ASA 8.2 to 8.3 or 8.2 to 8.4 nonat migration problem

Istvan Kalmar, Head of IT Security Division
When I upgraded my ASA from 8.2 to 8.3, I found that my nonat (NAT exemption) statement had stopped working. The log showed the following error:
    %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows

The config migration had caused it: the upgrade rewrote my nonat statement as a twice NAT identity rule and appended the unidirectional keyword to the end of the line:

Causing problems:
    nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0 unidirectional


Once I removed the unidirectional keyword from the end of the line, the nonat configuration statement worked again:

Working:
    no nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0 unidirectional
    nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0
    clear xlate


For more information please refer to:

    Configuring Network Object NAT

If you suspect a migration problem after the upgrade, view the errors the migration produced with:
    hostname# show startup-config errors

And read through this migration guide:
    Cisco ASA 5500 Migration Guide for Version 8.3

In particular, this note from that page applies:
(For Version 8.3(2)) NAT exemption (the nat 0 access-list command) is migrated to a twice NAT rule with the unidirectional keyword. The unidirectional keyword only allows traffic on the source network to initiate connections. Because NAT exemption is normally bidirectional, you might need to remove the unidirectional keyword to restore the original function. This migration change was made because of a caveat in the order of NAT rules: when a static identity twice NAT rule overlaps with a dynamic twice NAT rule, the static rule will be matched no matter where it is placed in the NAT table. The unidirectional keyword prevents the static identity rule from being used for returning traffic that should match the dynamic NAT rule.
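To audit a migrated configuration for exactly this pattern, here is an added example (my own Python, not code from the article or from Cisco) that parses static twice NAT lines, flags identity rules that carry the unidirectional keyword, emits the same remediation sequence used above, and counts %ASA-5-305013 messages in a syslog sample to confirm the symptom. The sample configuration and log lines are constructed for illustration: the object names are taken from the article, while the subnet masks, the extra NAT rules, the hostname, timestamps and the second syslog message are assumptions.

```python
"""Audit an ASA 8.3+ config migrated from 8.2 for NAT-exemption ("nonat") rules
that the migration turned into unidirectional twice NAT identity rules, and
produce the remediation used in the article (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List

# Twice NAT line of the shape shown in the article:
#   nat (inside,any) source static A A destination static B B [options...]
# Only static/static twice NAT is parsed; dynamic rules are skipped on purpose.
NAT_STATIC_RE = re.compile(
    r"^\s*nat\s+\((?P<ifaces>[^)]+)\)\s+source\s+static\s+"
    r"(?P<src_real>\S+)\s+(?P<src_mapped>\S+)\s+destination\s+static\s+"
    r"(?P<dst_real>\S+)\s+(?P<dst_mapped>\S+)(?P<rest>(?:\s+\S+)*)\s*$"
)
ASYMMETRIC_NAT_MSG_ID = "%ASA-5-305013"  # message id quoted in the article


@dataclass
class TwiceNatRule:
    line: str            # the config line, whitespace-trimmed
    ifaces: str          # e.g. "inside,any"
    src_real: str
    src_mapped: str
    dst_real: str
    dst_mapped: str
    options: List[str]   # trailing keywords such as "unidirectional"

    @property
    def is_identity(self) -> bool:
        # real == mapped on both sides: traffic passes untranslated (nonat)
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped

    @property
    def is_unidirectional(self) -> bool:
        return "unidirectional" in self.options


def parse_static_twice_nat(config: str) -> List[TwiceNatRule]:
    rules = []
    for raw in config.splitlines():
        m = NAT_STATIC_RE.match(raw)
        if m:
            rules.append(TwiceNatRule(
                line=raw.strip(), ifaces=m["ifaces"],
                src_real=m["src_real"], src_mapped=m["src_mapped"],
                dst_real=m["dst_real"], dst_mapped=m["dst_mapped"],
                options=m["rest"].split(),
            ))
    return rules


def find_migrated_nonat(config: str) -> List[TwiceNatRule]:
    """Identity twice NAT rules carrying 'unidirectional': the migration artefact
    described in the article, which blocks connections initiated from the
    destination side."""
    return [r for r in parse_static_twice_nat(config)
            if r.is_identity and r.is_unidirectional]


def remediation_commands(rule: TwiceNatRule) -> List[str]:
    """Same sequence as the article: remove the migrated rule, re-add it without
    'unidirectional' (any other keywords are kept in order), then clear xlate.
    'clear xlate' tears down existing translations, so schedule it accordingly."""
    fixed = " ".join(tok for tok in rule.line.split() if tok != "unidirectional")
    return [f"no {rule.line}", fixed, "clear xlate"]


def count_asymmetric_nat_events(log_lines: List[str]) -> int:
    """Confirm the symptom: count %ASA-5-305013 messages in a syslog sample."""
    return sum(1 for ln in log_lines if ASYMMETRIC_NAT_MSG_ID in ln)


# Constructed sample input (object names from the article; everything else assumed).
SAMPLE_CONFIG = """\
object network obj-172.25.179.0
 subnet 172.25.179.0 255.255.255.0
object network obj-192.168.92.0
 subnet 192.168.92.0 255.255.255.0
!
nat (inside,any) source static obj-172.25.179.0 obj-172.25.179.0 destination static obj-192.168.92.0 obj-192.168.92.0 unidirectional
nat (inside,dmz) source static obj-10.1.1.0 obj-10.1.1.0-mapped destination static obj-10.2.2.0 obj-10.2.2.0 unidirectional
nat (dmz,any) source static obj-10.3.3.0 obj-10.3.3.0 destination static obj-10.4.4.0 obj-10.4.4.0
nat (inside,outside) source dynamic any interface
"""
SAMPLE_LOG = [  # constructed syslog lines; message text from the article
    "Jan 12 10:00:01 asa1 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows",
    "Jan 12 10:00:01 asa1 %ASA-6-302013: Built outbound TCP connection 4711",
    "Jan 12 10:00:02 asa1 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows",
]

if __name__ == "__main__":
    print(f"{count_asymmetric_nat_events(SAMPLE_LOG)} asymmetric-NAT events in log sample")
    for rule in find_migrated_nonat(SAMPLE_CONFIG):
        print(f"migrated nonat rule found: {rule.line}")
        for cmd in remediation_commands(rule):
            print("  " + cmd)
```

Feed it the output of show running-config nat from the migrated box. Only the first sample rule is reported: the second is not an identity rule (the mapped source object differs) and the third has no unidirectional keyword. Before applying the generated commands, check whether the identity rule overlaps a dynamic twice NAT rule, since that is the case the migration guide's note is guarding against when it adds the keyword.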

Comments (1)

Istvan Kalmar (Author) commented:
Thanks, I corrected the link... I published another Article, please enable it!

Best regards,
Istvan
