01-09-2014 11:37 AM
I have a network that looks something like this:
I have successfully connected to the inside network of the ASA via a software "VPN Client" tunnel and obtained an IP address of 10.45.99.100/16.
I'm trying to ping 10.45.7.2 from the outside 10.45.99.100, but the ping fails (request timed out).
On the ASA, with "logging console notifications" set, I notice the following message:
"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 (type 8, code 0) denied due to NAT reverse path failure"
I have a vague sense that I'm missing a NAT rule, but I'm not entirely sure. What have I missed?
Here's my ASA configuration: http://pastebin.com/raw.php?i=ad6p1Zac
01-09-2014 11:58 AM
Hi,
You seem to have a NAT0 ACL configured, but it's not actually in use with a "nat" command.
You would probably need:
nat (inside) 0 access-list inside_nat0_outside
This should handle the NAT0.
I would personally avoid using large subnets/networks. You probably won't ever have hosts behind the ASA that would fill a /16 mask subnet.
I would also keep the VPN pool as a separate network compared to the LAN networks behind the ASA. Both the LAN 10.45.0.0/16 and 10.45.99.100-200 are from the same network.
- Jouni
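The two points in the answer above (a NAT0 ACL that no "nat" command applies, and a VPN pool taken from the LAN's own network) can be checked against a saved configuration. This is an added example, not part of the original thread; the sample config is constructed in pre-8.3 ASA syntax (it is not the poster's pastebin), and the pool name "vpnpool" and the "nat0" name hint are assumptions.

```python
import ipaddress
import re

# Constructed sample (not the poster's pastebin config), pre-8.3 ASA syntax.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.45.0.1 255.255.0.0
access-list inside_nat0_outside extended permit ip 10.45.0.0 255.255.0.0 10.45.99.0 255.255.255.0
ip local pool vpnpool 10.45.99.100-10.45.99.200 mask 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) ", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
IFADDR_RE = re.compile(r"^ ip address (\d\S+) (\d\S+)", re.M)


def unused_nat0_acls(config, hint="nat0"):
    """ACLs named like NAT exemption that no 'nat (if) 0 access-list' applies."""
    applied = {acl for _, acl in NAT0_RE.findall(config)}
    defined = set(ACL_RE.findall(config))
    return sorted(a for a in defined if hint in a.lower() and a not in applied)


def pools_inside_lan(config):
    """VPN pools whose range falls inside a directly connected interface network."""
    lans = [ipaddress.ip_interface(f"{ip}/{mask}").network
            for ip, mask in IFADDR_RE.findall(config)]
    hits = []
    for name, first, last in POOL_RE.findall(config):
        for lan in lans:
            if ipaddress.ip_address(first) in lan or ipaddress.ip_address(last) in lan:
                hits.append((name, str(lan)))
    return hits


if __name__ == "__main__":
    print("NAT0 ACLs not applied:", unused_nat0_acls(SAMPLE_CONFIG))
    print("Pools overlapping a LAN:", pools_inside_lan(SAMPLE_CONFIG))
    # Appending the command from the answer clears the first finding.
    fixed = SAMPLE_CONFIG + "nat (inside) 0 access-list inside_nat0_outside\n"
    print("After adding the nat 0 line:", unused_nat0_acls(fixed))
```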
01-09-2014 02:17 PM
Thanks, that resolved the failure message I was getting.