Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1269
Views
5
Helpful
4
Replies

Site-2-site Vpn 8.25(33) NAT reverse path failure.

dmooreami
Level 3
Level 3

‎09-23-2012 12:19 PM

Have a simple site-to-site tunnel setup. AES-128, SHA, Diffie 5.  Intresting traffic is 10.122.20.0/24, 10.194.20.0/24. Used the vpn wizard to setup on both ASA 5510's running 8.25(33) code. 

I can ping and traceroute down the tunnels, but I can't get two hosts  10.122.20.215 and 10.194.20.215 down the tunnel.

Errors in ASA B that sits on the 10.194 network is:

Asymmetric NAT rules matched for forward and reverse flows;

Connection for tcp src inside:10.194.20.161/38972 dst inside:10.122.20.161/80 denied due to NAT reverse path failure

I also had to add to both ASA's:

ip verify reverse-path interface inside

What in the world is going on here with this 8.2.5(33) code?  With 8.0.5, fire up the vpn site-to-site wizard, put the Outside Internet interfaces, define the "allowed intresting traffic across the tunnel", set up encryption phase1 and phase 2 and done. None of his "Ass Nat Rule" error, or needing "reverse-path" statements.

Suggestions?

I saw somewhere mentioned that your networks or was it hosts also needed to be defined in NAT0?

Huh, if that is the case why doesn't the Vpn Wizard do this.  I am running 8.2x(xx) code, not 8.3x.

This is my first time doing site-to-site Ipsec tunnels with 8.2 code.

In the past it has been 8.0.5 to 8.0.5 tunnel or an 8.2.x to 8.0.5 tunnels . Nevery had any of these issues before.

Thanks


Labels:
0 Helpful
4 Replies 4

Harish Balakrishnan
Spotlight
Spotlight

‎09-25-2012 11:25 PM

Hello

Can you post the ASA configuration ?

regards

Harish

0 Helpful

srikanth ath
Level 4
Level 4
In response to Harish Balakrishnan

‎09-26-2012 01:49 AM

Hello,

Mostly this would be nat issues.I think we need below output, Please post below on both firewalls.

  "show run nat", "show run static" and "show run global

Regards

srikanth

0 Helpful

dmooreami
Level 3
Level 3
In response to srikanth ath

‎09-26-2012 12:06 PM

Looks like I have asymetrical routing being done on a router configed by a vendor causing the issue. .

I need to correct this and I think my problem will go away. Firewall knew about it before they did.   I will update if this was indeed the case. Might be a couple weeks before I get maint. window .

Javier Portuguez
Level 9
Level 9
In response to dmooreami

‎09-26-2012 01:25 PM

I would suggest to check the routing issue and get back to us in case you would need further assistance.

For now, please feel free to mark this post as answered and rate the any helpful posts.

Thanks.

Portu

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents