Dual ISP - Active/Standby Configuration Site2Site VPN Problem (nat-xlate-failed, Asymmetric NAT rules matched for forward and reverse flows)

dwernle_st (Level 1)

Hello,

I'm quite new to Cisco devices, so maybe there is an easy way I just don't know to solve the problem I have.

We have 2 ISP connections and 2 ASA 5505 (Sec Plus) devices here in our office. I was able to set up ISP failover and an Active/Standby unit after some learning and Internet research without much trouble. If the "KabelPlus-Modem" goes down, the ASA switches over to the backup route (Telekom Austria router) and the Internet is working fine.

Here is the setup:

The VPN is working fine as long as it runs over the KabelPlus-Modem; as soon as it switches to the Telekom line I can see that the VPN is built up and actually running, but NAT doesn't like me anymore.

The error states: Asymmetric NAT rules matched for forward and reverse flows; denied due to NAT reverse path failure

In the packet trace I got a (nat-xlate-failed)

I'm a bit confused by the Cisco NAT rules, but I think I slowly understand them somehow :)

Shouldn't the last 2 lines take care of the translation?

nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF003-01-LAN-FRA RF003-01-LAN-FRA
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.140.148.0_24 NETWORK_OBJ_10.140.148.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static RF001-01-LAN-MD RF001-01-LAN-MD no-proxy-arp route-lookup
nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF002-01-LAN-WBN RF002-01-LAN-WBN no-proxy-arp route-lookup
nat (inside,outside) source static RF001-01-LAN-MD RF001-01-LAN-MD destination static RF002-01-VPN-Anyconnect-WBN RF002-01-VPN-Anyconnect-WBN no-proxy-arp
nat (inside,any) source static any any destination static VPNPOOL-001-MD VPNPOOL-001-MD description VPN Users 001 Access
nat (inside,outside) source static NETWORK_OBJ_10.140.145.0_24 NETWORK_OBJ_10.140.145.0_24 destination static RF004-01-LAN-VIE RF004-01-LAN-VIE no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static RF004-01-LAN-VIE RF004-01-LAN-VIE no-proxy-arp route-lookup
nat (outside,outside) source static VPNPOOL-001-MD VPNPOOL-001-MD destination static RF004-01-LAN-VIE RF004-01-LAN-VIE
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.140.148.0_27 NETWORK_OBJ_10.140.148.0_27 no-proxy-arp route-lookup
nat (inside,outside) source static intern_10.140.145.0 intern_10.140.145.0 destination static remote_wiesbaden remote_wiesbaden no-proxy-arp route-lookup
nat (inside,outside) source static intern_10.140.145.0 intern_10.140.145.0 destination static remote_wbn_anyconnect remote_wbn_anyconnect no-proxy-arp
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.169.0_26 NETWORK_OBJ_192.168.169.0_26 no-proxy-arp route-lookup
nat (outside,outside) source static VPNPOOL-001-MD VPNPOOL-001-MD destination static remote_ix remote_ix
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
!
object network VPNPOOL-001-MD
 nat (any,outside) dynamic interface
object network VPNPOOL-001-MD-Telekom
 nat (any,outside-TELEKOM) dynamic interface
object network WLAN_Guest
 nat (GuestWLAN,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside-TELEKOM) after-auto source dynamic any interface

I pasted a full config (cleaned out the certificate and passwords) into the attachment. Any help and tips (also unrelated ones which help me understand the Cisco ASA a bit better) are very appreciated. I did most of the config with the ASDM tool except the Active/Standby failover part, but I am also slowly getting familiar with the CLI.

Best regards

Daniel

1 Accepted Solution

Abaji Rawool (Level 3)

Hi Daniel,

Try to configure the NAT exempt rules for VPN traffic as shown below:

nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup

Use any instead of a specific destination interface, as NAT rules are checked in sequence.

Regards,

Abaji.

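As an added example (not code from the thread or from Abaji's answer), here is the rule shape that breaks during ISP failover beside the interface-agnostic form the accepted answer recommends, followed by the exec commands I would use on the ASA to confirm which NAT rule a flow actually hits. Interface and object names are the ones in the thread; the two host addresses and the TCP ports in the packet-tracer line are assumptions chosen to fall inside 10.140.145.0/24 (local) and 10.140.148.0/24 (remote site).

```cisco
! Added example, not from the thread. Object and interface names are the thread's;
! the host addresses and ports in the checks below are made up for illustration.

! Before: the identity ("NAT exempt") rule is pinned to the interface pair (inside,outside).
! While the tracked default route points out "outside" it matches. Once the route moves to
! outside-TELEKOM the pair no longer matches, the after-auto PAT line for
! (inside,outside-TELEKOM) translates the source to the interface address instead, and the
! forward and reverse lookups no longer land on the same rule, which is consistent with the
! "Asymmetric NAT rules matched ... NAT reverse path failure" message and nat-xlate-failed.
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup

! After: "any" as the mapped interface, so the same identity rule is selected whichever
! outside interface the route lookup picks. Keep it in section 1 (the manual NAT rules
! above the "after-auto" lines): the ASA walks section 1 top down and takes the first match,
! so a broad dynamic PAT placed above it would still win.
nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup

! Checks (privileged exec). Hypothetical hosts: 10.140.145.10 local, 10.140.148.10 remote.
! 1. Which ISP interface is the current default route using (i.e. has the tracked route
!    already failed over)?
show route | include 0.0.0.0
! 2. Trace a LAN-to-remote-site packet while the Telekom line is active: the NAT phase
!    should name the identity rule above and the final result should be ALLOW, not
!    nat-xlate-failed.
packet-tracer input inside tcp 10.140.145.10 12345 10.140.148.10 445 detailed
! 3. Confirm the identity rule is the one accumulating translate_hits / untranslate_hits,
!    and that the after-auto PAT lines are not counting the VPN traffic.
show nat detail
```

Run the packet-tracer once with each ISP active (pull the KabelPlus side, or wait for the tracked route to switch) so both egress interfaces are exercised; a rule that only passes the trace on one of them is still pinned somewhere.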


Thank you very much for your help, I will try it in the evening and will report back.

edit:

I saw that you pointed out the auto-created objects DM_INLINE_NETWORK_X, so I took a step back and went over all the network objects, consolidated them, and in the end I was able to cut down 17 NAT rules to only a few :)

nat (inside,any) source static 001-ALL_MD_Networks 001-ALL_MD_Networks destination static 002-ALL_WBN_Networks 002-ALL_WBN_Networks no-proxy-arp route-lookup
nat (inside,any) source static 001-ALL_MD_Networks 001-ALL_MD_Networks destination static 003-ALL_FRA_Networks 003-ALL_FRA_Networks no-proxy-arp route-lookup
nat (inside,any) source static 001-ALL_MD_Networks 001-ALL_MD_Networks destination static 004-ALL_VIE_Networks 004-ALL_VIE_Networks no-proxy-arp route-lookup
!
object network VPNPOOL-001-MD
 nat (any,outside) dynamic interface
object network VPNPOOL-001-MD-Telekom
 nat (any,outside-TELEKOM) dynamic interface
object network WLAN_Guest
 nat (GuestWLAN,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside-TELEKOM) after-auto source dynamic any interface

Thank you very much again, you were a great help.