08-10-2015 05:24 AM
Hello,
I'm quite new to Cisco devices, so maybe there is an easy way I just don't know to solve the problem I have.
We have 2 ISP connections and 2 ASA5505 with Sec Plus devices here in our office. I was able to set up ISP failover and an Active/Standby unit after some learning and internet research without many troubles. If the "KabelPlus-Modem" goes down, the ASA switches over to the backup route (Telekom Austria router) and the internet is working fine.
Here is the Setup:
The VPN is working fine as long as it runs over the Kabelplus modem; as soon as it switches to the Telekom line I can see that the VPN is built up and actually running, but NAT doesn't like me anymore.
The error states: Asymmetric NAT rules matched for forward and reverse flows; denied due to NAT reverse path failure
In the packet trace I got a (nat-xlate-failed)
I'm a bit confused by the Cisco NAT rules, but I think I slowly understand them somehow :)
Shouldn't the last 2 lines take care of the translation?
nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF003-01-LAN-FRA RF003-01-LAN-FRA
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.140.148.0_24 NETWORK_OBJ_10.140.148.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static RF001-01-LAN-MD RF001-01-LAN-MD no-proxy-arp route-lookup
nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF002-01-LAN-WBN RF002-01-LAN-WBN no-proxy-arp route-lookup
nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF002-01-VPN-Anyconnect-WBN RF002-01-VPN-Anyconnect-WBN no-proxy-arp
nat (inside,any) source static any any destination static VPNPOOL-001-MD VPNPOOL-001-MD description VPN Users 001 Access
nat (inside,outside) source static NETWORK_OBJ_10.140.145.0_24 NETWORK_OBJ_10.140.145.0_24 destination static RF004-01-LAN-VIE RF004-01-LAN-VIE no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static RF004-01-LAN-VIE RF004-01-LAN-VIE no-proxy-arp route-lookup
nat (outside,outside) source static VPNPOOL-001-MD VPNPOOL-001-MD destination static RF004-01-LAN-VIE RF004-01-LAN-VIE
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.140.148.0_27 NETWORK_OBJ_10.140.148.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static intern_10.140.145.0 intern_10.140.145.0 destination static remote_wiesbaden remote_wiesbaden no-proxy-arp route-lookup
nat (inside,outside) source static intern_10.140.145.0 intern_10.140.145.0 destination static remote_wbn_anyconnect remote_wbn_anyconnect no-proxy-arp
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.169.0_26 NETWORK_OBJ_192.168.169.0_26 no-proxy-arp route-lookup
nat (outside,outside) source static VPNPOOL-001-MD VPNPOOL-001-MD destination static remote_ix remote_ix
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
!
object network VPNPOOL-001-MD
 nat (any,outside) dynamic interface
object network VPNPOOL-001-MD-Telekom
 nat (any,outside-TELEKOM) dynamic interface
object network WLAN_Guest
 nat (GuestWLAN,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside-TELEKOM) after-auto source dynamic any interface
I pasted a full config (cleaned out the certificate and passwords) into the attachment. Any help and tips (also not related, which help me understand the Cisco ASA a bit better) are very appreciated. I did most of the config with the ASDM tool except the Active/Standby failover part, but I am also slowly getting familiar with the CLI.
Best regards
Daniel
08-11-2015 02:54 AM
Hi Daniel,
Try to configure the NAT exempt rules for VPN traffic as shown below:
nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
Use "any" instead of a specific destination interface, as NAT rules are checked in sequence.
Regards,
Abaji.
08-11-2015 11:02 PM
Thank you very much for your help, I will try it in the evening and will report back.
Edit:
I saw that you pointed out the auto-created objects DM_INLINE_NETWORK_X, so I took a step back, went over all the network objects, consolidated them, and in the end I was able to cut down 17 NAT rules to only a few :)
nat (inside,any) source static 001-ALL_MD_Networks 001-ALL_MD_Networks destination static 002-ALL_WBN_Networks 002-ALL_WBN_Networks no-proxy-arp route-lookup
nat (inside,any) source static 001-ALL_MD_Networks 001-ALL_MD_Networks destination static 003-ALL_FRA_Networks 003-ALL_FRA_Networks no-proxy-arp route-lookup
nat (inside,any) source static 001-ALL_MD_Networks 001-ALL_MD_Networks destination static 004-ALL_VIE_Networks 004-ALL_VIE_Networks no-proxy-arp route-lookup
!
object network VPNPOOL-001-MD
 nat (any,outside) dynamic interface
object network VPNPOOL-001-MD-Telekom
 nat (any,outside-TELEKOM) dynamic interface
object network WLAN_Guest
 nat (GuestWLAN,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside-TELEKOM) after-auto source dynamic any interface
Thank you very much again, you were a great help.
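The failure mode Abaji's answer fixes can be checked for mechanically before a route flip exposes it: a twice-NAT identity (NAT-exempt) rule written as `nat (inside,outside) ...` only matches when the egress interface is `outside`, so once the route moves to `outside-TELEKOM` the VPN traffic falls through to the `after-auto` dynamic PAT on that interface, which is exactly the asymmetric-NAT / reverse-path failure from the first post. The script below is an added example, not code from the thread or from Cisco. It parses manual NAT lines in the ASA CLI syntax shown above, treats every interface that carries a dynamic `source any ... interface` PAT rule as a possible egress interface (an assumption of this checker, not an ASA concept), and reports identity rules pinned to one such interface while a second exists, together with the `(inside,any)` rewrite suggested in the answer. The sample config is constructed from a handful of the rules quoted in the thread.

```python
"""Flag ASA twice-NAT exemption rules pinned to one egress interface
on a firewall that has several (the multi-ISP situation in this thread).

Added example; the config below is constructed from rules quoted in the
thread, and "egress interface" here simply means any interface that has a
dynamic 'source any' PAT rule pointing at it."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Manual (twice) NAT line: nat (src_if,dst_if) [after-auto] source {static|dynamic} REAL MAPPED
#                          [destination static REAL MAPPED] [options...]
NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)\s+"
    r"(?:after-auto\s+)?"
    r"source (?P<kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<opts>.*)$"
)


@dataclass
class NatRule:
    line: str
    src_if: str
    dst_if: str
    kind: str
    src_real: str
    src_mapped: str
    dst_real: Optional[str]
    dst_mapped: Optional[str]

    def is_identity(self) -> bool:
        # "source static X X destination static Y Y" translates nothing: a NAT exemption.
        return (self.kind == "static"
                and self.src_real == self.src_mapped
                and self.dst_real is not None
                and self.dst_real == self.dst_mapped)


@dataclass
class Finding:
    rule: NatRule          # the pinned exemption
    other_egress: str      # interface the route may flip to
    catcher: NatRule       # dynamic PAT rule that would translate the flow there


def parse_nat_rules(config_text: str) -> List[NatRule]:
    """Keep only manual NAT lines; object NAT and other config is ignored."""
    rules = []
    for raw in config_text.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            g = m.groupdict()
            rules.append(NatRule(raw.strip(), g["src_if"], g["dst_if"], g["kind"],
                                 g["src_real"], g["src_mapped"],
                                 g["dst_real"], g["dst_mapped"]))
    return rules


def egress_interfaces(rules: List[NatRule]) -> Set[str]:
    # Assumption: an interface with a dynamic PAT rule is one traffic can leave through.
    return {r.dst_if for r in rules if r.kind == "dynamic" and r.dst_if != "any"}


def find_pinned_exemptions(rules: List[NatRule]) -> List[Finding]:
    """Identity rules bound to one egress interface that a 'source any' dynamic
    rule on another egress interface would catch after a route change."""
    findings = []
    egress = egress_interfaces(rules)
    for r in rules:
        if not r.is_identity() or r.dst_if == "any":
            continue
        for other in sorted(egress - {r.dst_if}):
            catcher = next((d for d in rules
                            if d.kind == "dynamic" and d.dst_if == other
                            and d.src_if in (r.src_if, "any") and d.src_real == "any"),
                           None)
            if catcher:
                findings.append(Finding(r, other, catcher))
    return findings


def suggest_fix(rule: NatRule) -> str:
    # The same rule with the egress interface widened to "any", as in the accepted answer.
    return rule.line.replace(f"({rule.src_if},{rule.dst_if})", f"({rule.src_if},any)", 1)


# Constructed sample: a few of the rules from the first post plus the two after-auto PATs.
SAMPLE_CONFIG = """
nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF003-01-LAN-FRA RF003-01-LAN-FRA
nat (inside,any) source static any any destination static VPNPOOL-001-MD VPNPOOL-001-MD description VPN Users 001 Access
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside-TELEKOM) after-auto source dynamic any interface
"""

if __name__ == "__main__":
    for f in find_pinned_exemptions(parse_nat_rules(SAMPLE_CONFIG)):
        print(f"PINNED: {f.rule.line}")
        print(f"  after a route flip to {f.other_egress} it is caught by: {f.catcher.line}")
        print(f"  suggested: {suggest_fix(f.rule)}")
```

Run against the full running config, the checker reports the two pinned exemptions in the sample (the RF003 rule and the DM_INLINE rule) and leaves the `(inside,any)` VPN-pool rule alone; applying the suggested rewrite to each finding produces a rule set on which the checker reports nothing, which is the state the consolidated config in the last post is in.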