Solved: RemoteAccess & NAT config in asa8.3

Nemesis1337 · ‎11-25-2010

I have setup a small lan at 192.168.30.x and configured anytime clients on 192.168.31.x, also when i get this to work i will have a remote network over a ipsec tunnel at 192.168.1.x, I want 30.x ips nated when accessing internet (31.x, 1.x don't need internet). I haven't used nat in cisco switches before so i'm a bit lost,

object network Net30
range 192.168.30.5 192.168.30.36

object network Net30
nat (inside,outside) dynamic interface

This is what i have placed in my config to nat 30.x, but when i did 31.x ip's stopped working, and "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.31.11 dst inside:192.168.30.5 (type 8, code 0) denied due to NAT reverse path failure" turns up in the log files , i have tried a few different setups and also tried to find config examples on the net, but they are mostly for pre asa8.3, please help, full config attached (brbly with a few junk lines from many hours of fiddling)

Jennifer Halim · ‎11-25-2010

On top of the NAT that you already configured, you also need the following NAT exemption:

object network obj-192.168.31.0

subnet 192.168.31.0 255.255.255.0

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.30.0

subnet 192.168.30.0 255.255.255.0

nat (inside,outside) source static obj-192.168.30.0 obj-192.168.30.0 destination static obj-192.168.31.0 obj-192.168.31.0

nat (inside,outside) source static obj-192.168.30.0 obj-192.168.30.0 destination static obj-192.168.1.0 obj-192.168.1.0

And of course "clear xlate" after the above changes.

Hope that helps.

View solution in original post

Jennifer Halim · ‎11-25-2010