Cisco AnyConnect ASA denied due to NAT reverse path failure

systemaxtech · ‎12-29-2013

Hi,

I have setup anyconnect on a cisco ASA5520 and I am able to connect fine without any problems, the problem I am having is once connected I am not able to access any of the internal network, I cant even ping the ASA it self or any ip on the internal network.

I receive the below error

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.200.1/62175 dst inside:192.168.100.200/53 denied due to NAT reverse path failure

Any hep will be greatly appricated.

I have pasted the running config below

ciscoasa# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name system.com.au

enable password k1fr encrypted

passwd 2YOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

pppoe client vpdn group II_Internet

ip address pppoe setroute

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.100.200

name-server 192.168.100.210

domain-name systema.com.au

object-group network Exchange_Server

access-list OUTSIDE-IN remark Allow SMTP

access-list OUTSIDE-IN extended permit tcp any host 210.210.224.130 eq smtp

access-list OUTSIDE-IN remark ALLOW HTTPS

access-list OUTSIDE-IN extended permit tcp any host 210.210.224.130 eq https

access-list no_nat extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool SSLClientPool 192.168.200.1-192.168.200.10 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list no_nat

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,outside) tcp 210.210.224.130 smtp 192.168.100.205 smtp netmask 255.255.255.255

static (inside,outside) tcp 210.210.224.130 https 192.168.100.205 https netmask 255.255.255.255

access-group OUTSIDE-IN in interface outside

route inside 10.1.1.0 255.255.255.0 10.10.10.1 1

route inside 172.16.25.0 255.255.255.0 10.10.10.1 1

route inside 192.168.100.0 255.255.255.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable 2456

http 10.10.10.0 255.255.255.0 inside

http 192.168.100.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=ciscoasa.system.com.au

keypair sslvpnkey

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

crl configure

crypto ca certificate map DefaultCertificateMap 10

crypto ca certificate chain ASDM_TrustPoint0

certificate 081f7ea439d550

3082057b 30820463 a0030201 02020708 1f7ea439 d550300d 06092a86 4886f70d

01050507 01010474 30723024 06082b06 01050507 30018618 68747470 3a2f2f6f

6373702e 676f6461 6464792e 636f6d2f 304a0608 2b060105 05073002 863e6874

c344fe27 6e5daeac ca444182 0132cb7e 005b3b2c 99d558d4 90a3120e 02bd8139

243878fc cf70f691 e3758245 4175a002 f03729b5 5af2db11 221381a9 9f1fddee

8c879f26 e048639d 262d1c80 537920d0 e0427db4 81a698fc afdd256a 64070b2b

d16e8995 23731426 b0b76042 b29a15cb cb793594 26be7299 a09f2365 4a254fe7

d6ef1f2e 925bdc8f 7efb32b0 31de198e febdc248 27bbfa36 bb849df1 699f88

quit

crypto ca certificate chain ASDM_TrustPoint1

certificate ca 0301

308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500

3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f

3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f

776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee

quit

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

vpdn group II_Internet request dialout pppoe

vpdn group II_Internet localname system@comms.com.au

vpdn group II_Internet ppp authentication chap

vpdn username system@comms.com.au password *****

!

tls-proxy maximum-session 750

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

dynamic-filter updater-client enable

dynamic-filter use-database

ntp server 203.14.0.251 source outside prefer

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect-essentials

svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1

svc enable

tunnel-group-list enable

certificate-group-map DefaultCertificateMap 10 SSLClient

group-policy SSLCLient internal

group-policy SSLCLient attributes

dns-server value 192.168.100.200

vpn-tunnel-protocol svc webvpn

default-domain value system.com.au

address-pools value SSLClientPool

username Peter password 72Cuy5 encrypted

username Peter attributes

service-type remote-access

username Sys-ten password Kd/vu encrypted privilege 15

tunnel-group SSLClient type remote-access

tunnel-group SSLClient general-attributes

default-group-policy SSLCLient

tunnel-group SSLClient webvpn-attributes

group-alias MY_RA enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

!

service-policy global_policy global

smtp-server 192.168.100.205

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8f0c78e62a1a98b433941b77275faed3

: end

ciscoasa#

Marvin Rhoads · ‎12-29-2013

Your no_nat access-list (access-list no_nat extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0) only exempts communications to 10.10.10.0/24 from your VPN addresses NAT.

Your example shows you trying to reach an internal DNS server 192.168.100.200. All inside networks need to be included in the no_nat access-list. That would mean, at a minimum, another access-list entry in the access-list like:

access-list no_nat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

systemaxtech · ‎12-29-2013

Hi Marvin,

I addedd the above access list you suggested but still having the same problem, do you have any other idea what it could be.

Thanks,