Asymmetric NAT rules matched for forward and reverse flows

josetecson
Level 1

Hi! I don't know why this comes up in the logs when I have configured my vpn like so:

crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address bwi_l2l
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside

******

I am able to connect successfully via the VPN client. It's just that I can't reach the internal servers... Any ideas?

I get this error:

Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied

30 Replies

Jennifer Halim
Cisco Employee

What is your VPN pool subnet? Pls configure a unique subnet which is not the same subnet as your inside network.

Also, have you configured NAT exemption for that traffic?

I now changed it to

ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0

but I get the same-looking errors:

Oct 18 2012 01:16:20: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.6.220/51119 dst inside:10.10.10.52/53 denied due to NAT reverse path failure

Have you configured NAT exemption for traffic between 10.10.13.0 and 192.168.6.0?

Which version of ASA are you running?

The version is 8.2.

I added:

nat (inside) 0 access-list nonatacl

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 any

I still get the same error:

Oct 18 2012 01:37:34: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.6.220/64932 dst inside:10.10.10.52/53 denied due to NAT reverse path failure

192.168.6.0/24 should be the destination, not the source.

access-list nonatacl permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (inside) 0 access-list nonatacl

Then "clear xlate", it should work after that.

I have added:

access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

I still get the same error. I get no hits in the ACL:

access-list nonatacl line 8 extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0) 0x6ba60382

10.10.13.0 ---> is the inside network
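To make the reverse-path point concrete (the nat (inside) 0 entry is evaluated for the flow from the inside host back to the VPN client, so the inside subnet must be the source and the pool the destination), here is an added Python checker that is not part of the thread. It assumes only the `permit ip NET MASK` and `any` entry forms used above, and its sample ACL and syslog line are constructed copies of the values quoted in the posts.

```python
import ipaddress
import re

# Constructed samples in the shape of the thread: the poster's two nat 0 entries and the 305013 line.
NONAT_ACL = """
access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 any
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0
"""
SYSLOG_305013 = ("Oct 18 2012 01:37:34: %ASA-5-305013: Asymmetric NAT rules matched for "
                 "forward and reverse flows; Connection for udp src outside:192.168.6.220"
                 "/64932 dst inside:10.10.10.52/53 denied due to NAT reverse path failure")
FLOW_RE = re.compile(r"src (\S+?):(\d+\.\d+\.\d+\.\d+)/\d+ dst (\S+?):(\d+\.\d+\.\d+\.\d+)/\d+")

def _take_addr(tokens):
    """Consume one ASA address spec, 'any' or 'NET MASK' (the forms used in the thread)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_nonat_acl(text):
    """Parse 'access-list NAME extended permit ip SRC DST' lines into (src, dst) networks."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue  # only plain 'permit ip' entries matter for a nat 0 ACL
        src, rest = _take_addr(tokens[5:])
        dst, _ = _take_addr(rest)
        entries.append((src, dst))
    return entries

def parse_305013(line):
    """Return (src_if, src_ip, dst_if, dst_ip) from a %ASA-5-305013 syslog line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("not a 305013 flow line")
    return m.groups()

def reverse_flow_exempt_index(acl, flow, nat0_iface="inside"):
    """Index of the first nat (nat0_iface) 0 entry matching the reverse flow, else None."""
    # The reverse flow runs from the inside host back to the VPN client, so the entry
    # needs the inside host's subnet as source and the client's pool as destination.
    src_if, src_ip, dst_if, dst_ip = flow
    if dst_if != nat0_iface:
        return None
    for i, (acl_src, acl_dst) in enumerate(acl):
        if ipaddress.ip_address(dst_ip) in acl_src and ipaddress.ip_address(src_ip) in acl_dst:
            return i
    return None
```

Run against the two entries above it returns None for the quoted flow (10.10.10.52 lies in neither source subnet), which is consistent with the hitcnt=0 the poster reports; the function only reports an entry whose source covers the inside host and whose destination covers the pool address.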

Can you please share the full config, thanks.

I put in the important configs:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 standby x.x.x.x
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.13.5 255.255.255.0 standby 10.10.13.6
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 no ip address
 ospf cost 10
!
interface GigabitEthernet0/2.720
 vlan 720
 nameif dmz-vsp
 security-level 50
 ip address 172.24.0.1 255.255.255.0 standby 172.24.0.2
 ospf cost 10
!
interface GigabitEthernet0/2.724
 vlan 724
 nameif dmz-dbz
 security-level 75
 ip address 172.24.4.1 255.255.255.0 standby 172.24.4.2
 ospf cost 10
!
interface GigabitEthernet0/2.725
 vlan 725
 nameif dmz-smtp
 security-level 50
 ip address 172.24.5.1 255.255.255.0 standby 172.24.5.2
 ospf cost 10
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.50
 domain-name xxxx.local
access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 172.16.0.0 255.255.0.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.2.0 255.255.255.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.3.0 255.255.255.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.14.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0
ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0
global (outside) 201 192.168.16.1-192.168.16.250
global (outside) 202 10.201.5.145-10.201.5.158
global (outside) 4 10.10.13.180-10.10.13.189 netmask 255.0.0.0
global (outside) 101 interface
global (outside) 1 x.x.x.x netmask 255.0.0.0
global (inside) 204 10.10.13.70-10.10.13.79 netmask 255.0.0.0
nat (inside) 0 access-list nonatacl
nat (inside) 201 access-list NAT_TO_IDP
nat (inside) 202 access-list inside2-vsp_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz-vsp) 202 access-list dmz-vsp_nat_outbound
nat (dmz-vsp) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.240.0.0 10.10.13.1 1
route inside 10.40.1.0 255.255.255.0 10.10.13.1 1
route inside 10.40.2.0 255.255.255.0 10.10.13.1 1
route inside 10.40.3.0 255.255.255.0 10.10.13.1 1
route inside 10.40.4.0 255.255.255.0 10.10.13.1 1
route inside 10.40.13.0 255.255.255.0 10.10.13.1 1
route inside 10.40.254.0 255.255.255.0 10.10.13.1 1
route inside 172.16.0.0 255.255.0.0 10.10.13.1 1
route inside 192.168.2.0 255.255.255.0 10.10.13.1 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN_Auth protocol radius
aaa-server VPN_Auth (inside) host 10.10.2.20
 timeout 5
 key *****
 no mschapv2-capable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address nonatacl
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp enable dmz-vsp
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy ihasavpn2_gp internal
group-policy ihasavpn2_gp attributes
 dns-server value 10.10.10.52
 vpn-tunnel-protocol IPSec
 default-domain value xxxx.local
tunnel-group ihasavpn2 type remote-access
tunnel-group ihasavpn2 general-attributes
 address-pool inshse-vpn-pool2
 authentication-server-group VPN_Auth
 authentication-server-group (inside) VPN_Auth
 default-group-policy ihasavpn2_gp
tunnel-group ihasavpn2 ipsec-attributes
 pre-shared-key *****
tunnel-group ihasavpn2 ppp-attributes
 authentication ms-chap-v2

Pls remove the following:

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0

Also share the output of: show route | i 192.168.

I removed that ACL line.

show route | i 192.168.

S    192.168.2.0 255.255.255.0 [1/0] via 10.10.13.1, inside

Where do you connect from? Inside or outside?

I connect from the outside (public internet) using the VPN client.

Can you pls share the output of:

show cry ipsec sa

Output:

There are no ipsec sas
