07-15-2021 07:11 AM
Hello all,
We are trying to connect a second internal network to our existing site to site VPN.
The VPN works for the initial two networks, but when trying to add the second network at site B we get the following error:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.16.1.94 dst Lab:192.168.2.15 (type 8, code 0) denied due to NAT reverse path failure
Site B: 1.2.3.100, Internal network: 192.168.1.0
Site A: 1.2.3.200, internal network: 172.16.1.0
Site B network to add is 192.168.2.0
Seems from different threads that I have seen that we are missing a NAT statement of some sort but I am not sure the statement we need.
Let me know any shows that you would like me to run and I can post them up for you, rather than posting the whole config here.
Thanks
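The "NAT reverse path failure" message above is what the ASA logs when the forward flow matches one NAT rule and the reverse flow another, which is typical when a new subnet is not covered by the VPN's NAT exemption. The configuration below is an added example of the identity (twice) NAT exemption that thread is hinting at; it is not the poster's own configuration or the fix they eventually applied (the thread does not show it). Assumptions: both subnets are /24, the Site B inside interface is named Elk as in the packet-tracer output, the Site A inside interface is named inside, and the object names are made up.

```cisco
! ---- Site B (1.2.3.100), interfaces Elk (inside) / outside ----
! Existing exemption for the first network is assumed to look like this:
object network SITEB-LAN1
 subnet 192.168.1.0 255.255.255.0
object network SITEA-LAN
 subnet 172.16.1.0 255.255.255.0
! New network being added at Site B (mask assumed):
object network SITEB-LAN2
 subnet 192.168.2.0 255.255.255.0
! Identity NAT: source and destination both mapped to themselves, so traffic
! in the tunnel is not rewritten and the reverse flow matches the same rule.
! Must sit above any dynamic PAT rule on (Elk,outside).
nat (Elk,outside) 1 source static SITEB-LAN1 SITEB-LAN1 destination static SITEA-LAN SITEA-LAN no-proxy-arp route-lookup
nat (Elk,outside) 2 source static SITEB-LAN2 SITEB-LAN2 destination static SITEA-LAN SITEA-LAN no-proxy-arp route-lookup

! ---- Site A (1.2.3.200), interfaces inside (assumed name) / outside ----
! The mirror-image exemption is needed here too, or the reply traffic from
! 172.16.1.0/24 back to 192.168.2.0/24 hits the dynamic PAT rule instead.
object network SITEA-LAN
 subnet 172.16.1.0 255.255.255.0
object network SITEB-LAN2
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static SITEA-LAN SITEA-LAN destination static SITEB-LAN2 SITEB-LAN2 no-proxy-arp route-lookup

! ---- Verification on Site B: trace in the direction the real flow goes ----
! Inside host toward Site A host; the NAT phase should show the identity
! rule above, and "Action: allow", before checking the ipsec sa counters.
packet-tracer input Elk icmp 192.168.2.15 8 0 172.16.1.94 detailed
show nat detail
show crypto ipsec sa peer 1.2.3.200
```

The crypto ACL for the tunnel must also list 192.168.2.0/24 at both sites, otherwise the exemption is correct but the traffic is never encrypted.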
07-16-2021 08:19 AM
Have you not run this packet tracer on the wrong firewall?
packet-tracer input Lab icmp 172.16.1.94 8 0 192.168.2.15
172.16.1.94 is not the source network??
07-16-2021 08:26 AM
Yeah. I ran that packet tracer from Site B, everything I have showed you is from Site B. That's why I ran it again changing the source and destination. I realized I probably had those backward.
07-16-2021 08:36 AM
Ok, so did the encaps increase on the ipsec sa when you run the correct packet trace?
Did you generate some real traffic?
Why does the output confirm the input interface as "elk" and not lab?
Result:
input-interface: Elk
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Please provide the full configuration on both firewalls.
07-16-2021 09:22 AM
Sorry,
Elk was the real name but since I was calling it Lab early on I thought I would stick with that to not confuse things. Forgot to change it...
No encaps increase. Site A still sends but doesn't receive, site B receives but doesn't send.
I will send over the configs in a bit...
Also when you say "real traffic", what are you referring to? I have been sending pings across the networks, that is usually enough to bring up the tunnel.
Thanks,
07-16-2021 09:32 AM - edited 07-16-2021 09:50 AM
Site B is attached.
07-16-2021 09:35 AM
Okay,
I had someone on their end ping through to my network and it worked and then verified that I could ping their machine.
This is now working.
I appreciate your patience with me.
Thanks for all of your help!