NAT reverse path failure over IPsec VPN

bradfarrell01
Level 1

Trying to set up a site-to-site IPsec VPN to a remote pharmacy we just purchased. The tunnel is up and most traffic goes through just fine but when trying to access one of our servers traffic is either very slow or times out completely, and I get the following showing up in the syslog:

NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.0.0.2 dst inside:10.0.0.30 (type 3, code 4) denied due to NAT reverse path failure

Pretty new to working with ASAs. Any help would be much appreciated.

show running-config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.10.2 255.255.255.0
!
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group network Internal
 network-object 10.0.0.0 255.255.255.0
 network-object Seattle 255.255.255.0
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any any eq ftp inactive
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any any eq 1280
access-list outside_access_in extended permit ip 192.168.250.0 255.255.255.0 any
access-list outside_access_in extended permit ip host 24.234.184.180 any
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group Internal 10.0.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.252.0 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.250.0 255.255.255.0

show crypto isa sa:

 Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 24.234.184.180
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Bham# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 10.1.10.2

      access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.250.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)
      current_peer: 24.234.184.180

      #pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56
      #pkts decaps: 56, #pkts decrypt: 56, #pkts verify: 56
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 56, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.1.10.2/4500, remote crypto endpt.: 24.234.184.180/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: CA2A7497
      current inbound spi : 5F60C0A2

    inbound esp sas:
      spi: 0x5F60C0A2 (1600176290)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, }
         slot: 0, conn_id: 65536, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373996/2022)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x01FFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCA2A7497 (3391779991)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 1, }
         slot: 0, conn_id: 65536, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373996/2020)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

show nat:

NAT policies on Interface inside:
  match ip inside 10.0.0.0 255.255.255.0 inside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.1.0 255.255.255.0 inside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 inside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside Seattle 255.255.255.0 inside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.252.0 inside 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 1
  match ip inside 10.0.0.0 255.255.255.0 inside 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.1.0 255.255.255.0 inside 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 outside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 6560, untranslate_hits = 0
  match ip inside 10.0.1.0 255.255.255.0 outside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 outside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside Seattle 255.255.255.0 outside 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.252.0 outside 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 135, untranslate_hits = 310
  match ip inside 10.0.0.0 255.255.255.0 outside 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.1.0 255.255.255.0 outside 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 _internal_loopback 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.1.0 255.255.255.0 _internal_loopback 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 _internal_loopback 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside Seattle 255.255.255.0 _internal_loopback 10.0.4.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.252.0 _internal_loopback 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 _internal_loopback 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.1.0 255.255.255.0 _internal_loopback 192.168.250.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host ISA eq 1723 outside any
    static translation to 10.1.10.2/1723
    translate_hits = 2, untranslate_hits = 48
  match tcp inside host ISA eq 80 outside any
    static translation to 10.1.10.2/80
    translate_hits = 2, untranslate_hits = 176
  match tcp inside host crx04 eq 110 outside any
    static translation to 10.1.10.2/110
    translate_hits = 246, untranslate_hits = 26677
  match tcp inside host crx04 eq 443 outside any
    static translation to 10.1.10.2/443
    translate_hits = 750, untranslate_hits = 9931
  match tcp inside host crx04 eq 25 outside any
    static translation to 10.1.10.2/25
    translate_hits = 384, untranslate_hits = 4784
  match tcp inside host crx04 eq 143 outside any
    static translation to 10.1.10.2/143
    translate_hits = 0, untranslate_hits = 395
  match tcp inside host Web eq 21 outside any
    static translation to 10.1.10.2/21
    translate_hits = 0, untranslate_hits = 19
  match tcp inside host QS1_LDM eq 1280 outside any
    static translation to 10.1.10.2/1280
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 1, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (10.1.10.2 [Interface PAT])
    translate_hits = 281605, untranslate_hits = 37842
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0

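The syslog line above can be reproduced with a small model of the ASA 8.2 NAT lookup. This is an added example, not code from the post or from Cisco: the exemption rules and the interface PAT are copied from the posted config, and the lookup order (exemption, then dynamic PAT) is simplified to the two rule types the logged flow touches. It checks the forward flow (outside 10.0.0.2 to inside 10.0.0.30) against the reverse flow the ASA builds (inside 10.0.0.30 back to 10.0.0.2) and reports whether the two agree, then runs the same check for a source in the tunnel's remote subnet 192.168.250.0/24.

```python
"""Simplified ASA 8.2 NAT reverse-path check (added example, not from the post)."""
from ipaddress import ip_address, ip_network

# Constructed from the posted inside_nat0_outbound ACL: (src net, dst net) pairs
# that are exempt from NAT when leaving the inside interface.
NAT0_EXEMPT = [
    ("10.0.0.0/24", "10.0.4.0/24"),
    ("10.0.1.0/24", "10.0.4.0/24"),
    ("10.0.0.0/22", "192.168.250.0/24"),
    ("10.0.0.0/24", "192.168.250.0/24"),
    ("10.0.1.0/24", "192.168.250.0/24"),
]
# Catch-all interface PAT from "match ip inside any outside any" in show nat.
PAT_ADDRESS = "10.1.10.2"


def translate(ingress, src, dst):
    """Return (rule name, translated source) for a flow entering `ingress`.
    The posted config has NAT rules on inside only; outside->inside is untouched.
    Assumption: lookup order is exemption ACL first, then dynamic PAT."""
    if ingress != "inside":
        return ("no NAT on outside", src)
    for s_net, d_net in NAT0_EXEMPT:
        if ip_address(src) in ip_network(s_net) and ip_address(dst) in ip_network(d_net):
            return (f"nat0 exempt {s_net} -> {d_net}", src)
    return ("dynamic interface PAT", PAT_ADDRESS)


def reverse_path_check(ingress, egress, src, dst):
    """Mimic the ASA's forward + reverse lookup for a new connection.
    The reverse flow (dst -> src, entering `egress`) must map dst back to the
    address the forward packet was sent to; if it maps elsewhere, the ASA
    denies the connection with 'NAT reverse path failure'."""
    fwd_rule, _ = translate(ingress, src, dst)
    rev_rule, rev_src = translate(egress, dst, src)
    return rev_src == dst, fwd_rule, rev_rule, rev_src


if __name__ == "__main__":
    # Flow from the syslog line. Note 10.0.0.2 is also the ASA's own Vlan1
    # (inside) address in the posted config, yet it arrives on outside.
    for src in ("10.0.0.2", "192.168.250.10"):
        ok, fwd, rev, rev_src = reverse_path_check("outside", "inside", src, "10.0.0.30")
        verdict = "allowed" if ok else "denied (NAT reverse path failure)"
        print(f"outside:{src} -> inside:10.0.0.30: {verdict}")
        print(f"  forward: {fwd}; reverse: {rev} -> {rev_src}")
```

With the posted rules the first flow is denied because the reverse lookup for 10.0.0.30 to 10.0.0.2 matches no exemption and falls to the interface PAT (10.1.10.2), while a source inside 192.168.250.0/24 is exempt in both directions and passes.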
1 Reply

rizwanr74
Level 7

If you post the whole config, it would be easier to troubleshoot.