Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2691
Views
5
Helpful
3
Replies

Site-to-Site VPN: Asymmetric NAT rules matched for forward and reverse flows

dedra_live
Level 1
Level 1

‎05-09-2011 09:46 AM

Hello,
We are currently running site-to-site VPN with another customer. Customer has configured VPN on the router and on our side it is the ASA 8.2(4)
We have exposed a public IP on the ASA which is statically natted to a private internal IP for all 'internet' users. The same private IP needs to be accessed by the customer through VPN (i.e. bypassing the public IP).
However, we get to see the following error on our ASA
: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows;
Connection for tcp src outside-INTERNET:172.1.2.50/28996 dst inside-ASA-IPS1:10.1.2.50/80 denied due to NAT reverse path failure
The connection initiated  by the customer reaches our ASA and gives the above error.
However, the customer is able access the private IP other than 10.1.2.50 (an IP which is not defined against any NAT command on the ASA).
Is there any NAT0 to be defined for inbound traffic i.e. from customer to us or anything else to make it go through.
The traffic from us to customer is working without any problem. The issue is only from customer to us.
Please assist.
Thanks.
Labels:
0 Helpful
3 Replies 3

Yudong Wu
Level 7
Level 7

‎05-09-2011 02:04 PM

can you paste all nat/global/static configuration and related ACL if it is used by any NAT?

In general, we use nat 0 to bypass vpn traffic from being nat-ed.

0 Helpful

dedra_live
Level 1
Level 1
In response to Yudong Wu

‎05-09-2011 02:43 PM

Hello,


- show run nat

nat (inside-ASA) 0 access-list inside-ASA_nat0_outbound
nat (inside-ASA) 1 0.0.0.0 0.0.0.0

- show run global


global (outside) 1 interface


- show run static

static (inside-ASA,outside) tcp 80.224.20.10 https 10.1.2.50 https netmask 255.255.255.255

- Related ACL

access-list inside-ASA-nat0_outbound extended permit ip object-group Server_Pool host 172.1.2.50

Server_Pool members are 10.1.2.11 and 10.1.2.12.

10.1.2.50 is the load balancer virtual IP and 10.1.2.11/12 are servers behind it.

The issue I am facing is on the traffic from 172.1.2.50 to 10.1.2.50

Thanks.

0 Helpful

Yudong Wu
Level 7
Level 7
In response to dedra_live

‎05-09-2011 03:39 PM

You just need include the traffic from 10.1.2.50 to 172.1.2.50 into nat 0, so what you need to do is to add 10.1.2.50 into object-group Server_Pool

Customers Also Viewed These Support Documents