Asymmetric NAT rules matched for forward and reverse flows

josetecson
Level 1

Hi! I don't know why this comes up in the logs when I have configured my VPN like so:

crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address bwi_l2l
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside

******

I am able to connect successfully via the VPN client. It's just that I can't reach the internal servers... Any ideas?

I get this error:

Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied

30 Replies

Errr, are you connected to your VPN Client when you take the output?

I am connected via ssh and in the CLI of the asa.

You would need to connect to the VPN Client, and try to access the internal network to see if it's successful.

Then connect to SSH and grab those output if it's still not working.

That's the thing... I get authenticated successfully by the VPN client, but once I'm connected I cannot SSH or RDP to any servers or access anything.

Add these commands (the split-tunnel ACL needs the standard keyword on the ASA):

crypto isakmp nat-traversal 30
management-access inside
access-list split-acl standard permit 10.10.13.0 255.255.255.0
group-policy ihasavpn2_gp attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-acl

Then connect to the VPN client and see if you can access anything. Also try to ping 10.10.13.5

Oct 18 2012 07:46:48: %ASA-6-737026: IPAA: Client assigned 192.168.6.220 from local pool
Oct 18 2012 07:46:48: %ASA-7-713906: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Obtained IP addr (192.168.6.220) prior to initiating Mode Cfg (XAuth enabled)
Oct 18 2012 07:46:48: %ASA-6-713228: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Assigned private IP address 192.168.6.220 to remote user
192.168.6.220
Oct 18 2012 07:46:49: %ASA-7-713025: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Received remote Proxy Host data in ID Payload:  Address 192.168.6.220, Protocol 0, Port 0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 20, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 40, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 60, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 80, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
  Remote host: 192.168.6.220  Protocol 0  Port 0
Oct 18 2012 07:46:49: %ASA-7-609001: Built local-host outside:192.168.6.220
Oct 18 2012 07:46:49: %ASA-7-713204: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Adding static route for client address: 192.168.6.220
Oct 18 2012 07:49:09: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:49:14: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:49:19: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:49:24: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:50:10: %ASA-7-710005: TCP request discarded from 192.168.6.220/24783 to outside:10.10.13.5/22
Oct 18 2012 07:50:13: %ASA-7-710005: TCP request discarded from 192.168.6.220/24783 to outside:10.10.13.5/22

That's the result from the logs when I added the split tunnel.

It's difficult not to see the whole config, as there might be overlapping ACL, or other configuration that might block the access.

Well, it was worth a shot. Thanks for your help though. One thing to note: I accidentally overlapped some config in the crypto and it worked, although it tore down all the L2L VPNs configured:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal

It sort of replaced "crypto map L2L_MAP interface outside" and it worked, but the rest of the site-to-site VPNs didn't work, so I had to revert back.

I was wondering if it conflicted somewhere. Or maybe I have to place a

nat (outside) 1 192.168.6.0 255.255.255.0  --> does that do anything?

If it works when you have it before, then it's definitely overlapping crypto ACL. Check and make sure that you don't have any overlapping crypto ACL with 192.168.6.0/24. If you do, then change the pool to a different subnet (unique subnet).

You can remove: nat (outside) 1 192.168.6.0 255.255.255.0, as you don't need that.

Thanks Jennifer, I really appreciate your help. It was a good try...

Is it working now?

Unfortunately it still isn't...

object network Remote_Subnet
subnet 192.168.6.0 255.255.255.0

nat (Inside,Outside) source static any any destination static Remote_Subnet Remote_Subnet no-proxy-arp route-lookup
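To confirm which denied flows the NAT exemption above needs to cover, here is an added triage script (not from the thread or from Cisco) that parses %ASA-5-305013 lines like the one in the original post and keeps only those whose endpoints lie in the VPN pool and an inside network; the sample log lines and the pool/inside subnets are constructed for this example.

```python
import ipaddress
import re

# Pattern for the 305013 message body as it appears in the thread's log line
# (written from that observed format; it is not an official Cisco grammar).
ASA_305013 = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) denied"
)

# Constructed sample: the line from the original post plus one for a VPN
# client (192.168.6.220) trying to reach an inside host over SSH.
SAMPLE_LOG = [
    "Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward "
    "and reverse flows; Connection for udp src outside:10.10.13.221/137 "
    "dst inside:10.10.13.255/137 denied",
    "Oct 18 2012 07:50:10: %ASA-7-710005: TCP request discarded from "
    "192.168.6.220/24783 to outside:10.10.13.5/22",
    "Oct 18 2012 07:50:13: %ASA-5-305013: Asymmetric NAT rules matched for forward "
    "and reverse flows; Connection for tcp src outside:192.168.6.220/24783 "
    "dst inside:10.10.13.5/22 denied",
]


def parse_305013(line):
    """Return the flow fields of a 305013 line as a dict, or None for other lines."""
    m = ASA_305013.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["src"] = ipaddress.ip_address(flow["src"])
    flow["dst"] = ipaddress.ip_address(flow["dst"])
    return flow


def flows_missing_exemption(lines, vpn_pool, inside_nets):
    """List 305013 denials between the VPN pool and an inside network.

    These are exactly the flows an identity NAT (NAT exemption) for the pool
    must match; a 305013 whose endpoints are not in the pool is a different
    problem and is left out so the two are not confused."""
    pool = ipaddress.ip_network(vpn_pool)
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    hits = []
    for line in lines:
        flow = parse_305013(line)
        if flow is None:
            continue
        a, b = flow["src"], flow["dst"]
        touches_pool = a in pool or b in pool
        touches_inside = any(a in n or b in n for n in nets)
        if touches_pool and touches_inside:
            hits.append((str(a), str(b), flow["proto"], int(flow["dport"])))
    return hits
```

Run against the sample with the pool 192.168.6.0/24 and inside 10.10.13.0/24, only the SSH flow from the VPN client is reported; the NetBIOS broadcast from the original post is parsed but not attributed to the pool.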


@shyleshkodiyath wrote:

object network Remote_Subnet
subnet 192.168.6.0 255.255.255.0

nat (Inside,Outside) source static any any destination static Remote_Subnet Remote_Subnet no-proxy-arp route-lookup


You are awesome! I have been trying to figure this out for a month! I ran across this post, switched out my VPN subnet and ran the commands above, and it immediately fixed my problem! I cannot thank you enough! The 3 commands were all I applied, btw. I didn't even have to log out of my current VPN session :)