cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2107
Views
0
Helpful
6
Replies

ASA 5505 Anyconnect nat traversal error

jameslumby
Level 1
Level 1

Good afternoon gents,

     I have setup an ASA 5505 and can connect with anyconnect, but when I do, I can't access my LAN, where as my LAN can access my laptop.  In the logs, I see the following error:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 denied due to NAT reverse path failure.

I can't seem to figure this out and nothing I've read to try has worked. Here is the relevant config, any help would be GREATLY appreciated.

interface Vlan1
nameif inside
security-level 100
ip address 10.201.180.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.200.133.107 255.255.255.248
!

access-list inside_nat0_outbound extended permit ip 10.139.50.0 255.255.255.0 10.201.180.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0

ip local pool SSLClientPool 10.139.50.1-10.139.50.50 mask 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL

1 Accepted Solution

Accepted Solutions

manish arora
Level 6
Level 6

Try the nat 0 statement without the outside key word.

nat (inside) 0 access-list inside_nat0_outbound

also,

do sh run sysopt and paste output.

Manish

View solution in original post

6 Replies 6

manish arora
Level 6
Level 6

Try the nat 0 statement without the outside key word.

nat (inside) 0 access-list inside_nat0_outbound

also,

do sh run sysopt and paste output.

Manish

Ok, I can access file shares now and remote to LAN members, it's not passing DNS or ICMP though.  When I do the sh run sysopt  I get nothing back.

Umm , it normally on by default but you can still issue the following command in global config mode :-

sysopt connection permit-vpn

This will make the vpn traffic by-pass the ACL's on the firewall. also check that your clients aren't running any personal firewall that is blocking ICMP.

Thanks

Manish

Thanks for the help!         

Everything is working except for dns now.  Any ideas on that?  It is giving the internal DNS server as the dns server, it just doesn't seem to be resolving.         

In the group-policy general attributes :-

default-domain value YOURDOMAIN.COM

thanks

Manish