11-01-2010 02:09 PM - edited 02-21-2020 04:56 PM
Good afternoon gents,
I have set up an ASA 5505 and can connect with AnyConnect, but when I do, I can't access my LAN, whereas my LAN can access my laptop. In the logs, I see the following error:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.139.50.1/64506 dst inside:10.201.180.5/53 denied due to NAT reverse path failure.
I can't seem to figure this out, and nothing I've read to try has worked. Here is the relevant config; any help would be GREATLY appreciated.
interface Vlan1
nameif inside
security-level 100
ip address 10.201.180.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.200.133.107 255.255.255.248
!
access-list inside_nat0_outbound extended permit ip 10.139.50.0 255.255.255.0 10.201.180.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0
ip local pool SSLClientPool 10.139.50.1-10.139.50.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
11-01-2010 02:20 PM
Try the nat 0 statement without the outside key word.
nat (inside) 0 access-list inside_nat0_outbound
also,
do sh run sysopt and paste output.
Manish
11-01-2010 02:40 PM
OK, I can access file shares now and remote to LAN members; it's not passing DNS or ICMP though. When I do the sh run sysopt, I get nothing back.
11-01-2010 02:47 PM
Umm, it's normally on by default, but you can still issue the following command in global config mode:
sysopt connection permit-vpn
This will make the VPN traffic bypass the ACLs on the firewall. Also check that your clients aren't running any personal firewall that is blocking ICMP.
Thanks
Manish
11-01-2010 02:55 PM
Thanks for the help!
11-01-2010 03:12 PM
Everything is working except for dns now. Any ideas on that? It is giving the internal DNS server as the dns server, it just doesn't seem to be resolving.
11-01-2010 03:18 PM
In the group-policy general attributes:
default-domain value YOURDOMAIN.COM
thanks
Manish
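A consolidated version of the three fixes given in the replies above (the nat 0 statement without the outside keyword, sysopt connection permit-vpn, and the group-policy DNS settings), as an added example that is not part of the original thread. It uses the pre-8.3 NAT syntax of the poster's configuration. The group-policy name SSLClientPolicy and the domain example.com are assumed; the DNS server address 10.201.180.5 is the destination shown in the log entry in the question.

```cisco
! Added example, not from the original thread. Pre-8.3 (8.2-era) ASA syntax
! to match the poster's config. Assumed names: group-policy SSLClientPolicy,
! domain example.com.
!
! 1) NAT exemption for LAN <-> AnyConnect pool traffic.
!    Only the inside-to-pool line is needed: nat (inside) 0 evaluates the ACL
!    against traffic whose real address is on the inside interface.
!    No "outside" keyword: that keyword declares outside NAT (a real interface
!    at a lower security level than the mapped one), which does not describe
!    this flow and is what produced the asymmetric NAT / reverse path failure.
access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 2) Let decrypted VPN traffic bypass the interface ACLs. This is the default,
!    which is why "show run sysopt" printed nothing; "show run all sysopt"
!    lists it either way.
sysopt connection permit-vpn
!
! 3) Push the internal DNS server (10.201.180.5, from the log) and a default
!    domain so that short hostnames are resolved through the tunnel.
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 10.201.180.5
 default-domain value example.com
!
! Verification (exec mode): replay the exact flow from the log entry and
! confirm the NAT phase now selects the nat 0 exemption instead of dropping
! on reverse-path lookup. The ACL phase of packet-tracer may not reflect the
! VPN bypass, so judge the NAT phases, not only the final verdict.
! packet-tracer input outside udp 10.139.50.1 64506 10.201.180.5 53
! show running-config nat
```

The reverse ACL entry from the original config (pool to LAN) is omitted on purpose: it never matches on nat (inside) 0 and only adds noise when reading the exemption later.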