11-13-2011 01:12 PM - edited 03-11-2019 02:49 PM
Using 8.2.5
I have a AnyConnect VPN that is not functioning. I'm able to connect but not able to access anything on the LAN
I'm getting the following errors in ASDM.
5 | Nov 13 2011 | 20:41:05 | 192.168.0.5 | 3389 | Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.0.42/1513 dst inside:192.168.0.5/3389 denied due to NAT reverse path failure |
My sanitized configuration is included
Totally confused with the NAT traversal issue. I would appreciate some assistance.
SHO ACCESS-L is below
sh access-l
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside_nat0_outbound; 1 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip 192.168.0.0 255.255.255.0 VPNNet 255.255.255.0 (hitcnt=0) 0x330c9a6d
access-list outside_access; 8 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host OutsideDMZWeb eq www (hitcnt=1172) 0xd20993c1
access-list outside_access line 2 extended permit tcp any host OutsideMailServer eq smtp (hitcnt=219) 0x4f13736b
access-list outside_access line 3 extended permit tcp any host OutsideMailServer eq www (hitcnt=1) 0x93c66598
access-list outside_access line 4 extended permit tcp any host OutsideMailServer eq https (hitcnt=253) 0x04017f02
access-list outside_access line 5 extended permit tcp any host OutsideSQL object-group ts 0xe3b6a426
access-list outside_access line 5 extended permit tcp any host OutsideSQL eq 3389 (hitcnt=4) 0x8dc511ee
access-list outside_access line 6 extended permit tcp any host OutsideMailServer object-group ts 0x4b6801cf
access-list outside_access line 6 extended permit tcp any host OutsideMailServer eq 3389 (hitcnt=5) 0x67b35434
access-list outside_access line 7 extended permit tcp any host OutsideDMZWeb object-group ts 0xf2df7313
access-list outside_access line 7 extended permit tcp any host OutsideDMZWeb eq 3389 (hitcnt=244) 0x87a8e911
access-list outside_access line 8 extended permit tcp any host OutsideDMZWeb eq https (hitcnt=0) 0x51043a7b
access-list inside_nat_outbound; 2 elements; name hash: 0xb64b365a
access-list inside_nat_outbound line 1 extended permit ip any VPNNet 255.255.255.0 (hitcnt=0) 0x503e0af3
access-list inside_nat_outbound line 2 extended permit ip 192.168.0.0 255.255.255.0 VPNNet 255.255.255.0 (hitcnt=0) 0x72590365
access-list argen01_splitTunnelAcl; 1 elements; name hash: 0x2895c8be
access-list argen01_splitTunnelAcl line 1 standard permit 192.168.0.0 255.255.255.0 (hitcnt=0) 0xd35fe9fd
sh nat
NAT policies on Interface inside:
match ip inside 192.168.0.0 255.255.255.0 outside VPNNet 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.0.0 255.255.255.0 inside VPNNet 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.0.0 255.255.255.0 dmz VPNNet 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.0.0 255.255.255.0 management VPNNet 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside host InsideMailServer outside any
static translation to OutsideMailServer
translate_hits = 38454, untranslate_hits = 47764
match ip inside host InsideSQL outside any
static translation to OutsideSQL
translate_hits = 93, untranslate_hits = 2982
match ip inside any outside any
dynamic translation to pool 101 (12.12.12.12 [Interface PAT])
translate_hits = 352039, untranslate_hits = 12431
match ip inside any inside any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any management any
dynamic translation to pool 101 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 0
match ip inside any dmz any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface dmz:
match ip dmz host InsideDMZWeb outside any
static translation to OutsideDMZWeb
translate_hits = 1267, untranslate_hits = 5840
match ip dmz any outside any
dynamic translation to pool 1 (12.12.12.15)
translate_hits = 139, untranslate_hits = 30
match ip dmz any dmz any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface management:
match ip management any outside any
no translation group, implicit deny
policy_hits = 0
match ip management any dmz any
no translation group, implicit deny
policy_hits = 0
11-14-2011 11:44 AM
Hey,
Just a quick question: 192.168.0.42 and 192.168.0.45 seem to be on the same network (inside), so why is the 192.168.0.42 IP address coming from the outside?
Normally these error messages are referred to as a problem with NAT (it enters with the real IP and then, going out, the packet gets NATted).
Let me know.
Mike
11-14-2011 01:10 PM
Looks like the VPN is picking up an IP address from DHCP instead of the "ippool".
Sent from my iPad
11-14-2011 01:16 PM
You can check that on the tunnel group, whether you have a DHCP server or the pool assigned to it. Also, you need to check what method is being used.
sh run all | inc vpn-addr-assign
Mike
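As an added illustration (not code from the thread), the triage below parses the ASDM row from the first post and checks the two things Mike raises: whether the client address that arrived on "outside" falls inside the LAN subnet, and whether it falls inside the VPN pool that the nat0 exemption expects. The real address of the VPNNet object is not in the thread, so 10.10.10.0/24 is a placeholder.

```python
import ipaddress
import re

# Copy of the ASDM row from the first post (ASA message 305013).
LOG_ROW = ("5 | Nov 13 2011 | 20:41:05 | 192.168.0.5 | 3389 | Asymmetric NAT rules matched "
           "for forward and reverse flows; Connection for tcp src outside:192.168.0.42/1513 "
           "dst inside:192.168.0.5/3389 denied due to NAT reverse path failure |")

# The message names both endpoints of the flow as interface:ip/port.
FLOW_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) denied due to NAT reverse path failure")

LAN_NET = ipaddress.ip_network("192.168.0.0/24")   # inside subnet, from the nat0 ACL
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")    # ASSUMED placeholder for the VPNNet object


def parse_rpf_failure(row):
    """Return the flow fields of a reverse-path-failure row, or None if it is not one."""
    m = FLOW_RE.search(row)
    if not m:
        return None
    flow = m.groupdict()
    flow["sip"] = ipaddress.ip_address(flow["sip"])
    flow["dip"] = ipaddress.ip_address(flow["dip"])
    return flow


def diagnose(row, lan=LAN_NET, pool=VPN_POOL):
    """Explain why the nat0 exemption (permit ip LAN -> pool) could not match the reverse flow."""
    flow = parse_rpf_failure(row)
    if flow is None:
        return ["not a NAT reverse path failure row"]
    findings = []
    # A VPN client should never show up on 'outside' with an address out of the inside LAN.
    if flow["sif"] == "outside" and flow["sip"] in lan:
        findings.append(f"client {flow['sip']} arrived on '{flow['sif']}' with an address from "
                        f"the LAN {lan}: it overlaps the inside subnet (DHCP-assigned?) "
                        "rather than the VPN pool")
    # The nat0 ACL only exempts traffic between the LAN and the pool.
    if flow["sip"] not in pool:
        findings.append(f"client {flow['sip']} is not in the VPN pool {pool}, so "
                        f"'permit ip {lan} {pool}' never matches and the reverse flow hits NAT")
    if not findings:
        findings.append("addresses are consistent; check the nat0 ACL and the vpn-addr-assign method")
    return findings


if __name__ == "__main__":
    for line in diagnose(LOG_ROW):
        print(line)
```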