05-21-2012 04:45 PM
Hi Guys,
First my setup:
ASA Server 192.168.202.0 ------>easyvpn---->ASA 192.168.1.0
|
IPSec Client 192.168.21.0
I have a problem. I want to ping the 192.168.1.0 network from the software client. This doesn't work, and this is the error in my log files:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:84.181.113.188/65535 dst inside:192.168.202.1/123 denied due to NAT reverse path failure
What do I need to solve this problem?
I already have this conf:
same-security-traffic permit intra-interface
access-list nat0_acl extended permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 192.168.202.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
05-21-2012 08:39 PM
Hello,
I do not understand the diagram. Are both the Easy VPN clients and the IPsec clients on the outside world, or are the Easy VPN people behind the inside interface?
Regards,
Julio
05-21-2012 11:10 PM
Hello,
And sorry for missing this detail. Here it is:
ASA Server 192.168.202.0 ------>easyvpn network extension mode---->ASA 192.168.1.0
static IP outside INET dynamic IP outside INET
|
IPSec Client 192.168.21.0
dynamic IP outside INET
05-22-2012 09:32 AM
Hello Can,
So it's like this:
EASYVPN CLIENTS---------INSIDE----ASA----OUTSIDE----------------IPSEC CLIENTS
And you want to allow traffic from the IPsec clients to the Easy VPN clients.
In this case you will need to no-nat the traffic from the Easy VPN clients to the IPsec clients and then from the IPsec clients to the Easy VPN clients.
Sorry to keep asking these, but are the Easy VPN clients coming from the inside interface of the ASA and not the outside interface? I just want to make sure.
05-22-2012 11:06 AM
Sorry for my bad explanation.
So here we go. The IPSec clients are on the internet, connecting to the ASA on the outside interface. And both ASAs are making an EzVPN network on the outside interfaces. And I'm connecting the IPSec client to one ASA and I want to get in touch with the network behind the second ASA.
05-22-2012 11:18 AM
Hello,
So you want the IPsec clients to be able to talk to the network behind the other EasyVPN site. Is the other side the Easy VPN server?
Regards,
Julio
05-22-2012 11:21 AM
Hi Julio,
Yes, that's the point. I want to connect all network areas, including the one behind the EzVPN network.
I can connect to the 192.168.202.0 network with no problem from the IPSec clients. But I also need to connect to the 192.168.1.0 network.
Thanks a lot for your patience.