cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2207
Views
0
Helpful
16
Replies

NAT issue ton VPN

Hello dudes

I have a problem with a VPN.

Here the architecture:

10.91.250.16 <<<<>>>> ASA <<<<>>>> TUNNEL<<<<>>>> CHECKPOINT <<<<>>>> 172.16.8.12

Before to enter in tunnel 10.91.250.16 is nated to 10.10.249.1.

When I try to ping, I get this error message: 

5 Aug 01 2016 11:07:50 305013 10.91.250.16 172.16.8.12 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure

I'll attach my configuration.

Thanks for your help

1 Accepted Solution

Accepted Solutions

To Be more specified, NAT should be like this: 

nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static LAN_CUSTOMER LAN_CUSTOMER

View solution in original post

16 Replies 16

This is often caused by missing ICMP-inspection. You can add the following config to enable it:

policy-map global_policy
 class inspection_default
  inspect icmp

Hello Karsten Iwen

Thanks for your reply.

Unfortunately, the problem remains. 

I've made a packet-tracer:

packet-tracer input inside icmp 10.91.250.16 0 0 172.16.8.12
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL
nat (inside,outside) static NAT_CAMPUS<->CUSTOMER
Additional Information:
Static translate 10.91.250.16/0 to 10.10.249.1/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop

ok, what do you want to achieve with the following NAT-rule? Is that really what you want?

object network obj_any
 nat (any,inside) dynamic interface

If you wanted to add the dynamic NAT for all outgoing traffic, the interface is wrong. Then you could configure it as following and remove the above statement:

nat (any,outside) after-auto source dynamic any interface

Hey,

Thanks both of you.

To make it easier, here the architecture

With my computer (10.91.250.16) I want to reach all listed subnets in customer LAN.

In my firewall, my IP address is nated to 10.10.249.1 /32.

But, when I try to ping, i get that:

5 Aug 01 2016 11:07:50 305013 10.91.250.16 172.16.8.12

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure

Thanks for help :)

Okay fine. 

Create an object-group that should contain all the destination network "remote network". Then add the static NAT : 

nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static destination_obj destination_obj 

Let us know if this will help 

Hello Dina Odeh,

Thanks for you reply but it's not working. Same issue :'(

5 Aug 01 2016 15:06:59 305013 10.91.250.16 172.16.8.12 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:10.91.250.16 dst outside:172.16.8.12 (type 8, code 0) denied due to NAT reverse path failure

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop

Best regards.

Olivier.

Hi Oliver, 

Send me please "show run nat" and this output: 

"packet-tracer input inside icmp 10.91.250.16 8 0 172.16.8.12 det" 

nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL destination static LAN_CUSTOMER NAT_CAMPUS<->CUSTOMER
!
object network obj_any
nat (any,inside) dynamic interface
!
nat (MANAGEMENT,outside) after-auto source dynamic any interface

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 88.164.214.254 using egress ifc outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac04fedd0, priority=0, domain=nat-per-session, deny=true
hits=890438, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0fba920, priority=0, domain=inspect-ip-options, deny=true
hits=51627, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c6ee80, priority=70, domain=inspect-icmp, deny=false
hits=2500, user_data=0x2aaac2d393e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0fba130, priority=66, domain=inspect-icmp-error, deny=false
hits=5906, user_data=0x2aaac0fb96a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac1c79750, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=3481, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,inside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac10cd210, priority=6, domain=nat-reverse, deny=false
hits=3636, user_data=0x2aaac10cb390, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: drop

Thanks for you help.

Best regards,

Olivier Chambelant

Oliver, 

You put an incorrect NAT, not the one we mentioned above. 

NAT should be like this: 

nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static destination_obj destination_obj 

Destination_obj --- Is an object group that should have all the customer network in your graph above. 

To Be more specified, NAT should be like this: 

nat (inside,outside) source static HOST_CAMPUS_LISSES_SERVEURS_ERPVIRTUEL NAT_CAMPUS<->CUSTOMER destination static LAN_CUSTOMER LAN_CUSTOMER

Hi again.

I confirm that this is the case.

Thanks again.

Olivier.

Nice. 

You are welcome !!

Hey,

Sorry, but I still can't access to my CUSTOMER LAN :'(

Best regards.

Olivier.

Hello Olivier,

The RPF Check failure happens when a NAT rule is hit when traffic is going out, and a different NAT rule is hit when traffic is coming back in.

To try and avoid this configure the NAT rule on a higher sequence number for it to be taking precedence. Also add the route-lookup at the end of the command to make sure the path follows the nat rules based on the routing table (since the dynamic nat is configured (any,outside) it is normally used to make sure the nat rule is applied correctly).

Also check if there is a xlate entry "stuck" performing the dynamic nat.

you may "clear xlate local [local ip address]" if there is a conflicting xlate.

The example of the nat rule is:

nat (inside,outside) 1 source static HOST_SOLUTYS_LISSES_SERV EURS_SAGEVIRTUEL NAT_SOLUTYS<->SAMSE destination static LAN_SAMSE LAN_SAMSE no-proxy-arp route-lookup