Can't access machines on different subnets from VPN

Kenny Coleman
Level 1

I already know what you're thinking. Split Tunneling. Split Tunneling has been configured correctly.

Our default vlan is 192.168.3.0/24 and I can ping and access any and everything from the VPN to that subnet.

I have added 192.168.50.0/24 to the split tunneling ACL and routing is setup correctly on the ASA because a "show route" will display all the subnets.

When I try to ping 192.168.50.11 I see this error come up in the debugging log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.5.20 dest inside:192.168.50.11 (type 8, code 0) denied due to NAT reverse path failure.

I researched the Cisco system logs on Google and found the following:

305013

Error Message: %PIX|ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port dest interface_name:dest_address/dest_port denied due to NAT reverse path failure.

Explanation: An attempt to connect to a mapped host using its actual address was rejected.

Recommended Action: When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the applicable inspect command if the application embeds the IP address.

I'm not exactly sure what I'm supposed to do to allow the traffic from these other subnets to pass. The default vlan works, but no other vlans allow traffic. Thanks in advance!

2 Replies

Kenny Coleman
Level 1

Problems solved thanks to Nicholas Weaver at http://nickapedia.com/

Had to add the NAT exempt rule from the designated VLANs to the VPN Pool IPs.

I know this is an old thread, but thank you! As you can see from the logs below, I had a similar issue. After reading your second reply, I added an exempt rule to the NAT Rules on the ASA and everything is working perfectly. I can communicate with the internal LAN now.

"Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:VPN_Host10 dst inside:CORE-SW1 (type 8, code 0) denied due to NAT reverse path failure"
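For readers hitting the same 305013 message, here is an added example (not configuration posted by either reply, and not an official Cisco snippet) of the NAT exemption both replies describe, written for the ASA CLI. It assumes the VPN address pool is 192.168.5.0/24 (inferred from the source address 192.168.5.20 in the original log, so treat it as an assumption) and that the internal VLAN is the 192.168.50.0/24 from the thread; the object names are made up.

```cisco
! --- ASA 8.3 and later: identity ("twice") NAT exemption ---
! Objects for the internal VLAN and the (assumed) VPN pool.
object network OBJ-VLAN50
 subnet 192.168.50.0 255.255.255.0
object network OBJ-VPN-POOL
 subnet 192.168.5.0 255.255.255.0
!
! Translate each side to itself so the inside hosts keep their real
! addresses toward VPN clients. This is what removes the
! "asymmetric NAT rules / NAT reverse path failure" drop: the forward
! flow (VPN client -> VLAN 50) and the reverse flow (VLAN 50 -> VPN
! client) now match the same rule.
! no-proxy-arp / route-lookup are the usual options for VPN exemption;
! omit route-lookup if your release rejects it.
nat (inside,outside) source static OBJ-VLAN50 OBJ-VLAN50 destination static OBJ-VPN-POOL OBJ-VPN-POOL no-proxy-arp route-lookup
!
! Repeat the "source static" line for every VLAN that VPN users should
! reach; a missing VLAN produces the same 305013 message for that subnet.
!
! --- ASA 8.2 and earlier: NAT 0 with an access list instead ---
! access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 192.168.5.0 255.255.255.0
! nat (inside) 0 access-list NONAT
!
! --- Verification: simulate the reverse flow (inside host replying to
! the VPN client) and confirm the NAT phase shows the identity rule ---
! packet-tracer input inside icmp 192.168.50.11 0 0 192.168.5.20
! show nat detail
! show route 192.168.50.11
```

The exemption only fixes the NAT reverse-path check; the split-tunnel ACL and any interface access rules still decide what VPN users may actually reach, so keep those scoped to the VLANs they genuinely need.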