Asymmetric NAT rules matched for forward and reverse flows

josetecson
Level 1

Hi! I don't know why this comes up in the logs when I have configured my VPN like so:

crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address bwi_l2l
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside

******

I am able to connect successfully via the VPN client. It's just that I can't reach the internal servers... Any ideas?

I get this error:

Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied


I have to update with this simple comment because sometimes the simple things get you in the end. In my case I had everything set up correctly: NAT exempt, split tunneling allowed access to all required networks, and even a NAT rule:

nat (inside,outside) source static any any destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup

ASA# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet1/1 outside x.x.x.x 255.255.255.255 CONFIG
GigabitEthernet1/2 inside 10.110.0.1 255.255.255.240 CONFIG
GigabitEthernet1/3 office 10.110.10.1 255.255.255.224 CONFIG

The problem is the NAT rule: I was able to connect to anything on the inside interface, but because there was a rule that said inside,outside I couldn't get to the office network. I changed the rule to:

nat (any,outside) source static any any destination static AnyConnect_Pool AnyConnect_Pool no-proxy-arp route-lookup
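To see which interface pair the NAT exemption is missing, it helps to pull the `%ASA-5-305013` lines out of the syslog and group them by ingress/egress interface, then check each pair against the `(real_ifc,mapped_ifc)` of the configured exemption rules. The script below is an added example, not code from the thread or from Cisco; the log lines and addresses are constructed (they reuse the interface names from the `show ip` output above), and `rule_covers` is a deliberately simplified interface-pair check, not the ASA's full NAT lookup.

```python
import re
from collections import Counter

# Message 305013 as it appears in the thread; field names are this script's own.
ASA_305013 = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) denied"
)

# Constructed sample syslog excerpt (private addresses, not from a real device).
SAMPLE_LOG = """\
Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied
Oct 18 2012 00:53:02: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.10.13.221/51234 dst office:10.110.10.5/445 denied
Oct 18 2012 00:53:09: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.10.13.221/51235 dst office:10.110.10.5/445 denied
Oct 18 2012 00:53:40: %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.10.13.221/51236 (10.10.13.221/51236) to inside:10.110.0.5/22 (10.110.0.5/22)
"""

def parse_305013(log_text):
    """Return one dict per 305013 line; every other message is ignored."""
    events = []
    for line in log_text.splitlines():
        m = ASA_305013.search(line)
        if m:
            events.append(m.groupdict())
    return events

def interface_pairs(events):
    """Count denied flows per (ingress interface, egress interface)."""
    return Counter((e["src_ifc"], e["dst_ifc"]) for e in events)

def rule_covers(rule, pair):
    """Simplified: a (real_ifc, mapped_ifc) identity rule applies to traffic between
    those two interfaces in either direction; 'any' matches every interface."""
    real, mapped = rule
    ingress, egress = pair
    def match(ifc, want):
        return want == "any" or want == ifc
    return (match(ingress, mapped) and match(egress, real)) or \
           (match(ingress, real) and match(egress, mapped))

def uncovered_pairs(pairs, nat_exempt_rules):
    """Interface pairs seen in 305013 denials that no exemption rule applies to."""
    return sorted(p for p in pairs if not any(rule_covers(r, p) for r in nat_exempt_rules))

if __name__ == "__main__":
    pairs = interface_pairs(parse_305013(SAMPLE_LOG))
    print("denied flows per interface pair:", dict(pairs))
    print("not covered by (inside,outside):", uncovered_pairs(pairs, [("inside", "outside")]))
    print("not covered by (any,outside):", uncovered_pairs(pairs, [("any", "outside")]))
```

With the original `(inside,outside)` rule the `outside` to `office` pair is reported as uncovered, and with `(any,outside)` nothing is, which is the change the reply above describes.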