09-14-2010 07:30 AM
Hi everybody, I have a problem with a site-to-site VPN connection between two ASA 5505 (ASA 8.2, ASDM 6.2) and I hope someone can help me. I have built the configuration on both devices (http://cisco.biz/en/US/docs/security/asa/asa82/getting_started/asa5580/quick/guide/sitvpn.html#wp1044213). Under "Specifying Hosts and Networks / Remote Network" I do not use the external IP of the remote site; I use the internal networks (10.0.1.0 and 10.0.2.0). I need a connection to two remote internal networks (from 10.0.0.0 to 10.0.1.0 and 10.0.2.0). The tunnel (Phase 1 and Phase 2) comes up when I ping a host of the second (10.0.2.x) remote network, but a ping is not possible. Syslog says "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside: 10.0.0.x dst dmz:10.0.1.x (type 8, code 0) denied due to NAT reverse path failure". On both sites VPN connections with Cisco VPN Clients are possible. Thanks to everyone for any ideas and help.
09-14-2010 08:18 AM
Hi,
For the site-to-site tunnel you should avoid NAT for the interesting traffic in both sites.
i.e.
Site A internal LAN 10.1.1.0/24
Site B internal LAN 10.1.2.0/24
Site A configuration for NAT:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
Site B configuration for NAT:
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
VPN Configuration:
Site A:
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
Site B:
access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
The above configuration allows communication between the internal sites on both sides without doing NAT for that traffic.
Is that how you have your configuration?
Federico.
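As an added example (not from this thread, and not Cisco's code), a small Python check for the condition Federico describes and the original poster hit: it parses "nat (inside) 0 access-list" and the crypto-map ACL out of constructed ASA 8.2 configuration text, reports crypto-ACL entries that the NAT exemption does not cover, and checks that the two sites' crypto ACLs mirror each other. The configuration snippets, ACL names and the interface name are assumptions; Site A below deliberately omits the exemption for one remote network.

```python
import ipaddress
import re

# Constructed sample configs in the shape of Federico's example (not the thread's real devices).
# Site A exempts only 10.1.2.0/24, although its crypto ACL also sends 10.1.3.0/24 into the tunnel.
SITE_A = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
"""
SITE_B = """
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn permit ip 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

# Only the "permit ip <net> <mask> <net> <mask>" form is parsed (no 'any' or 'host' keywords).
ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", re.M)

def parse_acl(config, name):
    """Return (src, dst) network pairs for every 'permit ip' entry of the named ACL."""
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for n, s, sm, d, dm in ACE.findall(config) if n == name]

def nat0_acl(config, iface="inside"):
    """Name of the ACL bound by 'nat (<iface>) 0 access-list <name>', or None."""
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None

def uncovered_vpn_traffic(config, crypto_acl="vpn", iface="inside"):
    """Crypto-ACL entries not fully covered by the NAT exemption ACL.

    Such traffic is translated before it enters the tunnel, so the return
    packets hit the "NAT reverse path failure" the original poster saw."""
    nonat = nat0_acl(config, iface)
    exempt = parse_acl(config, nonat) if nonat else []
    return [(s, d) for s, d in parse_acl(config, crypto_acl)
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

def mirrored(config_a, config_b, crypto_acl="vpn"):
    """True when each site's crypto ACL is exactly the reverse of its peer's."""
    a = {(s, d) for s, d in parse_acl(config_a, crypto_acl)}
    b = {(d, s) for s, d in parse_acl(config_b, crypto_acl)}
    return a == b

if __name__ == "__main__":
    for name, cfg in (("Site A", SITE_A), ("Site B", SITE_B)):
        print(name, "not exempted from NAT:", uncovered_vpn_traffic(cfg))
    print("crypto ACLs mirrored:", mirrored(SITE_A, SITE_B))
```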
09-14-2010 11:38 PM
Thanks to all of you. The example of Federico Coto Fajardo: "access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0"
has shown me my problem, thank you very much.
09-15-2010 07:34 AM
Glad I could help.
Please rate the thread if you find it helpful.
Federico.
09-14-2010 09:57 AM
Hi,
Please attach the outputs of "show run nat", "show run global" and "show run static" from both ASAs.
Regards,
Prapanch
05-09-2011 10:08 AM
Hi Federico,
Is the below configuration part of the crypto map ACL?
VPN Configuration:
Site A:
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
Site B:
access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
I am experiencing this error on Site B ASA when for e.g. Site A inside host initiates a connection to Site B inside host.
How should the NAT0 ACLs be in this case? The 'inside to outside communication' is already defined against NAT0. But I am getting this error for 'outside to inside host communication'.
Please advise.
Thanks.