Asymmetric NAT rules matched for forward and reverse flows - NAT Issue

brunellej
Level 1

Having a problem with a VPN site trying to communicate with a subnet off my ASA 5505. The network is simple: the VPN IPsec remote site is 192.168.6.0/24, and I can ping and access hosts on 192.168.10.0/24 (called InfraNet). I am now trying to allow communications between 192.168.6.0/24 (called FD_net) and 192.168.9.0/24 (called Inside).

The Error:

5 Nov 12 2012 13:52:50 192.168.9.19 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.6.11 dst inside:192.168.9.19 (type 8, code 0) denied due to NAT reverse path failure

I understand this is a NAT issue, but I am not seeing the error and could use a second set of eyes. Here's my current running configuration.

: Saved
:
ASA Version 8.3(2)
!
hostname fw1
domain-name xxxxxxxx.xxx
enable password <removed>
passwd <removed>
names
!
interface Vlan1
description Town Internal Network
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
description Public Internet
nameif outside
security-level 0
ip address 173.xxx.xxx.xxx 255.255.255.248
!
interface Vlan3
description DMZ (CaTV)
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Vlan10
description Infrastructure Network
nameif InfraNet
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
description Guest Wireless
nameif Wireless-Guest
security-level 25
ip address 192.168.1.1 255.255.255.0
!
interface Vlan23
nameif StateNet
security-level 75
ip address 10.63.198.2 255.255.255.0
!
interface Vlan33
description Police Subnet
shutdown
nameif PDNet
security-level 90
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,5,10,13
switchport trunk native vlan 1
switchport mode trunk
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport trunk allowed vlan 1,10,13
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/5
switchport access vlan 23
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport trunk allowed vlan 1
switchport trunk native vlan 1
switchport mode trunk
shutdown
!
banner exec Access Restricted to Personnel Only
banner login Access Restricted to Personnel Only
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.xxx
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service IMAPoverSSL
service tcp destination eq 993
description IMAP over SSL
object service POPoverSSL
service tcp destination eq 995
description POP3 over SSL
object service SMTPwTLS
service tcp destination eq 465
description SMTP with TLS
object network obj-192.168.9.20
host 192.168.9.20
object network obj-claggett-https
host 192.168.9.20
object network obj-claggett-imap4
host 192.168.9.20
object network obj-claggett-pop3
host 192.168.9.20
object network obj-claggett-smtp
host 192.168.9.20
object network obj-claggett-imapoverssl
host 192.168.9.20
object network obj-claggett-popoverssl
host 192.168.9.20
object network obj-claggett-smtpwTLS
host 192.168.9.20
object network obj-192.168.9.120
host 192.168.9.120
object network obj-192.168.9.119
host 192.168.9.119
object network obj-192.168.9.121
host 192.168.9.121
object network obj-wirelessnet
subnet 192.168.1.0 255.255.255.0
object network WirelessClients
subnet 192.168.1.0 255.255.255.0
object network obj-dmznetwork
subnet 192.168.2.0 255.255.255.0
object network FD_Firewall
host 74.94.142.229
object network FD_Net
subnet 192.168.6.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_24
subnet 192.168.10.0 255.255.255.0
object network obj-TownHallNet
subnet 192.168.9.0 255.255.255.0
object network obj_InfraNet
subnet 192.168.10.0 255.255.255.0
object-group service EmailServices
description Normal Email/Exchange Services
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq imap4
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq pop3
service-object tcp destination eq https
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object object IMAPoverSSL
service-object object POPoverSSL
service-object object SMTPwTLS
service-object tcp destination eq https
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group network obj_clerkpc
description Clerk's PCs
network-object object obj-192.168.9.119
network-object object obj-192.168.9.120
network-object object obj-192.168.9.121
object-group network TownHall_Nets
network-object 192.168.10.0 255.255.255.0
network-object object obj-TownHallNet
object-group network DM_INLINE_NETWORK_1
network-object 192.168.10.0 255.255.255.0
network-object 192.168.9.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.9.20
access-list StateNet_access_in extended permit ip object-group obj_clerkpc any
access-list outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object FD_Net
pager lines 24
logging enable
logging asdm debugging
logging mail errors
logging from-address hostmaster@xxxxxxxxx
logging recipient-address john@xxxxxxxxx level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Wireless-Guest 1500
mtu StateNet 1500
mtu InfraNet 1500
mtu PDNet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (InfraNet,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
nat (inside,outside) source static TownHall_Nets TownHall_Nets destination static FD_Net FD_Net
!
object network obj_any
nat (inside,outside) static interface
object network obj-claggett-https
nat (inside,outside) static interface service tcp https https
object network obj-claggett-imap4
nat (inside,outside) static interface service tcp imap4 imap4
object network obj-claggett-pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network obj-claggett-smtp
nat (inside,outside) static interface service tcp smtp smtp
object network obj-claggett-imapoverssl
nat (inside,outside) static interface service tcp 993 993
object network obj-claggett-popoverssl
nat (inside,outside) static interface service tcp 995 995
object network obj-claggett-smtpwTLS
nat (inside,outside) static interface service tcp 465 465
object network obj-192.168.9.120
nat (inside,StateNet) static 10.63.198.12
object network obj-192.168.9.119
nat (any,StateNet) static 10.63.198.10
object network obj-192.168.9.121
nat (any,StateNet) static 10.63.198.11
object network obj-wirelessnet
nat (Wireless-Guest,outside) static interface
object network obj-dmznetwork
nat (any,outside) static interface
object network obj_InfraNet
nat (InfraNet,outside) static interface
access-group outside_access_in in interface outside
access-group StateNet_access_in in interface StateNet
route outside 0.0.0.0 0.0.0.0 173.166.117.190 1
route StateNet 10.0.0.0 255.0.0.0 10.63.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 5443
http 192.168.9.0 255.255.255.0 inside
http 74.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 173.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd lease 10800
dhcpd auto_config outside
!
dhcpd address 192.168.2.100-192.168.2.254 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.1.100-192.168.1.254 Wireless-Guest
dhcpd enable Wireless-Guest
!
threat-detection basic-threat
threat-detection statistics host number-of-rate 2
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 63.240.161.99 source outside prefer
ntp server 207.171.30.106 source outside prefer
ntp server 70.86.250.6 source outside prefer
webvpn
group-policy FDIPSECTunnel internal
group-policy FDIPSECTunnel attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec
username support password <removed> privilege 15
tunnel-group 173.xxx.xxx.xxx type ipsec-l2l
tunnel-group 173.xxx.xxx.xxx general-attributes
default-group-policy FDIPSECTunnel
tunnel-group 173.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
!
!
smtp-server 192.168.9.20
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e4dc3cef0de15123f11439822880a2c7
: end

Any ideas would be appreciated.

John

2 Replies

I don't see any inspection commands in your config. Is there a reason for not using any of them?
If your problem is only with ICMP, then you should enable at least ICMP inspection. You can do that easily with the legacy command "fixup protocol icmp".


Sent from Cisco Technical Support iPad App

Thanks. Not sure that would cause this issue. I mean, I can ping across the link with issue between 192.168.10.0/24 and 192.168.6.0/24. The error only happens when I try to ping 192.168.9.0/24 from the same 192.168.6.0/24 network.
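To see how the two section-1 identity rules in the posted config can match differently for a flow and its reverse (which is what the syslog reports, and why 192.168.10.0/24 works while 192.168.9.0/24 does not), here is an added Python model; it is not ASA code and not from the original post. The subnets and rule order come from the running config; the first-match logic, and taking each host's interface from its connected subnet, are simplifying assumptions. It also runs the same check with each rule narrowed to the subnet behind its real interface.

```python
# Simplified model of ASA 8.3 section-1 (twice NAT) matching: rules are
# tried in order, first match wins, separately for a flow and its reverse.
# Added illustration, not ASA code; subnets and rules come from the posted
# config, the matching logic itself is an assumption.
from ipaddress import ip_address, ip_network

# Which interface each host lives behind (from the interface stanzas;
# the VPN peer's 192.168.6.0/24 is reached through outside).
IFACE_OF = {
    "inside": ip_network("192.168.9.0/24"),
    "InfraNet": ip_network("192.168.10.0/24"),
    "outside": ip_network("192.168.6.0/24"),
}
TOWNHALL_NETS = [ip_network("192.168.10.0/24"), ip_network("192.168.9.0/24")]
FD_NET = [ip_network("192.168.6.0/24")]

# (real_ifc, mapped_ifc, source nets, destination nets), identity NAT,
# in the order they appear in the running config.
RULES_AS_POSTED = [
    ("InfraNet", "outside", TOWNHALL_NETS, FD_NET),
    ("inside", "outside", TOWNHALL_NETS, FD_NET),
]
# Same pairs, each restricted to the subnet behind its real interface.
RULES_PER_INTERFACE = [
    ("InfraNet", "outside", [ip_network("192.168.10.0/24")], FD_NET),
    ("inside", "outside", [ip_network("192.168.9.0/24")], FD_NET),
]

def iface_of(ip):
    return next((n for n, net in IFACE_OF.items() if ip in net), None)

def in_any(ip, nets):
    return any(ip in n for n in nets)

def first_match(rules, ingress, src, dst):
    """Index of the first rule a packet matches, in either direction."""
    for i, (real, mapped, src_nets, dst_nets) in enumerate(rules):
        if ingress == real and in_any(src, src_nets) and in_any(dst, dst_nets):
            return i          # real -> mapped direction
        if ingress == mapped and in_any(src, dst_nets) and in_any(dst, src_nets):
            return i          # mapped -> real (reverse) direction
    return None

def rpf_check(rules, src, dst):
    """(forward rule, reverse rule, symmetric?) for a src -> dst flow."""
    src, dst = ip_address(src), ip_address(dst)
    fwd = first_match(rules, iface_of(src), src, dst)
    rev = first_match(rules, iface_of(dst), dst, src)
    return fwd, rev, fwd == rev
```

Calling rpf_check(RULES_AS_POSTED, "192.168.6.11", "192.168.9.19") gives (0, 1, False): the outside-ingress packet first-matches the InfraNet rule because TownHall_Nets also contains 192.168.9.0/24, while the reply from inside can only match the second rule. With RULES_PER_INTERFACE both directions land on the same rule.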
