ASA 5505 to 5510 NAT error

Charlie Taylor
Level 4

Connection denied due to NAT reverse path failure

I am putting in a second ASA location and cannot get communication across the VPN that is established. The error I get is (Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.72.14 dst inside:192.168.73.103 (type 0, code 0) denied due to NAT reverse path failure) when I try to ping from a host inside the 73 network to a host inside the 72 network.

I have mirrored the working VPN NAT statements. I do see an ACL to an object group but don't see where it matters. Am I missing something obvious?

HOST:
ASA Version 8.3(1)
!
hostname 5510
!
interface Ethernet0/0
description Outside interface
nameif OUTSIDE
security-level 0
ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
description Inside interface to internal network
nameif INSIDE
security-level 100
ip address 192.168.72.2 255.255.255.0
!
boot system disk0:/asa831-k8.bin
same-security-traffic permit intra-interface
object network obj-192.168.72.0
subnet 192.168.72.0 255.255.255.0
object network obj-192.168.74.0
subnet 192.168.74.0 255.255.255.0
object network obj-192.168.72.100
host 192.168.72.100
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network obj_any-02
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.73.0
subnet 192.168.73.0 255.255.255.0
description Rye
object-group service Citrix1494 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
port-object range 445 447
object-group network ValleywoodInternalNetwork
network-object 192.168.72.0 255.255.255.0
access-list OUTSIDE_1_cryptomap extended permit ip object obj-192.168.72.0 object obj-192.168.74.0
access-list INSIDE_nat0_inbound extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.74.0 255.255.255.0 object-group ValleywoodInternalNetwork
access-list Outside-ACL extended permit tcp any host 192.168.72.100 object-group Citrix1494
access-list OUTSIDE_2_cryptomap extended permit ip object obj-192.168.72.0 object obj-192.168.73.0

nat (INSIDE,INSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.74.0 obj-192.168.74.0
nat (INSIDE,OUTSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.74.0 obj-192.168.74.0
nat (INSIDE,OUTSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.73.0 obj-192.168.73.0
nat (INSIDE,INSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.73.0 obj-192.168.73.0
!
object network obj-192.168.72.100
nat (INSIDE,OUTSIDE) static 72.54.197.26
object network obj_any
nat (INSIDE,OUTSIDE) dynamic interface
object network obj_any-01
nat (INSIDE,OUTSIDE) dynamic obj-0.0.0.0
object network obj_any-02
nat (management,OUTSIDE) dynamic obj-0.0.0.0
access-group Outside-ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs group1
crypto map OUTSIDE_map 1 set peer 72.54.178.126
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 2 set pfs group1
crypto map OUTSIDE_map 2 set peer 69.15.200.138
crypto map OUTSIDE_map 2 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp identity hostname
crypto isakmp enable OUTSIDE
crypto isakmp enable INSIDE
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 72.54.178.126 type ipsec-l2l
tunnel-group 72.54.178.126 ipsec-attributes
pre-shared-key *****
tunnel-group 69.15.200.138 type ipsec-l2l
tunnel-group 69.15.200.138 ipsec-attributes
pre-shared-key *****
!



REMOTE:
: Saved
:
ASA Version 8.3(1)
!
hostname 5505

interface Vlan1
nameif inside
security-level 100
ip address 192.168.73.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.15.200.138 255.255.255.252
!

boot system disk0:/asa831-k8.bin

object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
subnet 192.168.72.0 255.255.255.0
description Sixpines 
object network NETWORK_OBJ_192.168.73.0_24
subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
subnet 192.168.73.0 255.255.255.0
object network Sixpines
subnet 192.168.72.0 255.255.255.0
object-group network SixpinesInternalNetwork
network-object Sixpines 255.255.255.0
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines

nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
pre-shared-key *****
!
!

Any suggestions would be greatly appreciated.
Yudong Wu
Level 7

You might need to remove the following from the remote ASA. I am not sure what this one is for:

nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0


That was it!

I had that so that the dmz subnet could use the dns server on the 72 subnet.

THANKS! Great Job!

C.T.
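To make the "Asymmetric NAT rules matched for forward and reverse flows" message concrete, here is a small model, written for this thread rather than taken from the posts or from Cisco, of how the three section-1 (twice NAT) lines on the remote 5505 are matched in config order for the echo reply in the log (src outside:192.168.72.14, dst inside:192.168.73.103). It assumes a simplified version of the ASA lookup: a twice-NAT line matches a packet entering its real interface (real source to real destination) or its mapped interface (the other way round), "any" matches every interface, and the ingress interface for the reverse check is found by route lookup on the real destination, which is how the log ends up saying dst inside:. The dmz interface is not in the posted 5505 config, so it is only referenced by name here; the object and nat lines are copied from the question.

```python
"""Simplified model of ASA 8.3 section-1 (twice NAT) rule matching.
Constructed for illustration; it is not the ASA's real NAT algorithm."""
import ipaddress
import re
from dataclasses import dataclass

# Object and twice-NAT lines of the remote 5505, as posted in the question.
REMOTE_CONFIG = """
object network 192.168.72.0
 subnet 192.168.72.0 255.255.255.0
object network NETWORK_OBJ_192.168.73.0_24
 subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
object network Sixpines
 subnet 192.168.72.0 255.255.255.0
nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
"""

# Connected route from the posted Vlan1 config. Assumption of this model: the
# reverse check enters on the interface the real destination is routed to.
CONNECTED = {ipaddress.ip_network("192.168.73.0/24"): "inside"}


@dataclass
class TwiceNat:
    index: int                      # position in section 1 (config order)
    real_if: str
    mapped_if: str
    real_src: ipaddress.IPv4Network
    real_dst: ipaddress.IPv4Network  # identity NAT here: mapped == real


def parse(config):
    """Collect network objects, then build TwiceNat entries from 'nat (a,b) ...' lines."""
    objects, rules, current = {}, [], None
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[0] == "subnet" and current:
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[0] == "host" and current:
            objects[current] = ipaddress.ip_network(tok[1])
        elif tok[0] == "nat":
            real_if, mapped_if = re.fullmatch(r"\(([^,]+),([^)]+)\)", tok[1]).groups()
            # nat (a,b) source static REAL MAPPED destination static MAPPED REAL
            rules.append(TwiceNat(len(rules) + 1, real_if, mapped_if,
                                  objects[tok[4]], objects[tok[9]]))
    return rules


def lookup(rules, ingress, src, dst):
    """First rule in config order that the flow matches in either direction, or None."""
    for r in rules:
        # Rule's own direction: packet enters the real interface.
        if r.real_if in (ingress, "any") and src in r.real_src and dst in r.real_dst:
            return r
        # Rule's reverse direction: packet enters the mapped interface.
        if r.mapped_if in (ingress, "any") and src in r.real_dst and dst in r.real_src:
            return r
    return None


def reverse_ingress(dst):
    """Interface the real destination lives on (longest match over connected routes)."""
    for net, iface in sorted(CONNECTED.items(), key=lambda kv: -kv[0].prefixlen):
        if dst in net:
            return iface
    return "outside"  # default route in the posted config


def check_flow(rules, ingress, src, dst):
    """Compare the rule hit by the forward flow with the rule hit by its reverse flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    fwd = lookup(rules, ingress, src, dst)
    rev = lookup(rules, reverse_ingress(dst), dst, src)
    return {"forward": fwd.index if fwd else None,
            "reverse": rev.index if rev else None,
            "symmetric": fwd is rev}


def demo():
    """The echo reply from the log, with the posted rules and with the dmz line removed."""
    rules = parse(REMOTE_CONFIG)
    as_posted = check_flow(rules, "outside", "192.168.72.14", "192.168.73.103")
    without_dmz = [r for r in rules if r.real_if != "dmz"]
    fixed = check_flow(without_dmz, "outside", "192.168.72.14", "192.168.73.103")
    return as_posted, fixed


if __name__ == "__main__":
    before, after = demo()
    print("as posted:       ", before)   # forward hits rule 1, reverse hits rule 2
    print("dmz line removed:", after)    # both hit rule 2
```

Run as is, the model reproduces the symptom: the reply entering outside is caught by the (dmz,outside) line first (its mapped side matches 72.0 to 73.0), while the reverse flow from inside can only match the (inside,any) line, so the two flows hit different rules. Drop the dmz line and both directions land on the same (inside,any) rule. A side effect the model also shows is that the later (inside,outside) line is never reached, because "any" on the line above it already covers outside.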