Hi, I'm trying to write some NAT rules for my VPN connections (y.y.y.y) through my outside interface (x.x.x.x) to be able to get full access to my internal network (z.z.z.z).
I thought I had the proper NAT going, but maybe it's my access rule that doesn't work? I've set up a secured route to my internal network (z.z.z.z) using split tunneling for my AnyConnect client (over SSL).
My logs are showing:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: y.y.y.y dst inside: z.z.z.z denied due to NAT reverse path failure
I've read about exemption rules for NATing, but what I tried didn't work.
Unfortunately I'm only familiar with the ASDM interface...
My NAT rule (relating to the VPN) looks like this:
| # | Source Intf | Dest Intf | Source (Original) | Destination (Original) | Service (Original) | Source (Translated) | Destination (Translated) | Service (Translated) | Options |
|---|---|---|---|---|---|---|---|---|---|
| 1 | outside | inside | y.y.y.y/24 | z.z.z.z/24 | any | -- Original -- | -- Original -- | -- Original -- | No Proxy ARP, Route Lookup |
| 2 | inside | any | z.z.z.z/24 | y.y.y.y/24 | any | -- Original -- | -- Original -- | -- Original -- | No Proxy ARP, Route Lookup |
| 14 | inside | outside | 0.0.0.0/0 | any | any | 0.0.0.0/0 | -- Original -- | -- Original -- | |
My access rules (relating to the VPN) look like this:
inside (2 incoming rules)
inside (4 outgoing rules)
outside (5 incoming rules)
Any pointer is appreciated. I had this configuration documented somewhere, as it used to work...
But I think it might have had some exemption rules which I can't replicate.
Have you tried the following command:
sysopt connection permit-vpn
This will allow your SSL clients to bypass the interface access-lists. Below seems to be a good article I found for setting up an AnyConnect client:
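As an added example (not part of the question or the reply above), here is what the NAT exemption the poster is looking for and the `sysopt` command from the reply look like in ASA 8.3+ CLI, which is what ASDM generates underneath. It assumes ASA 8.3 or later twice-NAT syntax; the object names VPN_POOL and INSIDE_NET are made up, and y.y.y.0/24 and z.z.z.0/24 stand for the poster's VPN pool and inside network (the /24 networks behind the y.y.y.y and z.z.z.z placeholders). The "Asymmetric NAT rules matched for forward and reverse flows" message means the client-to-inside flow and its reverse are hitting different NAT rules; a single identity rule written from the inside interface matches both directions, so it replaces the two separate rules 1 and 2 in the post:

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; object names are made up,
! y.y.y.0/24 and z.z.z.0/24 stand for the poster's VPN pool and inside network.
object network VPN_POOL
 subnet y.y.y.0 255.255.255.0
object network INSIDE_NET
 subnet z.z.z.0 255.255.255.0
!
! One identity (exemption) rule covers both directions: inside->outside z->y and
! its reverse outside->inside y->z match this same entry, so forward and reverse
! flows no longer land on different NAT rules. Line number 1 places it ahead of
! the dynamic PAT rule (rule 14 in the post), which would otherwise translate the
! reverse flow. no-proxy-arp and route-lookup match the options already in ASDM.
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! From the reply: let traffic arriving through the VPN tunnel bypass the outside
! interface access-list. With this set, restrict what VPN users may reach with a
! vpn-filter in the group policy rather than with the interface ACL.
sysopt connection permit-vpn
!
! Verification: simulate a packet from a VPN client (host .10 is a made-up address)
! to an inside host and read the NAT phase and the final ALLOW/DROP result;
! then list the NAT table with per-rule hit counts to confirm the new rule is used.
packet-tracer input outside udp y.y.y.10 40000 z.z.z.10 53
show nat
```

In ASDM the same identity rule is a single "Network Object NAT" or "Manual NAT" entry on the inside interface with the source and destination left untranslated; the packet-tracer output should show the traffic matching that one rule in both the NAT and reverse-path phases, with no "asymmetric NAT" drop.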