08-01-2016 02:20 AM
Hello dudes
I have a problem with a VPN.
Here is the architecture:
10.91.250.16 <<<<>>>> ASA <<<<>>>> TUNNEL <<<<>>>> CHECKPOINT <<<<>>>> 172.16.8.12
Before entering the tunnel, 10.91.250.16 is NATed to 10.10.249.1.
When I try to ping, I get this error message:
5 | Aug 01 2016 | 11:07:50 | 305013 | 10.91.250.16 | 172.16.8.12 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure |
I'll attach my configuration.
Thanks for your help
08-01-2016 02:57 AM
This is often caused by missing ICMP inspection. You can add the following config to enable it:
policy-map global_policy
 class inspection_default
  inspect icmp
08-01-2016 03:03 AM
Hello Karsten Iwen
Thanks for your reply.
Unfortunately, the problem remains.
I've made a packet-tracer:
packet-tracer input inside icmp 10.91.250.16 0 0 172.16.8.12
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL
nat (inside,outside) static NAT_CAMPUS<->CUSTOMER
Additional Information:
Static translate 10.91.250.16/0 to 10.10.249.1/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
08-01-2016 03:19 AM
OK, what do you want to achieve with the following NAT rule? Is that really what you want?
object network obj_any
 nat (any,inside) dynamic interface
If you wanted to add dynamic NAT for all outgoing traffic, the interface is wrong. Then you could configure it as follows and remove the above statement:
nat (any,outside) after-auto source dynamic any interface
08-01-2016 04:23 AM
Hey,
Thanks both of you.
To make it easier, here is the architecture.
With my computer (10.91.250.16) I want to reach all listed subnets in the customer LAN.
In my firewall, my IP address is NATed to 10.10.249.1/32.
But when I try to ping, I get this:
5 | Aug 01 2016 | 11:07:50 | 305013 | 10.91.250.16 | 172.16.8.12 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure |
Thanks for help :)
08-01-2016 05:59 AM
Okay fine.
Create an object-group that contains all the destination networks ("remote network"). Then add the static NAT:
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static destination_obj destination_obj
Let us know if this will help
08-01-2016 06:09 AM
Hello Dina Odeh,
Thanks for your reply, but it's not working. Same issue :'(
5 | Aug 01 2016 | 15:06:59 | 305013 | 10.91.250.16 | 172.16.8.12 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure |
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Best regards.
Olivier.
08-01-2016 06:14 AM
Hi Oliver,
Please send me "show run nat" and this output:
"packet-tracer input inside icmp 10.91.250.16 8 0 172.16.8.12 det"
08-01-2016 06:35 AM
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL destination static LAN_CUSTOMER NAT_CAMPUS<->CUSTOMER
!
object network obj_any
nat (any,inside) dynamic interface
!
nat (MANAGEMENT,outside) after-auto source dynamic any interface
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac04fedd0, priority=0, domain=nat-per-session, deny=true
hits=890438, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0fba920, priority=0, domain=inspect-ip-options, deny=true
hits=51627, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c6ee80, priority=70, domain=inspect-icmp, deny=false
hits=2500, user_data=0x2aaac2d393e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0fba130, priority=66, domain=inspect-icmp-error, deny=false
hits=5906, user_data=0x2aaac0fb96a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c79750, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=3481, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac10cd210, priority=6, domain=nat-reverse, deny=false
hits=3636, user_data=0x2aaac10cb390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Thanks for your help.
Best regards,
Olivier Chambelant
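As an added example (my own helper, not part of this thread or of Cisco's tooling), a small Python parser for packet-tracer output like the one posted above: it splits the trace into phases and returns the first phase that reports DROP together with the Config block the ASA attributes the drop to, so the offending NAT rule can be read off programmatically. The sample trace is a constructed abridgement of Olivier's output.

```python
# Constructed sample: an abridgement of the packet-tracer output posted in this thread.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
 nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
Action: drop
"""

def parse_phases(trace):
    # Returns one dict per phase: phase, type, subtype, result, config, info.
    phases, cur, section = [], None, None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif line == "Result:":      # a bare "Result:" opens the trailing summary
            cur = None
        else:
            key, sep, value = line.partition(":")
            key = key.strip().lower()
            if sep and key in ("type", "subtype", "result"):
                cur[key] = value.strip()
            elif sep and key in ("config", "additional information"):
                section = "config" if key == "config" else "info"
            elif section:            # body line belonging to the open section
                cur[section].append(line)
    return phases

def find_drop(phases):
    # First phase whose Result is DROP, or None if every phase allowed the packet.
    return next((p for p in phases if p["result"].upper() == "DROP"), None)
```

Running `find_drop(parse_phases(SAMPLE_TRACE))` on the sample returns phase 7 (NAT/rpf-check) with the obj_any dynamic NAT in its config, which is exactly the rule Karsten questioned.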
08-01-2016 06:39 AM
Oliver,
You put an incorrect NAT, not the one we mentioned above.
NAT should be like this:
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static destination_obj destination_obj
destination_obj is an object group that should contain all the customer networks in your graph above.
08-01-2016 06:42 AM
To be more specific, NAT should be like this:
nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static LAN_CUSTOMER LAN_CUSTOMER
08-01-2016 06:53 AM
Hi again.
I confirm that this is the case.
Thanks again.
Olivier.