02-22-2021 04:51 AM
Hello,
I have a problem communicating between my two sites on the phone network.
First Site :
Inside Interface : 192.168.5.254
Phone interface : 10.10.1.1
Second Site :
Inside Interface : 192.168.1.254
Phone Interface : 10.10.2.1
I have a site-to-site VPN between them, and I can access and ping between 192.168.5.X and 192.168.1.X, and the reverse works as well.
But I can't ping between 10.10.1.X and 10.10.2.X; I get the following message:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.1.101 dst tel:10.10.1.200 (type 8, code 0) denied due to NAT reverse path failure
Thanks for your help.
02-22-2021 05:49 AM
The error message is telling you what the problem is, i.e. the NAT rule being used for traffic one way is not the same as the NAT rule being used for the return traffic.
The problem will be with your NAT rule order.
Jon
02-22-2021 05:54 AM
Hello @Valentin GOULET ,
In the access lists that you use to define the interesting traffic to be encrypted, you also need to specify the VoIP subnets.
access-list 111 remark interesting traffic myside to remote side
access-list 111 permit ip 192.168.5.128 0.0.0.127 192.168.1.128 0.0.0.127
access-list 111 permit ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
Also, in the access lists you use for NAT, you need to deny both types of flows:
access-list 120 remark for NAT
access-list 120 deny ip 192.168.5.128 0.0.0.127 192.168.1.128 0.0.0.127
access-list 120 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 120 permit ip 192.168.5.128 0.0.0.127 any
On the remote site you need an ACL that is the mirror (exchange source and destination addresses) for defining interesting traffic, and you also need to fix the ACL used for NAT in a similar way.
Hope to help
Giuseppe
02-24-2021 07:03 AM
Thanks for your reply.
I applied these commands on my first and second sites:
First site :
access-list 111 remark interesting traffic myside to remote side
access-list 111 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 111 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
Also in the access-lists you use for NAT you need to deny both types of flows
access-list 120 remark for NAT
access-list 120 deny ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 120 deny ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 120 permit ip 192.168.5.0 255.255.255.0 any
Second site :
access-list 111 remark interesting traffic myside to remote side
access-list 111 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 111 permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
Also in the access-lists you use for NAT you need to deny both types of flows
access-list 120 remark for NAT
access-list 120 deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 120 deny ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 any
The problem is still the same...
02-24-2021 07:52 AM
Hello @Valentin GOULET ,
You need
ip nat inside
on the internal L3 interfaces for data and VoIP; otherwise NAT is not triggered.
In case of further problems, post the whole configuration; just hide public IP addresses and passwords.
Also verify all the NAT statements with
show run | inc nat
You may have a static NAT on one side that is breaking connectivity.
Hope to help
Giuseppe
02-25-2021 06:06 AM
Hello @Giuseppe Larosa
You can see the configuration of the two sites in the attached files.
SIEGE : First Site
Autre : Second Site
Thanks
02-25-2021 12:40 PM - edited 02-25-2021 12:41 PM
Hi there,
You might find it beneficial to use the packet-tracer command to simulate the traffic flow and see if that reveals anything untoward.
Upon scanning the config files, you may need a twice NAT for your telephonie network to your outside, e.g.
First Site:
nat (telephonie,outside) source static 10.10.1.0 10.10.1.0 destination static 10.10.2.0 10.10.2.0 no-proxy-arp route-lookup
Second Site:
nat (telephonie,outside) source static 10.10.2.0 10.10.2.0 destination static 10.10.1.0 10.10.1.0 no-proxy-arp route-lookup
Obviously change the source and destination IPs to meet your needs.
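Putting the two suggestions in this thread together (the crypto ACL plus NAT exemption for the VoIP subnets from Giuseppe's reply, and the twice NAT rule from the reply just above), here is an added configuration example for an ASA running 8.3 or later. It is not from the original thread or its attached configs. It assumes the interface nameifs `inside`, `telephonie` and `outside` used in the reply above (the denied-packet log line in the question shows the phone interface as `tel`; use whatever `show nameif` reports), the four subnets from the question, and invented object, group and ACL names. Two caveats a practitioner should have in mind: wildcard-mask ACLs and `ip nat inside` are IOS router syntax, while ASA ACLs take subnet masks or objects; and an `access-list ... deny` list for NAT exemption is the pre-8.3 `nat (inside) 0 access-list` form, whereas on 8.3+ the exemption is a manual (twice) NAT rule that has to be evaluated before the dynamic PAT, which is exactly what the "Asymmetric NAT rules matched ... NAT reverse path failure" message is complaining about.

```cisco
! Added example (not from the thread): ASA 8.3+ config for the first site (SIEGE).
! Assumed nameifs: inside (192.168.5.0/24), telephonie (10.10.1.0/24), outside.
! Object, group and ACL names are invented; substitute your own.

object network SITE1_DATA
 subnet 192.168.5.0 255.255.255.0
object network SITE1_VOIP
 subnet 10.10.1.0 255.255.255.0
object network SITE2_DATA
 subnet 192.168.1.0 255.255.255.0
object network SITE2_VOIP
 subnet 10.10.2.0 255.255.255.0
!
! Every remote subnet that must be reachable through the tunnel, in one group.
object-group network SITE2_REMOTE
 network-object object SITE2_DATA
 network-object object SITE2_VOIP
!
! Crypto ACL (interesting traffic): both local subnets to both remote subnets,
! so a data PC at one site can also reach the phones at the other, which is
! the flow (192.168.1.101 -> 10.10.1.200) the denied-packet log in the question
! actually shows. ASA ACLs take subnet masks or objects, not IOS wildcard masks.
access-list VPN_S2S extended permit ip object SITE1_DATA object-group SITE2_REMOTE
access-list VPN_S2S extended permit ip object SITE1_VOIP object-group SITE2_REMOTE
! ... referenced from the existing crypto map, e.g. (map name assumed):
! crypto map OUTSIDE_MAP 10 match address VPN_S2S
!
! NAT exemption = identity twice NAT, one rule per source interface.
! Manual NAT without "after-auto" lands in section 1 and is evaluated before
! the dynamic PAT, so the forward and reverse lookups hit the same rule and the
! "NAT reverse path failure" goes away. no-proxy-arp stops the ASA answering
! ARP for the remote subnets; route-lookup makes the egress interface come
! from the routing table instead of from the NAT rule.
nat (inside,outside) source static SITE1_DATA SITE1_DATA destination static SITE2_REMOTE SITE2_REMOTE no-proxy-arp route-lookup
nat (telephonie,outside) source static SITE1_VOIP SITE1_VOIP destination static SITE2_REMOTE SITE2_REMOTE no-proxy-arp route-lookup
!
! Internet PAT for both internal interfaces, deliberately in section 3
! (after-auto) so that no later edit can slip it in front of the exemptions.
nat (inside,outside) after-auto source dynamic SITE1_DATA interface
nat (telephonie,outside) after-auto source dynamic SITE1_VOIP interface
!
! The second site (Autre) is the mirror image: swap SITE1_* and SITE2_*, group
! the site-1 subnets as SITE1_REMOTE; the interface pairs stay (inside,outside)
! and (telephonie,outside).
!
! Verification, run on each ASA after applying the rules:
! clear xlate            - drop translations built under the old rule set
! show nat               - exemptions must be listed in section 1 and the PAT
!                          in section 3; the translate_hits / untranslate_hits
!                          counters on the exemption lines must grow while
!                          you ping across the tunnel
! packet-tracer input telephonie icmp 10.10.1.200 8 0 10.10.2.200 detailed
! packet-tracer input inside icmp 192.168.5.10 8 0 10.10.2.200 detailed
!                        - (host addresses assumed) the NAT phase must show
!                          the identity rule, and the VPN phase must show the
!                          packet being encrypted rather than dropped
```

If the dynamic PAT on the box is itself written as a manual NAT rule without `after-auto`, it competes with the exemptions by line order; in that case give the exemptions an explicit position with `nat (inside,outside) 1 source static ...` so they are inserted at the top of section 1, and confirm the order with `show nat` before trusting a ping test.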
03-08-2021 01:09 AM
Hello,
Thanks for your replies.
I reset and reconfigured my two ASAs and the problem seems to be solved.
Best Regards,
Valentin