10-17-2012 10:03 PM
Hi! I don't know why this comes up in the logs when I have configured my vpn like so:
crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address bwi_l2l
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside
******
I am able to connect successfully via vpn client. Its just that i cant reach the internal servers... Any ideas?
i get this error:
Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied
08-11-2019 08:03 AM
I have to update with this simple comment because sometimes the simple things get you in the end. In my case I had everything setup correctly. Nat exempt, split tunneling allowed access to all required networks, and even a nat rule:
nat (inside,outside) source static any any destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup
ASA# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside x.x.x.x 255.255.255.255 CONFIG
GigabitEthernet1/2 inside 10.110.0.1 255.255.255.240 CONFIG
GigabitEthernet1/3 office 10.110.10.1 255.255.255.224 CONFIG
The problem is the NAT rule, I was able to connect to anything on the inside interface, but because there was a rule that said inside,outside I couldn't get to the office network. Changed the rule to:
nat (any,outside) source static any any destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide