11-05-2019 07:16 AM - edited 02-21-2020 09:40 AM
Hi, I'm trying to write some NAT rules for my VPN connections (y.y.y.y) through my outside interface (x.x.x.x) to be able to get full access to my internal network (z.z.z.z).
I thought I had the proper NAT going, but maybe it's my access rule that doesn't work? I've set up a secured route to my internal network (z.z.z.z) using split tunneling for my AnyConnect client (over SSL).
My logs are showing:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: y.y.y.y dst inside: z.z.z.z denied due to NAT reverse path failure
I've read about exemption rules for NATing, but what I tried didn't work.
Unfortunately I'm only familiar with the ASDM interface...
My NAT rule (relating to the VPN) looks like this:
# | Source Intf | Dest Intf | Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service | Options
1 | outside | inside | y.y.y.y/24 | z.z.z.z/24 | any | -- Original -- | -- Original -- | -- Original -- | No Proxy ARP, Route Lookup
2 | inside | any | z.z.z.z/24 | y.y.y.y/24 | any | -- Original -- | -- Original -- | -- Original -- | No Proxy ARP, Route Lookup
14 | inside | outside | 0.0.0.0/0 | any | any | 0.0.0.0/0 | -- Original -- | -- Original -- |
My access rules (relating to the VPN) look like this:
# | Enabled | Source | User | Destination | Security Group | Service | Action
inside (2 incoming rules)
1 | True | any4 | | any4 | | ip | Permit
inside (4 outgoing rules)
3 | True | any4 | | any4 | | ip | Permit
outside (5 incoming rules)
5 | True | y.y.y.y/24 | | z.z.z.z/24 | | ip | Permit
Any pointer is appreciated. I had this configuration documented somewhere, as it used to work...
But I think it might have had some exemption rules which I can't replicate.
11-05-2019 07:52 AM
Have you tried the following command:-
sysopt connection permit-vpn
This will allow your SSL clients to bypass the interface access-lists. Below seems to be a good article I found for setting up an AnyConnect client:-
https://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-asa-remote-access-setup/
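For readers who want the CLI equivalent of the ASDM pieces discussed in this thread (the NAT exemption the original poster mentions and the sysopt command in the reply), here is an added configuration example. It is not from either poster; the object names INSIDE_LAN and ANYCONNECT_POOL are assumptions, and it assumes y.y.y.y/24 is the AnyConnect address pool and z.z.z.z/24 the inside LAN, using the thread's own placeholders.

```cisco
! Added example, not from the original thread. Object names are assumptions.
! Assumes y.y.y.0/24 is the AnyConnect address pool and z.z.z.0/24 the inside LAN.
object network INSIDE_LAN
 subnet z.z.z.0 255.255.255.0
object network ANYCONNECT_POOL
 subnet y.y.y.0 255.255.255.0
!
! A single twice-NAT identity rule is bidirectional, so one rule covers
! inside->VPN and VPN->inside; separate per-direction rules are not needed.
! Line 1 keeps it ahead of the dynamic PAT rule (rule 14 in the ASDM table).
nat (inside,outside) 1 source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup
!
! From the reply: decrypted VPN traffic bypasses the interface access-lists.
sysopt connection permit-vpn
!
! Verification (the .10 hosts are constructed sample addresses):
! packet-tracer input outside udp y.y.y.10 40000 z.z.z.10 53 detailed
! show nat detail
```

With sysopt connection permit-vpn enabled, the interface ACL (the outside rule 5 above) no longer applies to VPN traffic, so any restriction on what VPN users may reach has to be expressed as a vpn-filter ACL in the group-policy instead. packet-tracer shows which NAT rule the forward flow hits, which is the quickest way to confirm the reverse-path failure in the log is gone.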