Firepower 1010 ASA VPN change remote machine IP to ASA IP

yritystuki
Level 1

Hello,

I'm trying to recreate a VPN we had on our old decommissioned 5506-X sec plus.

We had a VPN that would change the remote device's IP to our office's public IP (we need this to access other devices using SSH). We've tried many different configurations, and they all give us the same error:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.113.113.1/64312(LOCAL\User) dst outside:1.1.1.1/53 denied due to NAT reverse path failure.

We have tried different NAT settings, but nothing seems to affect the issue.

Any help will be much appreciated!

1 Reply

To solve the NAT reverse path failure in VPN on 5506-X, you can follow these troubleshooting steps:

1. Use the packet tracer utility to verify that a packet hits the NAT policy. This utility allows you to specify a sample packet that enters the ASA and shows what configuration applies to the packet and if it is permitted or not.

2. View the output of the 'show nat detail' command to see the NAT policy table. Check the translate_hits and untranslate_hits counters to determine which NAT entries are used on the ASA. If your new NAT rule has no translate_hits or untranslate_hits, it means either the traffic does not arrive at the ASA or a different rule with a higher priority in the NAT table matches the traffic.

3. Ask yourself some troubleshooting questions to identify the issue:
- Is there a different NAT rule that takes precedence over the NAT rule you intend for the traffic to hit?
- Is there a different NAT rule with object definitions that are too broad, causing the traffic to match the wrong rule?
- Are the manual NAT policies out-of-order, causing the packet to match the wrong rule?
- Is your NAT rule incorrectly configured, causing it to not match your traffic?

4. Check for common problems with NAT configurations:
- Traffic fails due to NAT Reverse Path Failure (RPF) error: This can be due to asymmetric NAT rules matched for forward and reverse flows. Ensure the host sends data to the correct global NAT address and check the NAT rules that are hit by the connection.

- Manual NAT Rules are out-of-order, which causes incorrect packet matches: If the manual NAT rules are processed in the wrong order, a broad rule listed first can override a more specific rule farther down in the NAT table. Reorder the NAT rules or use ASDM (Cisco Adaptive Security Device Manager) to reorder the rules.

- NAT rule matches traffic inadvertently due to a rule being too broad: If a NAT rule is too broad and matches traffic inadvertently, you should reduce the scope of the objects or move the rules farther down the NAT table.

- NAT rule diverts traffic to an incorrect interface: NAT rules can take precedence over the routing table in determining the egress interface for a packet. If a NAT rule diverts traffic to the wrong interface, you can reorder the NAT table, use non-overlapping global IP address ranges, or use the route-lookup option in identity NAT rules.

- A NAT rule causes the ASA to proxy Address Resolution Protocol (ARP) for traffic on the mapped interface: The ASA proxies ARP for the global IP address range in a NAT statement on the global interface. To disable Proxy ARP on a per-NAT rule basis, add the 'no-proxy-arp' keyword to the NAT statement.

By following these steps, you should be able to solve the NAT reverse path failure issue you are experiencing.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
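For reference, the configuration shape the question describes (remote-access VPN clients whose traffic U-turns out the outside interface and is PAT'd to the ASA's outside address) looks like the following on ASA software, including on a Firepower 1010 running ASA. This is an added example written for this page; it is not the poster's configuration, not the reply's, and not a Cisco document. The pool 10.113.113.0/24 is inferred from the single client address in the syslog, and the object names, the inside subnet 192.168.1.0/24 and the interface names are assumptions.

```cisco
! Added example configuration, not taken from the thread. Names, the inside
! subnet and the /24 pool mask are assumptions; adjust to the real network.

! A U-turn (traffic entering and leaving the outside interface) is dropped
! unless intra-interface traffic is explicitly permitted.
same-security-traffic permit intra-interface

! Address pool handed to the VPN clients (assumed /24 around 10.113.113.1).
object network VPN_POOL
 subnet 10.113.113.0 255.255.255.0

! Inside subnet reached by VPN clients (assumed value).
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0

! Identity NAT so client<->inside traffic keeps real addresses. route-lookup
! lets the routing table, not this rule, pick the egress interface, and
! no-proxy-arp stops the ASA from answering ARP for the inside range.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! The hairpin rule: client traffic that leaves through the outside interface
! is PAT'd to the outside interface address, so the remote SSH servers see
! the office public IP rather than the pool address.
nat (outside,outside) source dynamic VPN_POOL interface

! Verification: replay the exact flow the syslog denied and read which NAT
! rule the forward and reverse lookups select, then confirm the hairpin
! rule's translate_hits counter increases.
packet-tracer input outside udp 10.113.113.1 64312 1.1.1.1 53 detailed
show nat detail
```

If packet-tracer still reports the asymmetric-NAT drop, the rule it names in the NAT phase is the one to compare against the reverse flow: a broader manual rule listed above the (outside,outside) entry, or one written with `any` as the source, is the usual reason the two lookups disagree, and moving that rule below the hairpin rule or narrowing its objects is the fix the reply's steps 3 and 4 describe.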