cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

629
Views
0
Helpful
4
Replies
Highlighted
Beginner

VPN NAT/Access Rules not working

Hi I'm trying to write some NAT rules for my VPN Connections (y.y.y.y) through my Outside interface (x.x.x.x)

to be able to get full access to my internal network (z.z.z.z)

 

I thought i had the proper NAT going but maybe it's my access rule that doesnt work? I've setup a secured-route to my internal network (z.z.z.z) using the split tunneling for my AnyConnect client (over SSL).

 

My logs are showing 

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: y.y.y.y dst inside: z.z.z.z denied due to NAT reverse path failure

 

I've read about Exemption Rules for NATing but what i tried didnt work.

Unfortunately i'm only familiar with the ASDM interface...

 

My NAT rule (relating to the VPN) looks like this:

#Source IntfDest IntfSourceDestinationServiceSourceDestinationServiceOptions
1outsideinsidey.y.y.y/24z.z.z.z/24any-- Original ---- Original ---- Original --No Proxy ARP,Route Lookup
2insideanyz.z.z.z/24y.y.y.y/24any-- Original ---- Original ---- Original --No Proxy ARP,Route Lookup
14insideoutside0.0.0.0/0anyany0.0.0.0/0-- Original ---- Original -- 

 

My Access Rules (relating to the VPN) look like this

#EnabledSourceUserDestinationSecurity GroupServiceAction
inside (2 incoming rules)
1Trueany4 any4 ipPermit
inside (4 outgoing rules)
3Trueany4 any4 ipPermit
outside (5 incoming rules)
5Truey.y.y.y/24 z.z.z.z/24 ipPermit

 

Any pointer is appreciated. I had this configuration documented somewhere as it used to work...

But i think it might have had some Exemption Rules which i cant replicate.

Everyone's tags (4)
4 REPLIES 4
Highlighted
Beginner

Re: VPN NAT/Access Rules not working

Have you tried the following command:-

 

sysopt connection permit-vpn

 

This will allow you SSL clients to bypass the interface access-lists. Below seems to be a good article I found for setting up an anyconnect client:-

 

https://www.techrepublic.com/blog/data-center/eight-easy-steps-to-cisco-asa-remote-access-setup/

 

 

Highlighted
Beginner

Re: VPN NAT/Access Rules not working

Thanks, I tried that no success. I already had that checked in the ASDM (under the AnyConnect Connections Profile there is a check for that)
"Bypass interface access lists for inbound VPN sessions"


Highlighted
Beginner

Re: VPN NAT/Access Rules not working

The error message you provided means the NAT rule is Asymmetric hence your traffic is denied. You should look to rectify your NAT rules and its sequencing to resolve the issue in the first place.
My logs are showing

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: y.y.y.y dst inside: z.z.z.z denied due to NAT reverse path failure


You should read here: https://www.theroutingtable.com/asymmetric-nat-rules-matched-for-forward-and-reverse-flows/


It would be great if you could provide "sh nat" output. You can also check with packet-tracer utility in ASDM. You have option to run single command in ASMD.

HTH
### RATE ALL HELPFUL RESPONSES ###
Highlighted
Beginner

Re: VPN NAT/Access Rules not working

I have figured it out (well at least a work around)
Originally I had setup the AnyConnect using the wizard but I had not used the "Bypass NAT" option. I though I would be able to do this manually afterwards.
So I decided to configure a new connection with the Bypass NAT option it solved the issue. I just have no idea how to make this work without bypassing the
NAT. (or how to bypass this manually). Not that it matters. It works.

Thanks for the help