Double NAT needed. Asymmetric NAT rules matched

Fabian L
Level 1

I'm having issues with an exotic NAT/VPN configuration which results in "Asymmetric NAT rules matched for forward and reverse flows" on outgoing traffic.

Subnets:

outside: 172.16.0.2/30

Inside1: 192.168.1.1/24

Inside2: 192.168.2.1/24

VPN branch office1: 10.1.0.0/16

VPN branch office2: 10.2.0.0/16

I need to present a branch office IP for each VPN for all outgoing traffic. Traffic coming in from the branch offices is destined to the mapped addresses.

Mapped Server host1: 10.1.10.1/32

Mapped Server host2: 10.2.10.1/32

My inside servers:

Inside Server1: 192.168.1.2

Inside Server2: 192.168.2.2

To make things more complicated, neither inside host has a default route set to this ASA. All traffic on the inside interface destined for the servers has to come from the interface IP.

!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.0.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Real (inside) server addresses
object network BRANCH_SERVER1_REAL
 host 192.168.1.2
object network BRANCH_SERVER2_REAL
 host 192.168.2.2
!
! Mapped addresses the branch offices see the servers as
object network BRANCH_SERVER1_MAPPED
 host 10.1.10.1
object network BRANCH_SERVER2_MAPPED
 host 10.2.10.1
!
! Branch office subnets behind the two L2L VPNs
object network BRANCH1_SUBNET
 range 10.1.0.0 10.1.255.255
object network BRANCH2_SUBNET
 range 10.2.0.0 10.2.255.255
!
! Crypto ACLs match on the mapped server address, not the real one
access-list CRYPTO_BRANCH1 extended permit ip host 10.1.10.1 object BRANCH1_SUBNET
access-list CRYPTO_BRANCH2 extended permit ip host 10.2.10.1 object BRANCH2_SUBNET
!
! Server 1: static NAT to its mapped address towards the branch,
! plus the mapped address statically NATed to the inside1 interface
object network BRANCH_SERVER1_REAL
 nat (inside1,outside) static BRANCH_SERVER1_MAPPED
object network BRANCH_SERVER1_MAPPED
 nat (outside,inside1) static interface
!
! Server 2: same pattern on inside2
object network BRANCH_SERVER2_REAL
 nat (inside2,outside) static BRANCH_SERVER2_MAPPED
object network BRANCH_SERVER2_MAPPED
 nat (outside,inside2) static interface
!

Without

object network BRANCH_SERVER1_MAPPED
 nat (outside,inside1) static interface

I can send traffic from the server to the branch office subnet. But traffic coming in from the branch is coming in as 10.1.0.0/16, so the server doesn't have a route for the return traffic.

With

object network BRANCH_SERVER1_MAPPED
 nat (outside,inside1) static interface

traffic is coming in on the server with the ASA inside1 interface as src, but when initiating traffic from the server to branch1 the ASA shows:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside1:192.168.1.1 dst outside:10.1.20.31 (type 8, code 0) denied due to NAT reverse path failure

The easy solution would be adding a route for the branch office subnet on the server, set to the ASA interface, so I won't need NAT from outside to inside, but unfortunately that won't be possible.

1 Reply

Jouni Forss
VIP Alumni

Hi,

If you are planning on doing Dynamic PAT to the ASA "inside" interfaces from the Branch Office networks, then you won't be able to initiate connections to the Branch Office. Only the Branch Office can initiate connections, since it's the network which is PATed towards the "inside".

If you needed to initiate connections in both directions, then you would eventually run into the situation that you would have to allocate a mapped address subnet to which you could NAT the Branch Offices, and this in turn would mean the same thing as just doing no NAT, as you would still have to route the mapped subnet towards the ASA.

To do Dynamic PAT for the Branch Offices while they are connecting to the server site, I think the NAT configuration might have to look something like this:

object network SERVER-REAL
 host x.x.x.x
object network SERVER-MAPPED
 host y.y.y.y
object network BRANCH-SITE-1
 subnet a.a.a.a b.b.b.b
!
nat (outside,inside1) source dynamic BRANCH-SITE-1 interface destination static SERVER-MAPPED SERVER-REAL

I have not tested this setup together with L2L VPN, so I am not sure how this works with your setup.

- Jouni
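The reply's twice NAT (manual NAT) suggestion filled in with the addresses from the question, for both branches, as an added example that is not part of either post and, like the reply itself, has not been tested against this thread's L2L VPN. Assumptions: the branch subnets are written as `subnet` objects rather than the question's `range` objects (same address space), and the two object NAT rules per server from the question are removed first, since the twice NAT rule carries the server's static destination translation itself. As the reply explains, this only supports connections the branch initiates: the server sees every branch host as its own inside interface address, so it needs no route towards the branch.

```cisco
! Added example, not from the original posts. Addresses as in the question.
! Assumption: the object NAT rules under BRANCH_SERVER*_REAL and
! BRANCH_SERVER*_MAPPED from the question have been removed.
object network BRANCH_SERVER1_REAL
 host 192.168.1.2
object network BRANCH_SERVER1_MAPPED
 host 10.1.10.1
object network BRANCH1_SUBNET
 subnet 10.1.0.0 255.255.0.0
!
object network BRANCH_SERVER2_REAL
 host 192.168.2.2
object network BRANCH_SERVER2_MAPPED
 host 10.2.10.1
object network BRANCH2_SUBNET
 subnet 10.2.0.0 255.255.0.0
!
! Branch 1 -> server 1: source PATed to the inside1 interface (192.168.1.1),
! destination 10.1.10.1 (mapped) translated to the real 192.168.1.2.
! The server replies to 192.168.1.1, which is on-link, so no route is needed.
nat (outside,inside1) source dynamic BRANCH1_SUBNET interface destination static BRANCH_SERVER1_MAPPED BRANCH_SERVER1_REAL
!
! Branch 2 -> server 2, same pattern on inside2.
nat (outside,inside2) source dynamic BRANCH2_SUBNET interface destination static BRANCH_SERVER2_MAPPED BRANCH_SERVER2_REAL
!
! Crypto ACLs stay as in the question: the branch addresses the mapped
! server IP, which is what arrives on outside after decryption.
access-list CRYPTO_BRANCH1 extended permit ip host 10.1.10.1 object BRANCH1_SUBNET
access-list CRYPTO_BRANCH2 extended permit ip host 10.2.10.1 object BRANCH2_SUBNET
```

To check the rule order and the translation without waiting for real branch traffic, `show nat detail` lists the manual NAT rules in section 1 ahead of any remaining object NAT, and `packet-tracer input outside tcp 10.1.20.31 40000 10.1.10.1 443 detailed` (a constructed branch host and port) walks the NAT and VPN phases for an inbound flow; the same trace started from inside1 towards a branch address is expected to fail at the NAT reverse path check, which is the limitation the reply describes.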
