Asymmetric NAT rules

aboatman2000
Level 1

I'm trying to setup another ipsec VPN group and policy.  So far, I can connect with it, and I can ping the ASA 5505, but nothing else on the inside.  The funny thing is, I've got another group and policy setup that works fine.  I've tried to emulate it but I can't figure out what I'm doing wrong.  I'm getting this error in the log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure.

Attached is a network diagram.  Thanks for your help.

7 Replies

Marcin Latosiewicz
Cisco Employee

Andy,

Attach

------

show run nat

sh run global

sh run static

------

(and access-lists mentioned in sh run nat command)

Also tell us which subnets are local and remote (also in case of "working fine" scenario)

Marcin

Attached is the "show run nat" command's output.  "sh run global" and "sh run static" do not work.  The commands appear to not exist.  I must mention that I am running 8.3(1) on an ASA 5505, if that makes a difference.  10.4.70.0/24 is the subnet on the inside I'm trying to reach.  The VPN pool is using 10.4.71.0/24.  The VPN group that works uses a VPN pool that consists of 10.4.17.248/29. 

Andy,

Yes 8.3 does make a difference

Well I can suggest quite a few ways out of this.

And this is what you need to add ... sort of nat exemption from previous versions.

nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0

Edit: Corrected IP addresses. If 10.4.70.0/24 is local and 10.4.71 remote, you need to add an exemption here.
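
Put together, the exemption above in ASA 8.3 object syntax, with the object definitions the command relies on and a packet-tracer check of the flow from the log (added example, not from the thread; the interface PAT rule at the end is assumed to be the existing rule that was translating the reverse flow):

```cisco
! Objects for the inside LAN and the new IPsec client pool (from the thread)
object network obj-10.4.70.0
 subnet 10.4.70.0 255.255.255.0
object network obj-10.4.71.0
 subnet 10.4.71.0 255.255.255.0
!
! Identity (twice) NAT: LAN <-> VPN-pool traffic keeps its real addresses
! in both directions, so forward and reverse flows match the same rule and
! the "NAT reverse path failure" check passes. Manual NAT sits in section 1,
! so it is evaluated before the object NAT rule below.
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0
!
! Assumed existing interface PAT; without the exemption, replies from
! 10.4.70.2 to the client hit this rule while the inbound flow hit none.
object network obj-inside-pat
 subnet 10.4.70.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verification: replay the denied ICMP echo from the log and list NAT hits
packet-tracer input outside icmp 10.4.71.104 8 0 10.4.70.2
show nat detail
```

In the packet-tracer output the NAT phase should now show the identity rule and the final result ALLOW; the hit counter on that rule in show nat detail should increase when the client pings again.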

That's exactly what I needed!  Looking at it now, I should have come up with it on my own.  I'll be sure to remember this in the future.

Thanks so much!

Thank you for this post as it helped me as well.

I am running an ASA with 8.4 code.

However, I do have a concern.  I setup a VPN site to site between a Firebox and an ASA using the VPN site to site wizard and a "NAT exception" was not added for the two internal networks to speak to each other.  I had to troubleshoot the Asymmetric errors that were appearing.  Why wouldn't the ASA wizard account for this rule creation?

Thank you.

Hi,

Well, it looks like a possible bug/enhancement in ASDM rather than ASA. Would you be able to open a case with TAC for this?

Marcin

Yes, will do.  Thank you.
