11-16-2013 04:50 PM - edited 03-11-2019 08:06 PM
Hi,
I'm trying to figure out if this is a cosmetic issue/bug or if there really is a problem. For all broadcasts, I get the asymmetric NAT error.
For example, AC client logged in with address .1 broadcasts to .255 on port 137:
5 Nov 16 2013 18:42:02 305013 10.245.103.1 137 10.245.103.255 137 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.245.103.1/137(LOCAL\username) dst outside:10.245.103.255/137 denied due to NAT reverse path failure
These VPN users are reporting issues with not being able to resolve WINS names. The WINS server is configured under the profile.
Any insight appreciated. Thanks.
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)
11-17-2013 01:19 AM
Are all IPs that are to be sent over the VPN tunnel included in the NAT exempt?
Could you please post a full sanitized running config for the ASA?
--
Please rate all helpful posts
11-17-2013 07:13 AM
Hi,
Thanks for responding. I do have all addresses involved NAT exempt.
I now have a TAC case open on this. They have commented that they think it is cosmetic, possibly a bug, but they have taken a show tech and will get back to me.
I'll post their findings.
11-18-2013 09:18 PM
If you can add a VPN filter, that should resolve the problem. I had something similar on an IPsec VPN connection.
This was a note that I saw, and it made me configure a VPN filter:
Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic covered by such a permit entry could include multicast or broadcast traffic, insert deny entries for the appropriate address range into the access list. Remember to insert deny entries for network and subnet broadcast traffic, and for any other traffic that IPsec should not protect.
11-18-2013 09:19 PM
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html
And I think it is the same.
11-19-2013 12:12 AM
I agree with jumora here about using the any keyword.
If at all possible use specific subnets when configuring the crypto ACLs.
11-19-2013 09:02 AM
Did you run with the VPN filter option?
11-16-2016 02:38 AM
Hi
I'm having the same problem. How did you solve it?
02-12-2020 03:14 AM - edited 02-12-2020 03:18 AM
I solved a similar issue by creating a NAT exempt rule on the outside interface, where the source and destination are the AnyConnect VPN pool.
nat (outside,outside) source static Anyconnect-VPN-FP Anyconnect-VPN-FP destination static Anyconnect-VPN-FP Anyconnect-VPN-FP no-proxy-arp
The issue occurs because none of your NAT rules on the outside interface match a traffic pattern with the AnyConnect pool as both source and destination.
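To put the two fixes suggested in this thread side by side (the outside-to-outside identity NAT from the reply above, and the VPN filter with explicit deny entries for broadcast traffic from the earlier reply), here is an added example ASA configuration. It is not from the original posts or from Cisco; it assumes the pool object Anyconnect-VPN-FP covers 10.245.103.0/24 (the subnet seen in the log line), and the group-policy name GP-ANYCONNECT is a placeholder.

```cisco
! Added example, not from the thread. Assumes pool 10.245.103.0/24 and a
! hypothetical group policy GP-ANYCONNECT.

! Client-to-client traffic enters and leaves the same interface, so
! hairpinning on "outside" must be permitted first.
same-security-traffic permit intra-interface

! Pool object (subnet taken from the thread's 10.245.103.x addresses).
object network Anyconnect-VPN-FP
 subnet 10.245.103.0 255.255.255.0

! Identity (twice) NAT with the pool as both source and destination, so the
! forward and reverse flows hit the same rule and %ASA-4-305013 is no longer
! raised for client-to-client traffic.
nat (outside,outside) source static Anyconnect-VPN-FP Anyconnect-VPN-FP destination static Anyconnect-VPN-FP Anyconnect-VPN-FP no-proxy-arp route-lookup

! Optional VPN filter: drop NetBIOS name-service (UDP/137) traffic aimed at the
! subnet and limited broadcast addresses, then permit everything else. The ACL
! is written with the VPN client as the source.
access-list VPN-FILTER extended deny udp object Anyconnect-VPN-FP host 10.245.103.255 eq 137
access-list VPN-FILTER extended deny udp object Anyconnect-VPN-FP host 255.255.255.255 eq 137
access-list VPN-FILTER extended permit ip object Anyconnect-VPN-FP any
group-policy GP-ANYCONNECT attributes
 vpn-filter value VPN-FILTER
```

Two practical checks before relying on this: confirm the NAT rule is matched in both directions with `packet-tracer input outside udp 10.245.103.1 137 10.245.103.255 137`, and remember that a vpn-filter denies matching traffic in both directions, so the final `permit ip` line is what keeps WINS lookups to the server assigned by the profile working; the subnet broadcast to .255 is not forwarded between VPN clients by the ASA in any case, which is why suppressing it only quiets the log rather than changing name resolution.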