firewall. So it'll check the traffic against the top NAT, and it matches because it's definitely going from VPN to any. Whereas the return traffic would be from DMZ_VLAN to VPN, and therefore wouldn't match the top rule.

I'm not sure if matching that first NAT causes the ASA to direct the traffic inside, or if it just realises that the outbound traffic will match a different NAT.

Once I modified the top NAT rule to be more specific:

nat (inside,outside) source static IN_VLANS IN_VLANS destination static VPN VPN

Everything works perfectly!

Weird issue, but it seems the moral of the story is to be specific with everything, even when you don't think it will cause any issues, because it can.
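The explanation in the answer (forward flow hits the "any any" inside rule, the reply hits the dmz rule, and the ASA denies the connection because the two flows matched different NAT rules) can be checked with a small model of top-down twice-NAT matching. The following is an added example written for this page, not Cisco code and not the poster's configuration; it models only the bidirectional section 1 (manual NAT) rules and the unidirectional section 2 dynamic PAT from the thread, ignores routing and every other NAT option, and assumes the `IN_VLANS` / `In_VLAN` objects cover the 10.1.4.0/24 inside network listed in the question. The host addresses 10.1.10.5, 10.1.254.1 and 10.1.4.10 are constructed sample values.

```python
"""Simplified model of ASA 8.3 NAT rule matching for the asymmetric-NAT case.

Added example for this thread, not Cisco code. Section 1 (twice-NAT) rules are
bidirectional and evaluated top-down; section 2 object NAT with dynamic PAT only
matches connections initiated from the real side. The reverse-path check here is
"forward and reply must hit the same rule", which is what %ASA-5-305013 reports.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    name: str
    real_if: str                 # first interface in "nat (real_if,mapped_if)"
    mapped_if: str
    src: IPv4Network             # real source network (identity NAT: real == mapped)
    dst: IPv4Network = ANY       # destination network; ANY for object NAT
    dynamic: bool = False        # dynamic PAT: only matches from the real side

    def egress_for(self, ingress_if: str, src_ip: IPv4Address,
                   dst_ip: IPv4Address) -> Optional[str]:
        """Return the egress interface if this rule matches, else None."""
        # Real-to-mapped direction (e.g. dmz -> outside).
        if ingress_if == self.real_if and src_ip in self.src and dst_ip in self.dst:
            return self.mapped_if
        # Mapped-to-real direction: only static (bidirectional) rules match here,
        # and the source/destination roles are swapped.
        if (not self.dynamic and ingress_if == self.mapped_if
                and src_ip in self.dst and dst_ip in self.src):
            return self.real_if
        return None


def first_match(rules: List[NatRule], ingress_if: str, src_ip: IPv4Address,
                dst_ip: IPv4Address) -> Optional[NatRule]:
    """ASA evaluates the NAT table top-down and uses the first hit."""
    for rule in rules:
        if rule.egress_for(ingress_if, src_ip, dst_ip) is not None:
            return rule
    return None


def check_flow(rules: List[NatRule], ingress_if: str, src: str, dst: str,
               reply_if: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Evaluate the forward packet and its reply (arriving on reply_if).

    Returns (verdict, forward_rule_name, reverse_rule_name). The verdict is
    "denied" when the two directions matched different rules, mirroring the
    "NAT reverse path failure" drop.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    fwd = first_match(rules, ingress_if, src_ip, dst_ip)
    rev = first_match(rules, reply_if, dst_ip, src_ip)
    names = (fwd.name if fwd else None, rev.name if rev else None)
    if fwd is None and rev is None:
        return ("no-nat",) + names
    if fwd is not rev:
        return ("denied",) + names
    return ("allowed",) + names


# Networks from the question; IN_VLANS assumed to be the 10.1.4.0/24 inside net.
VPN = ip_network("10.1.10.0/24")
DMZ_VLAN = ip_network("10.1.254.0/24")
IN_VLANS = ip_network("10.1.4.0/24")

# Section 2 object NAT from the thread's "show run nat" (dynamic PAT to interface).
OBJECT_NAT = [
    NatRule("object DMZ_VLAN dynamic interface", "dmz", "outside", DMZ_VLAN, dynamic=True),
    NatRule("object In_VLAN dynamic interface", "inside", "outside", IN_VLANS, dynamic=True),
]
RULE1_ANY = NatRule("rule1 any->VPN", "inside", "outside", ANY, VPN)
RULE1_SPECIFIC = NatRule("rule1 IN_VLANS->VPN", "inside", "outside", IN_VLANS, VPN)
RULE2_DMZ = NatRule("rule2 DMZ_VLAN->VPN", "dmz", "outside", DMZ_VLAN, VPN)


def original_table() -> List[NatRule]:
    """Before the dmz identity rule existed: only the 'any any' inside rule."""
    return [RULE1_ANY] + OBJECT_NAT


def with_dmz_rule() -> List[NatRule]:
    """After adding the dmz rule below the 'any any' rule (still failing)."""
    return [RULE1_ANY, RULE2_DMZ] + OBJECT_NAT


def fixed_table() -> List[NatRule]:
    """The fix from the answer: the inside rule made specific to IN_VLANS."""
    return [RULE1_SPECIFIC, RULE2_DMZ] + OBJECT_NAT


if __name__ == "__main__":
    for label, table in [("original", original_table()),
                         ("with dmz rule", with_dmz_rule()),
                         ("fixed", fixed_table())]:
        print(label, "VPN->DMZ:", check_flow(table, "outside", "10.1.10.5", "10.1.254.1", "dmz"))
    print("fixed VPN->inside:", check_flow(fixed_table(), "outside", "10.1.10.5", "10.1.4.10", "inside"))
```

With the original table the VPN-to-DMZ packet hits the wide-open inside rule while the DMZ reply hits the dynamic PAT object, which is the mismatch behind the first 305013 message; adding the dmz rule below it does not help because the forward packet still stops at the first match. Only when the inside rule no longer claims 10.1.254.1 as a possible destination do both directions land on the same rule.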
