Hello Team,
Seeking your help with an issue I've been facing deploying a new ASA5555 FW. We have a server behind the LAN interface which is reachable over a Cisco AnyConnect profile; that server also needs internet connectivity, and here is where the issue comes up: after configuring the NAT to allow internet traffic, it is no longer reachable over AnyConnect, and what I can see in the logs is a kind of asymmetric NAT.
FW details:
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)151
Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2793 MHz, 1 CPU (8 cores)
ASA: 8546 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB
The server is directly connected to the LAN interface:
OSLO-ASA01# show arp | in 10.47.20.245
LAN 10.47.20.245 0015.5db3.a9f7 12
ACL to allow traffic from this server over the Internet (WAN interface):
access-list LAN_access_in extended permit ip host 10.47.20.245 any log
NAT to translate the source IP to the WAN interface IP for Internet traffic:
nat (LAN,WAN) source dynamic 10.47.20.245 interface
As soon as that NAT gets applied, the server is allowed to go over the internet but is lost from the LAN (Cisco AnyConnect), and I can see the below error in the logs:
5 | Feb 19 2021 | 09:01:44 | 305013 | 10.47.200.1 | LOCAL | 10.47.20.245 | | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src WAN:10.47.200.1(LOCAL\Jaime.Viera@unit4.com) dst LAN:10.47.20.245 (type 8, code 0) denied due to NAT reverse path failure |
Does someone know what the issue would be? I need to have this server (and many others to come) reachable over Cisco AnyConnect but also able to have Internet traffic.
I would be able to provide further config details and logs/debug if needed.
Thanks in advance for your help
Jaime,
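The message 305013 ("Asymmetric NAT rules matched for forward and reverse flows") means the two directions of the same connection matched different NAT rules: the client-to-server flow arriving from the VPN pool matches no translation, while the server-to-client reply toward WAN matches the dynamic PAT to the interface address, so the ASA drops it on the reverse-path check. The usual remedy is an identity (exemption) NAT for LAN-to-VPN-pool traffic placed ahead of the dynamic rule. The following configuration is an added example, not the poster's configuration or Cisco-provided text. It assumes AnyConnect terminates on the WAN interface (as the log's "src WAN:10.47.200.1" suggests), an AnyConnect pool of 10.47.200.0/24 as a placeholder for the real pool, and the object names LAN_SERVER and VPN_POOL, which are invented here.

```cisco
! Added example, not from the original post. Placeholder assumptions:
! VPN_POOL 10.47.200.0/24 stands in for the real AnyConnect address pool,
! and the object names LAN_SERVER / VPN_POOL are invented for this example.
object network LAN_SERVER
 host 10.47.20.245
object network VPN_POOL
 subnet 10.47.200.0 255.255.255.0

! Identity NAT for LAN <-> VPN pool traffic, inserted as line 1 of section 1
! so it is evaluated before the dynamic PAT rule. route-lookup makes the ASA
! use the routing table for the egress interface of the untranslated packet.
nat (LAN,WAN) 1 source static LAN_SERVER LAN_SERVER destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! Dynamic PAT for Internet access stays after the identity rule. Everything
! not destined to the VPN pool still gets translated to the WAN interface IP.
nat (LAN,WAN) source dynamic LAN_SERVER interface

! Checks: confirm rule order, then trace the server-to-client reply from LAN;
! the trace should hit the identity rule, not the dynamic PAT, and end ALLOW.
! show nat detail
! packet-tracer input LAN icmp 10.47.20.245 8 0 10.47.200.1
```

Rule order is the point: manual NAT rules in section 1 are matched top-down on the first hit, so if the identity rule is appended after the dynamic PAT it never matches the reply traffic and the same 305013 drop continues. If the server is reachable over the VPN again but the Internet path breaks, recheck that the VPN_POOL object covers only the AnyConnect pool and not a wider range that overlaps the Internet-bound destinations.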