06-29-2010 06:33 AM
I'm trying to set up another ipsec VPN group and policy. So far, I can connect with it, and I can ping the ASA 5505, but nothing else on the inside. The funny thing is, I've got another group and policy set up that works fine. I've tried to emulate it but I can't figure out what I'm doing wrong. I'm getting this error in the log:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure.
Attached is a network diagram. Thanks for your help.
06-29-2010 11:20 PM
Andy,
Yes, 8.3 does make a difference.
Well I can suggest quite a few ways out of this.
And this is what you need to add ... sort of nat exemption from previous versions.
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0
edit: Corrected IP addresses. If 10.4.70.0/24 is local and 10.4.71 remote you need to add an exemption here.
06-29-2010 10:01 AM
Andy,
Attach
------
show run nat
sh run global
sh run static
------
(and access-lists mentioned in sh run nat command)
Also tell us which subnets are local and remote (also in case of "working fine" scenario)
Marcin
06-29-2010 10:23 AM
Attached is the "show run nat" command's output. "sh run global" and "sh run static" do not work. The commands appear to not exist. I must mention that I am running 8.3(1) on an ASA 5505, if that makes a difference. 10.4.70.0/24 is the subnet on the inside I'm trying to reach. The VPN pool is using 10.4.71.0/24. The VPN group that works uses a VPN pool that consists of 10.4.17.248/29.
06-30-2010 06:35 AM
That's exactly what I needed! Looking at it now, I should have come up with it on my own. I'll be sure to remember this in the future.
Thanks so much!
02-14-2011 10:36 AM
Thank you for this post as it helped me as well.
I am running an ASA with 8.4 code.
However, I do have a concern. I set up a VPN site to site between a Firebox and an ASA using the VPN site to site wizard and a "NAT exception" was not added for the two internal networks to speak to each other. I had to troubleshoot the Asymmetric errors that were appearing. Why wouldn't the ASA wizard account for this rule creation?
Thank you.
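The following is an added worked example, not configuration posted by anyone in this thread. It spells out the full 8.3+ NAT exemption that Marcin's accepted answer gives in one line (the object definitions it depends on, and the verification commands that show whether the "NAT reverse path failure" is gone), and it also shows the same rule shape for the site-to-site case raised in the post just above. The object names, the interface nameifs (inside/outside) and the obj-REMOTE-LAN placeholder are assumptions; the 10.4.70.0/24 and 10.4.71.0/24 addresses are the ones reported earlier in the thread.

```cisco
! Added example: ASA 8.3+ identity ("twice") NAT exemption for VPN traffic.
! Object names and interface nameifs are assumptions; addresses come from the thread.

! Inside LAN that VPN clients need to reach
object network obj-10.4.70.0
 subnet 10.4.70.0 255.255.255.0

! Remote-access VPN pool that was failing with the asymmetric NAT error
object network obj-10.4.71.0
 subnet 10.4.71.0 255.255.255.0

! Exemption: source and destination stay unchanged in both directions.
! Manual (twice) NAT sits in section 1 of the NAT table, so it is matched
! before any object NAT or dynamic PAT rule in section 2; that is why the
! reverse flow now hits the same rule as the forward flow.
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0

! Same shape for a site-to-site tunnel (the 8.4 wizard case in this thread):
! swap the pool object for an object holding the peer's LAN.
! obj-REMOTE-LAN and its subnet are placeholders, not values from the thread.
! object network obj-REMOTE-LAN
!  subnet <REMOTE_LAN_NETWORK> <REMOTE_LAN_MASK>
! nat (inside,outside) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-REMOTE-LAN obj-REMOTE-LAN

! Verification: confirm rule order and hit counts, then trace both directions.
! Forward: echo request (type 8) from the VPN client to the inside host.
! Reverse: echo reply (type 0) from the inside host back to the client.
! With the exemption in place both traces should end in ALLOW and the NAT
! phase should report the addresses untranslated.
show nat detail
packet-tracer input outside icmp 10.4.71.104 8 0 10.4.70.2
packet-tracer input inside icmp 10.4.70.2 0 0 10.4.71.104
```

The two packet-tracer runs are the quickest way to see the asymmetry the log line complains about: before the exemption, the reverse trace lands on a different NAT rule (typically the dynamic PAT for outbound traffic) than the forward trace did, and the packet is dropped at the NAT reverse-path check; after it, both traces resolve to the same identity rule.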
02-28-2011 12:58 AM
Hi,
Well it looks like a possible bug/enhancement in ASDM rather than ASA, would you be able to open a case with TAC for this?
Marcin
03-04-2011 11:38 AM
Yes, will do. Thank you.