
IPSEC SITE TO SITE an attempt to connect to a mapped host using its actual address was rejected

Valentin GOULET
Level 1

Hello,

I have a problem communicating between my two sites for the phone network.

First site:

Inside interface: 192.168.5.254

Phone interface: 10.10.1.1

Second site:

Inside interface: 192.168.1.254

Phone interface: 10.10.2.1

I have a site-to-site VPN between them, and I can access and ping between 192.168.5.X and 192.168.1.X, and the reverse works also.

But I can't ping between 10.10.1.X and 10.10.2.X; I get the following message:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.101 dst tel:10.10.1.200 (type 8, code 0) denied due to NAT reverse path failure

Thanks for your help.


1 Accepted Solution

Accepted Solutions

Hello,

Thanks for your replies.

I reset and reconfigured my two ASAs and the problem seems solved.

Best regards,

Valentin


7 Replies

Jon Marshall
Hall of Fame

 

The error message is telling you what the problem is, i.e. the NAT rule being used for traffic one way is not the same as the NAT rule being used for the return traffic.

The problem will be with your NAT rule order.

 

Jon

Giuseppe Larosa
Hall of Fame

Hello @Valentin GOULET ,

In the access lists that you use to define the interesting traffic to be encrypted, you also need to specify the VoIP subnets.

access-list 111 remark interesting traffic myside to remote side

access-list 111 permit ip 192.168.5.128 0.0.0.127   192.168.1.128 0.0.0.127

access-list 111 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

Also, in the access lists you use for NAT, you need to deny both types of flows:

access-list 120 remark for NAT

access-list 120 deny ip 192.168.5.128 0.0.0.127   192.168.1.128 0.0.0.127

access-list 120 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255

access-list 120 permit ip 192.168.5.128 0.0.0.127 any

On the remote site you need an ACL that is the mirror (exchange source and destination addresses) for defining the interesting traffic, and you also need to fix the ACL used for NAT in a similar way.

 

Hope to help

Giuseppe

 

Thanks for your reply.

I applied these commands on my first and second sites:

First site:

access-list 111 remark interesting traffic myside to remote side

access-list 111 permit ip 192.168.5.0 255.255.255.0   192.168.1.0 255.255.255.0

access-list 111 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

Also, in the access lists you use for NAT, you need to deny both types of flows:

access-list 120 remark for NAT

access-list 120 deny ip 192.168.5.0 255.255.255.0  192.168.1.0 255.255.255.0

access-list 120 deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0

access-list 120 permit ip 192.168.5.0 255.255.255.0 any

Second site:

access-list 111 remark interesting traffic myside to remote side

access-list 111 permit ip 192.168.1.0 255.255.255.0   192.168.5.0 255.255.255.0

access-list 111 permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0

Also, in the access lists you use for NAT, you need to deny both types of flows:

access-list 120 remark for NAT

access-list 120 deny ip 192.168.1.0 255.255.255.0  192.168.5.0 255.255.255.0

access-list 120 deny ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0

access-list 120 permit ip 192.168.1.0 255.255.255.0 any

The problem is still the same...

 

 

Hello @Valentin GOULET ,

You need

ip nat inside

on the internal L3 interfaces for data and VoIP, otherwise NAT is not triggered.

In case of further problems, post the whole configuration; just hide the public IP addresses and passwords.

Also verify all the NAT statements with

show run | inc nat

You may have a static NAT on one side that is breaking connectivity.

 

Hope to help

Giuseppe

 

Hello @Giuseppe Larosa 

 

You can see the configurations of the two sites in the attached files.

 

SIEGE : First Site

Autre : Second Site

 

Thanks

Scott Leport
Level 7

Hi there,

You might find it beneficial to use the packet-tracer command to simulate the traffic flow and see if that reveals anything untoward.

Upon scanning the config files, you may need a twice NAT for your telephonie network to your outside, e.g.

 

First Site:

nat (telephonie,outside) source static 10.10.1.0 10.10.1.0 destination static 10.10.2.0 10.10.2.0 no-proxy-arp route-lookup

 

Second Site:

nat (telephonie,outside) source static 10.10.2.0 10.10.2.0 destination static 10.10.1.0 10.10.1.0 no-proxy-arp route-lookup

 

Obviously change the source and destination IPs to meet your needs.
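Jon's point about NAT rule order and Scott's twice-NAT suggestion, worked into one complete ASA 8.3+ configuration as an added example; this is not configuration from the original post or its attachments. It assumes the interface names inside, telephonie and outside (Scott's reply uses telephonie, while the syslog shows tel, so substitute the real nameif), the object names shown, and that internet access is ordinary dynamic PAT to the outside interface. Two caveats a practitioner would want: the ACL-based exemption the OP tried (an access-list of deny lines, used by nat 0 access-list) is pre-8.3 syntax and does nothing on 8.3 and later, where NAT is object-based; and the syslog in the question shows a data-subnet host (192.168.1.101) reaching a phone (10.10.1.200), so the exemption has to cover every local/remote subnet pair, not only data-to-data and phone-to-phone.

```cisco
! Added example for ASA 8.3+ (object-based NAT). Not the original poster's
! configuration; interface names and object names are assumptions.
!
! ===== First site (SIEGE): inside = 192.168.5.0/24, telephonie = 10.10.1.0/24 =====
object network SIEGE-DATA
 subnet 192.168.5.0 255.255.255.0
object network SIEGE-PHONE
 subnet 10.10.1.0 255.255.255.0
object network AUTRE-DATA
 subnet 192.168.1.0 255.255.255.0
object network AUTRE-PHONE
 subnet 10.10.2.0 255.255.255.0
object-group network SIEGE-LAN
 network-object object SIEGE-DATA
 network-object object SIEGE-PHONE
object-group network AUTRE-LAN
 network-object object AUTRE-DATA
 network-object object AUTRE-PHONE
!
! Section 1 (manual NAT): identity rules so VPN traffic is never translated.
! One rule per internal interface; the destination covers BOTH remote subnets,
! because the syslog shows data->phone traffic, not just phone->phone.
! Manual NAT is evaluated in configuration order and before object NAT, so the
! forward flow and the reverse flow both hit the same rule and the
! "NAT reverse path failure" check passes.
nat (inside,outside) source static SIEGE-DATA SIEGE-DATA destination static AUTRE-LAN AUTRE-LAN no-proxy-arp route-lookup
nat (telephonie,outside) source static SIEGE-PHONE SIEGE-PHONE destination static AUTRE-LAN AUTRE-LAN no-proxy-arp route-lookup
!
! Section 2 (object NAT): dynamic PAT for internet access. Kept out of
! section 1 so it can never be the rule matched for VPN traffic.
object network SIEGE-DATA
 nat (inside,outside) dynamic interface
object network SIEGE-PHONE
 nat (telephonie,outside) dynamic interface
!
! Crypto ACL: one object-group pair covers all four local/remote combinations.
access-list VPN-TO-AUTRE extended permit ip object-group SIEGE-LAN object-group AUTRE-LAN
!
! ===== Second site (Autre): the mirror image =====
! Define the same four objects and two object-groups as above; only the
! local/remote roles swap in the NAT rules and the crypto ACL.
nat (inside,outside) source static AUTRE-DATA AUTRE-DATA destination static SIEGE-LAN SIEGE-LAN no-proxy-arp route-lookup
nat (telephonie,outside) source static AUTRE-PHONE AUTRE-PHONE destination static SIEGE-LAN SIEGE-LAN no-proxy-arp route-lookup
object network AUTRE-DATA
 nat (inside,outside) dynamic interface
object network AUTRE-PHONE
 nat (telephonie,outside) dynamic interface
access-list VPN-TO-SIEGE extended permit ip object-group AUTRE-LAN object-group SIEGE-LAN
!
! ===== Verification on the first site =====
! Rule order and hit counts; the two identity rules must be listed first.
show nat
! Replay the flow from the syslog in both directions. Both runs should be
! matched by the same identity rule in their NAT / UN-NAT phases; if the
! second one hits the dynamic PAT rule instead, the order is still wrong.
packet-tracer input outside icmp 192.168.1.101 8 0 10.10.1.200
packet-tracer input telephonie icmp 10.10.1.200 8 0 192.168.1.101
```

The design choice is to keep the identity rules in manual NAT (section 1) and the internet PAT in object NAT (section 2) rather than putting both in section 1, where a PAT line pasted above the exemption would silently reproduce the asymmetric match the syslog complains about.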

 

 
