12-29-2013 07:57 PM - edited 02-21-2020 07:24 PM
Hi,
I have set up AnyConnect on a Cisco ASA5520 and I am able to connect fine without any problems. The problem I am having is that once connected I am not able to access any of the internal network; I can't even ping the ASA itself or any IP on the internal network.
I receive the error below:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.200.1/62175 dst inside:192.168.100.200/53 denied due to NAT reverse path failure
Any help will be greatly appreciated.
I have pasted the running config below:
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name system.com.au
enable password k1fr encrypted
passwd 2YOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group II_Internet
ip address pppoe setroute
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.200
name-server 192.168.100.210
domain-name systema.com.au
object-group network Exchange_Server
access-list OUTSIDE-IN remark Allow SMTP
access-list OUTSIDE-IN extended permit tcp any host 210.210.224.130 eq smtp
access-list OUTSIDE-IN remark ALLOW HTTPS
access-list OUTSIDE-IN extended permit tcp any host 210.210.224.130 eq https
access-list no_nat extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool SSLClientPool 192.168.200.1-192.168.200.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list no_nat
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp 210.210.224.130 smtp 192.168.100.205 smtp netmask 255.255.255.255
static (inside,outside) tcp 210.210.224.130 https 192.168.100.205 https netmask 255.255.255.255
access-group OUTSIDE-IN in interface outside
route inside 10.1.1.0 255.255.255.0 10.10.10.1 1
route inside 172.16.25.0 255.255.255.0 10.10.10.1 1
route inside 172.16.25.0 255.255.255.0 10.10.10.1 1
route inside 192.168.100.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 2456
http 10.10.10.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa.system.com.au
keypair sslvpnkey
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
certificate 081f7ea439d550
3082057b 30820463 a0030201 02020708 1f7ea439 d550300d 06092a86 4886f70d
01050507 01010474 30723024 06082b06 01050507 30018618 68747470 3a2f2f6f
6373702e 676f6461 6464792e 636f6d2f 304a0608 2b060105 05073002 863e6874
c344fe27 6e5daeac ca444182 0132cb7e 005b3b2c 99d558d4 90a3120e 02bd8139
243878fc cf70f691 e3758245 4175a002 f03729b5 5af2db11 221381a9 9f1fddee
8c879f26 e048639d 262d1c80 537920d0 e0427db4 81a698fc afdd256a 64070b2b
d16e8995 23731426 b0b76042 b29a15cb cb793594 26be7299 a09f2365 4a254fe7
d6ef1f2e 925bdc8f 7efb32b0 31de198e febdc248 27bbfa36 bb849df1 699f88
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca 0301
308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f
3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
quit
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
vpdn group II_Internet request dialout pppoe
vpdn group II_Internet localname system@comms.com.au
vpdn group II_Internet ppp authentication chap
vpdn username system@comms.com.au password *****
!
tls-proxy maximum-session 750
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
ntp server 203.14.0.251 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
svc enable
tunnel-group-list enable
certificate-group-map DefaultCertificateMap 10 SSLClient
group-policy SSLCLient internal
group-policy SSLCLient attributes
dns-server value 192.168.100.200
vpn-tunnel-protocol svc webvpn
default-domain value system.com.au
address-pools value SSLClientPool
username Peter password 72Cuy5 encrypted
username Peter attributes
service-type remote-access
username Sys-ten password Kd/vu encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
group-alias MY_RA enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
smtp-server 192.168.100.205
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8f0c78e62a1a98b433941b77275faed3
: end
ciscoasa#
12-29-2013 08:30 PM
Your no_nat access-list (access-list no_nat extended permit ip 10.10.10.0 255.255.255.0 192.168.200.0 255.255.255.0) only exempts communications between 10.10.10.0/24 and your VPN addresses from NAT.
Your example shows you trying to reach an internal DNS server, 192.168.100.200. All inside networks need to be included in the no_nat access-list. That would mean, at a minimum, another entry in the access-list such as:
access-list no_nat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
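The NAT-exemption change described in the reply above, written out as a complete ASA 8.2-style fragment together with the commands used to verify it. This is an added example, not configuration taken from the original thread. The entries for 172.16.25.0/24 and 10.1.1.0/24 are assumptions based on the static routes in the posted config; drop them if VPN users do not need those networks.

```cisco
! Added example (not from the original post): nat-exemption (nat 0) on ASA 8.2(5)
! for AnyConnect clients in 192.168.200.0/24.
! On a nat 0 ACL bound to "inside", the SOURCE is the inside network and the
! DESTINATION is the VPN pool. Every inside network a client must reach needs
! its own line; the reverse-path check in the syslog fails for any network
! that is missing here.
access-list no_nat extended permit ip 10.10.10.0   255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
! Assumed: routed networks from the posted "route inside" lines.
access-list no_nat extended permit ip 172.16.25.0  255.255.255.0 192.168.200.0 255.255.255.0
access-list no_nat extended permit ip 10.1.1.0     255.255.255.0 192.168.200.0 255.255.255.0
nat (inside) 0 access-list no_nat
!
! Existing translations built under the old rules are not re-evaluated;
! clear them (this drops active connections through the ASA).
clear xlate
!
! Verify with the exact 5-tuple from the syslog, in both directions.
! A working trace ends with "Action: allow"; a failing one shows the phase
! (NAT, ACL, route) that dropped the packet.
packet-tracer input outside udp 192.168.200.1 62175 192.168.100.200 53 detailed
packet-tracer input inside  udp 192.168.100.200 53 192.168.200.1 62175 detailed
show run nat
show run access-list no_nat
```

If the packet-tracer output still fails in the NAT phase after the exemption is in place, compare the source and destination subnets in the trace against the ACL lines character by character; the nat 0 match is exact on both halves of the flow. It is also worth checking the static routes in the posted config: `route inside 192.168.100.0 255.255.255.0 10.10.10.1` uses 10.10.10.1, which is the ASA's own inside interface address, as the next hop. The next hop for a routed inside network should be the internal router's address on 10.10.10.0/24, otherwise the trace can pass NAT and then fail in the route phase.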
12-29-2013 08:55 PM
Hi Marvin,
I added the above access list you suggested but I'm still having the same problem. Do you have any other idea what it could be?
Thanks,