Connected to ASA via software "VPN Client", but cannot ping devices.

JonCommins
Level 1

I have a network that looks something like this:

[Network diagram: vpn-client-diagram-2.fw.png]

I have successfully connected to the inside network of the ASA via a software "VPN Client" tunnel and obtained an IP address of 10.45.99.100/16.

I'm trying to ping 10.45.7.2 from the outside 10.45.99.100, but the ping fails (request timed out).

On the ASA, with "logging console notifications" set, I notice the following message:


"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 (type 8, code 0) denied due to NAT reverse path failure"

I have a vague sense that I'm missing a NAT rule, but I'm not entirely sure. What have I missed?

Here's my ASA configuration: http://pastebin.com/raw.php?i=ad6p1Zac


1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

You seem to have a NAT0 ACL configured, but it's not actually in use with a "nat" command.

You would probably need

nat (inside) 0 access-list inside_nat0_outside

This should handle the NAT0.

I would personally avoid using large subnets/networks. You probably won't ever have enough hosts behind the ASA to fill a /16 subnet.

I would also keep the VPN pool as a separate network compared to the LAN networks behind the ASA. Both the LAN 10.45.0.0/16 and 10.45.99.100-200 are from the same network.

- Jouni


2 Replies


Thanks, that resolved the failure message I was getting.
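The two problems the accepted answer identifies (a NAT-exemption ACL that is defined but never bound with "nat (inside) 0 access-list ...", and a VPN pool carved out of the LAN subnet) are both visible from the running config alone, so they can be caught before a client ever produces the %ASA-5-305013 message. The Python script below is an added example and is not part of this thread or of any Cisco tool; it works on pre-8.3 ASA syntax, uses a constructed sample config (the pastebin config itself is not reproduced here) whose addresses mirror the ones in the thread, and assumes a naming heuristic that a NAT-exemption ACL has "nat0" in its name.

```python
import ipaddress
import re

# Constructed sample of pre-8.3 ASA configuration (not the poster's pastebin
# config); the LAN, the pool and the ACL name match what the thread discusses.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.45.1.1 255.255.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
ip local pool VPN_POOL 10.45.99.100-10.45.99.200 mask 255.255.0.0
access-list inside_nat0_outside extended permit ip 10.45.0.0 255.255.0.0 10.45.99.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# The same config with the binding from the accepted answer appended.
FIXED_CONFIG = SAMPLE_CONFIG + "nat (inside) 0 access-list inside_nat0_outside\n"

ACL_RE = re.compile(r"^access-list (\S+) ")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")


def parse_config(text):
    """Collect ACL names, NAT0 bindings, VPN pools and interface subnets."""
    acls, nat0_bound, pools, ifaces = set(), set(), [], {}
    nameif = None
    for line in text.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block: forget the previous nameif
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif (m := IPADDR_RE.match(line)) and nameif:
            ifaces[nameif] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := NAT0_RE.match(line):
            nat0_bound.add(m.group(2))
        elif m := POOL_RE.match(line):
            pools.append((m.group(1), ipaddress.ip_address(m.group(2)),
                          ipaddress.ip_address(m.group(3))))
    return {"acls": acls, "nat0_bound": nat0_bound, "pools": pools, "ifaces": ifaces}


def unbound_nat0_acls(cfg):
    """ACLs that look like NAT-exemption lists (heuristic: 'nat0' in the name)
    but are never referenced by a 'nat (x) 0 access-list' command."""
    return sorted(a for a in cfg["acls"]
                  if "nat0" in a.lower() and a not in cfg["nat0_bound"])


def dangling_nat0_refs(cfg):
    """'nat (x) 0 access-list NAME' lines whose NAME is not defined anywhere."""
    return sorted(cfg["nat0_bound"] - cfg["acls"])


def pool_overlaps(cfg):
    """VPN pools whose range intersects a directly connected interface subnet,
    the second thing the accepted answer recommends avoiding."""
    hits = []
    for name, start, end in cfg["pools"]:
        for nameif, net in cfg["ifaces"].items():
            if start <= net.broadcast_address and end >= net.network_address:
                hits.append((name, nameif, str(net)))
    return hits


def audit(text):
    """Run all three checks over one config text and return the findings."""
    cfg = parse_config(text)
    return {
        "unbound_nat0_acls": unbound_nat0_acls(cfg),
        "dangling_nat0_refs": dangling_nat0_refs(cfg),
        "pool_overlaps": pool_overlaps(cfg),
    }


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with nat 0 binding", FIXED_CONFIG)):
        print(label, audit(text))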