
ASA 8.2 to 8.3 or 8.2 to 8.4 nonat migration problem

When I upgraded my ASA from 8.2 to 8.3, I realized that my nonat (NAT exemption) statement was failing! The log showed the following error:
    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows

The config upgrade had caused this by adding the unidirectional keyword to the end of my nonat statement:

Causing problems:

    nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0 unidirectional



When I removed the unidirectional keyword from the end of the line, the nonat configuration statement worked again.

Working:

    no nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0 unidirectional
    nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0
    clear xlate



For more information please refer to:

    Configuring Network Object NAT

If you feel there is a migration problem after hardware upgrade, view the errors with:

    hostname# show startup-config errors


And read through this migration guide:
    Cisco ASA 5500 Migration Guide for Version 8.3

In particular, this note from that page appears to apply:

(For Version 8.3(2)) NAT exemption (the nat 0 access-list command) is migrated to a twice NAT rule with the unidirectional keyword. The unidirectional keyword only allows traffic on the source network to initiate connections. Because NAT exemption is normally bidirectional, you might need to remove the unidirectional keyword to restore the original function. This migration change was made because of a caveat in the order of NAT rules: when a static identity twice NAT rule overlaps with a dynamic twice NAT rule, the static rule will be matched no matter where it is placed in the NAT table. The unidirectional keyword prevents the static identity rule from being used for returning traffic that should match the dynamic NAT rule.
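As an added check (not from the original article or from Cisco), the following Python scans a migrated running-config for identity twice NAT rules that carry unidirectional, which is exactly the shape a former nat 0 access-list exemption is migrated into, and emits the same remove/re-add/clear xlate fix shown above. The config fragment and object names are constructed; rules whose real and mapped objects differ are deliberately left alone, since unidirectional is legitimate there.

```python
import re
from typing import List

# Constructed sample of a post-migration 8.3 config fragment (not from a real device).
# Rule 1 is the identity twice-NAT rule the migration builds from 'nat 0 access-list';
# rule 2 is a genuine one-way static rule that must be left alone; rule 3 is dynamic.
SAMPLE_CONFIG = """\
nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0 unidirectional
nat (inside,outside) source static obj-dmz-real obj-dmz-mapped destination static obj-remote obj-remote unidirectional
nat (inside,outside) source dynamic any interface
"""

# Twice NAT 'source static' rule: optional destination clause, then trailing option keywords.
TWICE_NAT_RE = re.compile(
    r"^nat \([^)]+\) source static (?P<src_real>\S+) (?P<src_map>\S+)"
    r"(?: destination static (?P<dst_map>\S+) (?P<dst_real>\S+))?"
    r"(?P<opts>(?: \S+)*)$"
)

def find_migrated_nat_exemptions(config: str) -> List[str]:
    """Return identity twice-NAT rules (real == mapped on source and, if present,
    destination) that carry 'unidirectional': the shape of a migrated NAT exemption,
    whose return traffic the keyword blocks. Non-identity rules are left alone."""
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TWICE_NAT_RE.match(line)
        if not m or "unidirectional" not in m.group("opts").split():
            continue
        src_identity = m.group("src_real") == m.group("src_map")
        dst_identity = m.group("dst_map") is None or m.group("dst_map") == m.group("dst_real")
        if src_identity and dst_identity:
            hits.append(line)
    return hits

def remediation_commands(config: str) -> List[str]:
    """Build the fix the article applies: remove the rule, re-add it without
    'unidirectional', then 'clear xlate' so existing translations are rebuilt."""
    cmds = []
    for rule in find_migrated_nat_exemptions(config):
        cmds.append("no " + rule)
        cmds.append(" ".join(tok for tok in rule.split() if tok != "unidirectional"))
    if cmds:
        cmds.append("clear xlate")
    return cmds

print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Review the emitted commands before pasting them into the ASA: an identity rule that was intentionally one-way will also be flagged.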

Author Comment

by: Istvan Kalmar
Thanks, I corrected the link... I published another Article, please enable it!

Best regards,
Istvan
