06-06-2011 01:00 PM
Hello.
I have ASA2 with two VPNs established,
like 1st net - ASA1 <-> ASA2 <-> ASA3 - second net
ASA1 - 1st net <-- old-snoopy is here
ASA3 - 2nd net <-- laprise-dns is here
ASA1, 2, 3 are connected to each other by VPN l2l tunnels.
I put the following NAT exemption rules in the ASA2 config:
object network laprise-dns
host 172.28.4.33
object network old-snoopy
host 150.150.83.58
nat (any,any) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns
When I try to access server 'laprise-dns' in the second net from server 'old-snoopy' in the 1st net, the connection fails and I can see the following in the ASA2 logs:
-------
Jun 06 2011 15:37:57: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:snoopy dst outside:172.28.4.33 (type 8, code 0) denied due to NAT reverse path failure
-------
Could you point out what I did wrong? Config attached.
Thank you.
06-06-2011 07:27 PM
Best would be to configure an interface-specific NAT statement instead of (any,any), as the IP address overlaps with other NAT statements.
Currently you have:
nat (any,any) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns
Please change it to the interface-specific form:
nat (
06-07-2011 07:24 AM
Hello Jennifer.
Thank you very much for the advice, but
this is the ASA2 statement. From the ASA's point of view, both old-snoopy and laprise-dns are accessible via outside (because they are behind l2l VPN).
In this case, what is better to use? any,outside?
Please suggest.
06-07-2011 11:04 PM
Ahh, in that case, just configure the following:
nat (outside,outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns
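The complete set of ASA2 statements for this hairpin case, together with the commands used to verify it, as an added example that is not part of the thread. It assumes ASA 8.3+ NAT syntax and an interface named outside; the object names and addresses are the ones from the original post.

```cisco
! Traffic from old-snoopy (behind the ASA1 tunnel) to laprise-dns (behind the
! ASA3 tunnel) enters and leaves ASA2 on the same interface. Such hairpinned
! traffic is dropped unless intra-interface traffic is explicitly permitted:
same-security-traffic permit intra-interface

object network old-snoopy
 host 150.150.83.58
object network laprise-dns
 host 172.28.4.33

! Identity (exemption) twice NAT, scoped to the interface pair the flow really
! uses. Manual NAT rules are evaluated in order, so this rule must sit above
! any broader rule that could also match either direction of the flow.
nat (outside,outside) 1 source static old-snoopy old-snoopy destination static laprise-dns laprise-dns

! Verification. %ASA-5-305013 means the forward and reverse flows matched
! different NAT rules, so trace both directions and compare the NAT phase of
! each trace (ports are the constructed DNS example from the later post):
packet-tracer input outside udp 150.150.83.58 43670 172.28.4.33 53
packet-tracer input outside udp 172.28.4.33 53 150.150.83.58 43670

! Per-rule hit counters: untranslate_hits staying at 0 while the reverse flow
! is denied is consistent with the reverse lookup matching some other rule.
show nat detail
```

Once both packet-tracer runs show the same NAT rule in their NAT phase and the flow is allowed, the 305013 message stops; if they show different rules, the rule reported in the reverse trace is the one that needs reordering or narrowing.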
06-08-2011 07:17 AM
I put the outside,outside NAT statement in, but the attempted connection fails again.
-----------
10 (outside) to (outside) source static old-snoopy old-snoopy destination static laprise-dns laprise-dns
translate_hits = 2, untranslate_hits = 0
------------
I see that my connections from old-snoopy are hitting ASA2, but ASA2 still gets this:
--------
Jun 08 2011 10:16:24: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:snoopy/43670 dst outside:172.28.4.33/53 denied due to NAT reverse path failure
Jennifer, what do you think it might be?