Asymmetric NAT rules

Answered Question
Jun 29th, 2010

I'm trying to set up another IPsec VPN group and policy.  So far, I can connect with it, and I can ping the ASA 5505, but nothing else on the inside.  The funny thing is, I've got another group and policy set up that works fine.  I've tried to emulate it but I can't figure out what I'm doing wrong.  I'm getting this error in the log:


Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure.


Attached is a network diagram.  Thanks for your help.

Marcin Latosiewicz Tue, 06/29/2010 - 10:01
User Badges: Cisco Employee

Andy,


Attach

------

show run nat

sh run global

sh run static

------

(and access-lists mentioned in sh run nat command)


Also tell us which subnets are local and remote (also in case of "working fine" scenario)


Marcin

aboatman2000 Tue, 06/29/2010 - 10:23

Attached is the "show run nat" command's output.  "sh run global" and "sh run static" do not work.  The commands appear to not exist.  I must mention that I am running 8.3(1) on an ASA 5505, if that makes a difference.  10.4.70.0/24 is the subnet on the inside I'm trying to reach.  The VPN pool is using 10.4.71.0/24.  The VPN group that works uses a VPN pool that consists of 10.4.17.248/29. 

Correct Answer
Marcin Latosiewicz Tue, 06/29/2010 - 23:20
User Badges: Cisco Employee

Andy,


Yes, 8.3 does make a difference.


Well I can suggest quite a few ways out of this.


And this is what you need to add ... a sort of NAT exemption from previous versions.

nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0



Edit: corrected IP addresses. If 10.4.70.0/24 is local and 10.4.71 remote, you need to add an exemption here.
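
The nat line above assumes the two network objects already exist. As an added example (not part of Marcin's post or the thread's attached output), here is the complete 8.3+ configuration for the scenario described: the object definitions, the identity twice-NAT rule, and the commands to confirm it. Object names are the ones Marcin used; the /24 masks come from the original question.

```cisco
! Added example, not from the thread. Objects for the inside LAN and the VPN pool
! (names as in Marcin's post; masks taken from the OP's description of both /24s).
object network obj-10.4.70.0
 subnet 10.4.70.0 255.255.255.0
object network obj-10.4.71.0
 subnet 10.4.71.0 255.255.255.0
!
! Identity (no-translation) rule between the inside LAN and the VPN pool.
! Manual (twice) NAT is evaluated before object NAT, so both the forward flow
! (VPN client -> inside host) and the reverse flow (inside host -> VPN client)
! match this same rule instead of the reverse flow falling into interface PAT.
! That is what clears the "Asymmetric NAT rules matched ... NAT reverse path
! failure" drop seen in the log.
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0
!
! Verification: list the installed NAT rules with hit counts, then simulate the
! exact flow from the log message in both directions. Both traces should end in
! ALLOW and show the identity rule in the NAT phase.
show nat detail
packet-tracer input outside icmp 10.4.71.104 8 0 10.4.70.2
packet-tracer input inside icmp 10.4.70.2 8 0 10.4.71.104
```

If the packet-tracer output still shows a NAT drop, check that the identity rule appears in section 1 of show nat ahead of any other manual rule that could match the same source and destination, since manual NAT rules are evaluated in order.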

aboatman2000 Wed, 06/30/2010 - 06:35

That's exactly what I needed!  Looking at it now, I should have come up with it on my own.  I'll be sure to remember this in the future.


Thanks so much!

cody.ray Mon, 02/14/2011 - 10:36

Thank you for this post as it helped me as well.


I am running an ASA with 8.4 code.


However, I do have a concern.  I set up a site-to-site VPN between a Firebox and an ASA using the site-to-site VPN wizard, and a "NAT exception" was not added for the two internal networks to speak to each other.  I had to troubleshoot the asymmetric NAT errors that were appearing.  Why wouldn't the ASA wizard account for this rule creation?


Thank you.

Marcin Latosiewicz Mon, 02/28/2011 - 00:58
User Badges: Cisco Employee

Hi,


Well, it looks like a possible bug/enhancement in ASDM rather than ASA. Would you be able to open a case with TAC for this?


Marcin
