
Outside NAT is not working when the traffic is coming via Site to Site tunnel

Hi All,

 

I have a tunnel established between Site A and Site B. Post configuration the tunnel was up; however, inbound traffic from the other end is not working.

 

I enabled outside NAT in the ASA.

 

Nat (outside) 3 10.77.215.0 255.255.255.128

global (Inside) 3 10.238.214.2

 

This is the error I am getting in the box.

 

May 08 2015 08:02:41 TRV-DAL-CUSTVPN-FW1 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src OUTSIDE:10.77.215.80 dst INSIDE:10.240.61.232 (type 8, code 0) denied due to NAT reverse path failure

3 Replies

What do you want to achieve? Do you really have to NAT the tunnel-traffic? If not needed, configuring NAT-Exemption would be the better way.

Mohammad Alhyari
Cisco Employee

When you define NAT for traffic traversing from a low to a high security interface, you need to use the outside keyword at the end of the nat statement:

Nat (outside) 3 10.77.215.0 255.255.255.128 outside.

 

Moh.

Hi Mohammad,

 

I did that, but it was affecting other static NATs. When I checked with Cisco TAC, they said I need to disable nat control in order to enable it.
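
An added example, not part of the original thread: a small Python parser for the %ASA-5-305013 message quoted in the question, which tallies the flows being denied for NAT reverse path failure so the mismatched NAT rules can be narrowed down by source and destination. Only the first sample line comes from the thread; the other sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Body of an ASA 305013 message. Ports are absent for ICMP, which logs
# "(type N, code N)" after the destination instead.
ASA_305013 = re.compile(
    r"%ASA-5-305013: .*?Connection (?:for )?(?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r".*?denied due to NAT reverse path failure"
)

def parse_305013(line):
    """Return the flow fields of a 305013 message, or None for other lines."""
    m = ASA_305013.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count NAT reverse-path denials per (protocol, source, destination)."""
    hits = Counter()
    for line in lines:
        f = parse_305013(line)
        if f:
            key = (f["proto"],
                   f"{f['src_if']}:{f['src_ip']}",
                   f"{f['dst_if']}:{f['dst_ip']}")
            hits[key] += 1
    return hits

# First line is the message quoted in the thread; the rest are constructed.
SAMPLE = [
    "May 08 2015 08:02:41 TRV-DAL-CUSTVPN-FW1 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src OUTSIDE:10.77.215.80 dst INSIDE:10.240.61.232 (type 8, code 0) denied due to NAT reverse path failure",
    "May 08 2015 08:02:42 TRV-DAL-CUSTVPN-FW1 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src OUTSIDE:10.77.215.80 dst INSIDE:10.240.61.232 (type 8, code 0) denied due to NAT reverse path failure",
    "May 08 2015 08:02:44 TRV-DAL-CUSTVPN-FW1 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OUTSIDE:10.77.215.81/51514 dst INSIDE:10.240.61.232/443 denied due to NAT reverse path failure",
    "May 08 2015 08:02:45 TRV-DAL-CUSTVPN-FW1 : %ASA-6-302013: Built inbound TCP connection 1001 for OUTSIDE:10.77.215.82/51000 (10.77.215.82/51000) to INSIDE:10.240.61.232/443 (10.240.61.232/443)",
]

if __name__ == "__main__":
    # Most frequently denied flows first.
    for flow, count in summarize(SAMPLE).most_common():
        print(count, *flow)
```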