ASA5505 SSL AnyConnect VPN & NAT Reverse Path Failure

Answered Question
Jan 27th, 2010

I've been working on this for a while and just haven't come up with a solution yet.

I have a Cisco ASA5505 setup at home and I am trying to use the AnyConnect client to VPN to it.  I've followed the ASA 8.x Split-Tunnel example but I am still missing something.

My home network is 10.170.x.x and I've set up the VPN address pool to be 10.170.13.x. I have a running Windows workstation at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside of the router itself is 10.170.0.1.

I can connect from the outside and am assigned an IP address of 10.170.13.10 but when I try to access any LAN resources via ICMP or opening a web page, the ASDM log shows a bunch of this:

5|Jan 27 2010|10:33:37|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:36|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:35|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:34|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:30|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:29|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:28|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:28|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:23|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:17|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:13|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:07|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure

I've tried several things with NAT but haven't been able to get past this.  Would someone mind looking at my running config and helping me out with this?  Thanks a bunch!

-Tim

Correct Answer
nsn-amagruder Wed, 01/27/2010 - 08:57

Couple things to check.

name 10.17.13.0 UFP-VPN-Pool  looks like it should be name 10.170.13.0 UFP-VPN-Pool

access-list inside_nat0_outbound extended permit ip Zero-List 255.255.0.0 UFP-VPN-Pool 255.255.255.0

looks like it should be

access-list inside_nat0_outbound extended permit ip Zero-List 255.255.255.0 UFP-VPN-Pool 255.255.255.0
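
Added example, not from the thread or from Cisco: a small Python model of the pre-8.3 ASA NAT lookup that reproduces the 305013 denial from the question with the typo the accepted answer spotted, then shows the corrected name clearing it. The config text is constructed from the lines the thread shows; Zero-List resolving to 10.170.0.0 and the `global (outside) 1 interface` line are assumptions, and the function names (`parse_305013`, `parse_config`, `nat_rule_for`, `check_vpn_flow`) are the example's own. The log line is the ICMP one from the question.

```python
"""Toy model of the pre-8.3 ASA NAT lookup (added example, not from the
thread): parse the thread's config fragment and log line, then show why the
forward and reverse lookups disagree for the VPN pool and why the fixed
'name' makes them agree."""
import ipaddress
import re

# Constructed config fragment mirroring the thread.  Zero-List = 10.170.0.0
# and the 'global (outside) 1 interface' line are assumptions; 10.17.13.0 is
# the typo the accepted answer found.
BROKEN_CONFIG = """\
name 10.170.0.0 Zero-List
name 10.17.13.0 UFP-VPN-Pool
access-list inside_nat0_outbound extended permit ip Zero-List 255.255.0.0 UFP-VPN-Pool 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("name 10.17.13.0 ", "name 10.170.13.0 ")

# The ICMP 305013 line from the question's ASDM log, verbatim.
LOG_LINE = ("5|Jan 27 2010|10:33:34|305013|10.170.0.6||||Asymmetric NAT rules "
            "matched for forward and reverse flows; Connection for icmp src "
            "outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied "
            "due to NAT reverse path failure")

_305013 = re.compile(r"Connection for (\w+) src (\w+):([\d.]+)(?:/\d+)? "
                     r"dst (\w+):([\d.]+)")


def parse_305013(line):
    """Return (proto, src_iface, src_ip, dst_iface, dst_ip) from a 305013 line."""
    m = _305013.search(line)
    if not m:
        raise ValueError("not a 305013 line")
    return m.groups()


def _net(addr, mask, names):
    """Resolve a 'name' alias and build a network from address + netmask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_config(text):
    """Collect name aliases, extended IP ACL entries and nat statements."""
    names, acls, nats = {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[5], t[6], names),
                                              _net(t[7], t[8], names)))
        elif t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append((iface, nat_id, "acl", t[4]))
            else:
                nats.append((iface, nat_id, "net", _net(t[3], t[4], names)))
    return names, acls, nats


def nat_rule_for(cfg, iface, src, dst):
    """Id of the first nat statement on `iface` matching src->dst.  Pre-8.3
    order: nat 0 access-list (exemption) is consulted before dynamic rules.
    None means no rule at all, i.e. the flow is left untranslated."""
    _, acls, nats = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, nat_id, kind, arg in sorted((n for n in nats if n[0] == iface),
                                       key=lambda n: n[1] != 0):
        if kind == "acl":
            if any(src in s and dst in d for s, d in acls.get(arg, [])):
                return nat_id
        elif src in arg:
            return nat_id
    return None


def check_vpn_flow(config_text, client, host):
    """Model the 305013 check for a VPN client (arriving on outside) reaching
    an inside host.  The forward lookup runs on outside, where there is no nat
    statement, so the host is expected untranslated.  The reverse lookup
    (host -> client, egress via inside) must agree: nat 0 (exempt) or no rule
    is fine; a dynamic rule (id > 0) would PAT the host, the two lookups
    disagree, and the ASA denies the connection."""
    cfg = parse_config(config_text)
    forward = nat_rule_for(cfg, "outside", client, host)
    reverse = nat_rule_for(cfg, "inside", host, client)
    if forward is None and reverse not in (None, 0):
        return False, (f"{client}->{host} denied: reverse flow matches nat id "
                       f"{reverse}, forward flow untranslated (305013)")
    return True, f"{client}->{host} allowed: reverse flow matches nat id {reverse}"


if __name__ == "__main__":
    _, _, client, _, host = parse_305013(LOG_LINE)
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, *check_vpn_flow(cfg, client, host))
```

The model only knows the rule types in the thread (nat 0 access-list exemption and a dynamic nat/global pair); static and policy NAT are not modelled. On ASA 8.3 and later the `nat 0 access-list` form no longer exists; the equivalent is a twice-NAT identity rule of the form `nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup`, and the same check applies: the objects must actually cover the pool you hand out.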

Timothy Garay Wed, 01/27/2010 - 11:05

Ugh!  I can't believe I missed that (10.17 instead of 10.170).

Changed it and it worked just fine.  Duh!

Thanks so much for catching that!

-Tim

james.bastnagel Wed, 01/27/2010 - 09:06

Tim

I just set this up on my new 5510 the other day and ran into the same issue.

Not terribly sure if this will fix it, but this is how I would do it to clean it up just a tad:

no access-list inside_nat0_outbound extended permit ip Zero-List 255.255.0.0 UFP-VPN-Pool 255.255.255.0
access-list inside_nat0_outbound permit ip 10.170.0.0 255.255.0.0 10.170.0.0 255.255.0.0
no access-list split-tunnel standard permit Zero-List 255.255.255.0
access-list split-tunnel standard permit 10.170.0.0 255.255.0.0
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 access-list split-tunnel

Let me know the results of that and I can send you a copy of my config to compare to if that doesn't work. There are also a lot of good resolutions to common remote access issues at this link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

James

Timothy Garay Wed, 01/27/2010 - 11:08

Thanks for the info.  At the moment, it looks like the lack of a "0" was the culprit.

I downloaded that PDF in case something else crops up.

-Tim
