05-18-2013 10:21 AM - edited 03-11-2019 06:45 PM
I'm having issues with an exotic NAT/VPN configuration which results in "Asymmetric NAT rules matched for forward and reverse flows" on outgoing traffic.
Subnets:
outside: 172.16.0.2/30
Inside1: 192.168.1.1/24
Inside2: 192.168.2.1/24
VPN branch office1: 10.1.0.0/16
VPN branch office2: 10.2.0.0/16
I need to represent a branch office IP for each VPN for all outgoing traffic. Traffic coming in from the branch offices is destined to the mapped addresses.
Mapped Server host1: 10.1.10.1/32
Mapped Server host2: 10.2.10.1/32
My inside servers:
Inside Server1: 192.168.1.2
Inside Server2: 192.168.2.2
To make things more complicated, neither inside host has a default route set to this ASA. All traffic on the inside interface destined for the servers has to come from the interface IP.
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.16.0.2 255.255.255.252
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
object network BRANCH_SERVER1_REAL
host 192.168.1.2
object network BRANCH_SERVER2_REAL
host 192.168.2.2
!
object network BRANCH_SERVER1_MAPPED
host 10.1.10.1
object network BRANCH_SERVER2_MAPPED
host 10.2.10.1
!
object network BRANCH1_SUBNET
range 10.1.0.0 10.1.255.255
object network BRANCH2_SUBNET
range 10.2.0.0 10.2.255.255
!
!
access-list CRYPTO_BRANCH1 extended permit ip host 10.1.10.1 object BRANCH1_SUBNET
access-list CRYPTO_BRANCH2 extended permit ip host 10.2.10.1 object BRANCH2_SUBNET
!
object network BRANCH_SERVER1_REAL
nat (inside1,outside) static BRANCH_SERVER1_MAPPED
object network BRANCH_SERVER1_MAPPED
nat (outside,inside1) static interface
!
object network BRANCH_SERVER2_REAL
nat (inside2,outside) static BRANCH_SERVER2_MAPPED
object network BRANCH_SERVER2_MAPPED
nat (outside,inside2) static interface
!
Without
object network BRANCH_SERVER1_MAPPED
nat (outside,inside1) static interface
I can send traffic from the server to the branch office subnet, but traffic coming in from the branch arrives with a 10.1.0.0/16 source address, so the server doesn't have a route for the return traffic.
With
object network BRANCH_SERVER1_MAPPED
nat (outside,inside1) static interface
traffic arrives at the server with the ASA inside1 interface as source, but when initiating traffic from the server to branch1 the ASA shows:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside1:192.168.1.1 dst outside:10.1.20.31 (type 8, code 0) denied due to NAT reverse path failure
The easy solution would be to add a route for the branch office subnet on the server, pointing to the ASA interface, so I wouldn't need NAT from outside to inside, but unfortunately that won't be possible.
05-18-2013 11:25 AM
Hi,
If you are planning on doing Dynamic PAT to the ASA "inside" interfaces from the Branch Office networks then you won't be able to initiate connections to the Branch Office. Only the Branch Office can initiate connections, since it is the network which is PATed towards the "inside".
If you needed to initiate connections in both directions then you would eventually run into the situation where you would have to allocate a mapped address subnet to which you could NAT the Branch Offices, and this in turn would mean the same thing as just doing no NAT, as you would still have to route the mapped subnet towards the ASA.
To do Dynamic PAT for the Branch Offices while they are connecting to the server site, I think the NAT configuration might have to look something like this:
object network SERVER-REAL
host x.x.x.x
object network SERVER-MAPPED
host y.y.y.y
object network BRANCH-SITE-1
subnet a.a.a.a b.b.b.b
nat (outside,inside1) source dynamic BRANCH-SITE-1 interface destination static SERVER-MAPPED SERVER-REAL
I have not tested this setup together with L2L VPN so I am not sure how this works with your setup
- Jouni
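Jouni's template filled in with the object names from the first post, as an added example that is not part of the original thread and has not been applied to the poster's ASA or any other. The interface addresses, object names and the branch host 10.1.20.31 are taken from the post; the packet-tracer outcomes stated in the comments are what the ASA NAT rules as written should produce, not output captured from a box.

```cisco
! Added example: Jouni's twice-NAT template applied to branch 1 of the first
! post. Not tested on a live ASA; branch 2 follows the same pattern with
! inside2 / 10.2.0.0/16 / 10.2.10.1 / 192.168.2.2.
!
! 1. Remove the two object NAT rules for branch 1. The static (outside,inside1)
!    rule maps the single host 10.1.10.1 to the inside1 interface address; it
!    is not a PAT of the branch subnet, and it is the rule that matches the
!    reverse flow of server-initiated traffic while the forward flow matches
!    the (inside1,outside) rule, which is the "Asymmetric NAT rules" message.
!    The (inside1,outside) static is no longer needed either: the twice-NAT
!    rule below translates 192.168.1.2 <-> 10.1.10.1 in both directions for
!    branch-initiated connections, and keeping it would again give a
!    different rule for forward and reverse flows on server-initiated traffic.
object network BRANCH_SERVER1_REAL
 no nat (inside1,outside) static BRANCH_SERVER1_MAPPED
object network BRANCH_SERVER1_MAPPED
 no nat (outside,inside1) static interface
!
! 2. Branch subnet as a subnet object (the poster's range object would also
!    work; a subnet is easier to read and to match in the crypto ACL).
object network BRANCH1_SUBNET
 subnet 10.1.0.0 255.255.0.0
!
! 3. One manual (twice) NAT rule, evaluated for traffic entering "outside":
!    source      10.1.0.0/16 is dynamically PATed to the inside1 interface IP,
!                so the server only ever sees 192.168.1.1 as the client
!    destination 10.1.10.1 (mapped, what the branch sends to) is statically
!                translated to 192.168.1.2 (real). The static half is
!                bidirectional, so the server's replies to 192.168.1.1 are
!                untranslated by the same rule: forward and reverse flows match
!                one rule and the reverse-path check passes.
nat (outside,inside1) source dynamic BRANCH1_SUBNET interface destination static BRANCH_SERVER1_MAPPED BRANCH_SERVER1_REAL
!
! 4. Crypto ACL is matched on the outside (post-NAT) addresses, unchanged from
!    the poster's ACL apart from the protocol keyword.
access-list CRYPTO_BRANCH1 extended permit ip host 10.1.10.1 object BRANCH1_SUBNET
!
! Verification. A branch-initiated flow should list the manual NAT rule in the
! NAT phase and end with "Action: allow":
packet-tracer input outside icmp 10.1.20.31 8 0 10.1.10.1
!
! A server-initiated flow to a branch host has no NAT rule to match: dynamic
! PAT has no reverse mapping, so the source stays 192.168.1.2, the crypto ACL
! does not match and the packet is not tunneled. This is the limitation Jouni
! describes, not a misconfiguration:
packet-tracer input inside1 icmp 192.168.1.2 8 0 10.1.20.31
!
! Rule table with hit counts, and the active translations:
show nat detail
show xlate
```

Order matters here: manual NAT rules in section 1 are evaluated before object NAT in section 2, so a leftover object NAT rule for the same hosts is the first thing to rule out when `show nat detail` shows hits on a rule other than the twice-NAT line.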