denied due to NAT reverse path failure for second internal network

Hello all,

We are trying to connect a second internal network to our existing site-to-site VPN.

The VPN works for the initial two networks, but when trying to add the second network at site B we get the following error:

 

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.16.1.94 dst Lab:192.168.2.15 (type 8, code 0) denied due to NAT reverse path failure

 

Site B: 1.2.3.100, Internal network: 192.168.1.0

Site A: 1.2.3.200, internal network: 172.16.1.0

 

Site B network to add is 192.168.2.0

It seems from different threads I have seen that we are missing a NAT statement of some sort, but I am not sure which statement we need.

Let me know any shows that you would like me to run and I can post them up for you, rather than posting the whole config here.

Thanks
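For readers hitting the same "NAT reverse path failure" message, the following is an added example of the usual cause and fix on an ASA-style firewall; it is not configuration from this thread or from either site in it. It assumes the Site B inside interface is named Lab, that the crypto ACL name VPN-TO-SITE-A is already bound to the crypto map entry for peer 1.2.3.200, and that the object names are free to choose. The message appears when the forward flow (new LAN to Site A) matches a generic dynamic PAT-to-outside rule while the reverse flow matches a different rule or none at all, so the ASA refuses the asymmetric translation; a twice-NAT identity rule for the new LAN/remote LAN pair makes both directions match the same rule.

```cisco
! Added example, not the thread's own config. Site B firewall, inside interface "Lab" (assumed).
object network LAB-NET-2
 subnet 192.168.2.0 255.255.255.0
object network SITE-A-NET
 subnet 172.16.1.0 255.255.255.0
!
! Identity (twice) NAT: keep both source and destination addresses unchanged for
! traffic between the new LAN and Site A. Place it above any dynamic PAT rule so
! forward and reverse flows both hit this rule and the reverse-path check passes.
nat (Lab,outside) 1 source static LAB-NET-2 LAB-NET-2 destination static SITE-A-NET SITE-A-NET no-proxy-arp route-lookup
!
! The crypto ACL must also list the new network pair, and Site A needs the
! mirror-image entry (172.16.1.0/24 -> 192.168.2.0/24) in its own crypto ACL and
! NAT exemption, otherwise the tunnel has no proxy identity for this traffic.
access-list VPN-TO-SITE-A extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
!
! Checks, run on Site B: simulate the flow in the direction the firewall actually
! sees it (inside host -> Site A host), then confirm the IPsec SA encaps/decaps
! counters move when real traffic is sent.
packet-tracer input Lab icmp 192.168.2.15 8 0 172.16.1.94
show nat detail
show crypto ipsec sa peer 1.2.3.200
```

In the packet-tracer output the NAT phase should now reference the identity rule in both the forward and reverse lookups; if a different rule appears in either phase, the asymmetric-rule message will return as soon as real traffic flows.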

 

 

20 Replies

Have you not run this packet tracer on the wrong firewall?

 

packet-tracer input Lab icmp 172.16.1.94 8 0 192.168.2.15

 

172.16.1.94 is not the source network??

Yeah. I ran that packet tracer from Site B, everything I have showed you is from Site B. That's why I ran it again changing the source and destination. I realized I probably had those backward.

Ok, so did the encaps increase on the ipsec sa when you run the correct packet trace?

Did you generate some real traffic?

 

Why does the output confirm the input interface as "elk" and not lab?

 

Result:
input-interface: Elk
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

Please provide the full configuration on both firewalls.

Sorry,

 

Elk was the real name, but since I was calling it Lab early on I thought I would stick with that to not confuse things. Forgot to change it...

 

No encaps increase. Site A still sends but doesn't receive, site B receives but doesn't send.

I will send over the configs in a bit...

 

Also when you say "real traffic", what are you referring to? I have been sending pings across the networks, that is usually enough to bring up the tunnel.

 

Thanks,

Site B is attached. 

Okay,

I had someone on their end ping through to my network and it worked, and then I verified that I could ping their machine.

 

This is now working.

I appreciate your patience with me.

 

Thanks for all of your help!