%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection denied due to NAT reverse path failure. VPN client issues after 8.3.2 upgrade.

Answered Question
Aug 26th, 2010

I recently upgraded to 8.3.2 and I was aware of the NAT changes but even after reading https://supportforums.cisco.com/docs/DOC-12569 I'm still unable to rectify VPN network 192.168.100.0 communication with hosts on 172.16.1.0 and 172.16.9.0. The VPN clients connect from the outside interface and I'm trying to ping hosts on the inside and dmz, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two previously mentioned networks as security routes but still no pong to the ping.

# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-172.16.9.5 interface service tcp www www
    translate_hits = 0, untranslate_hits = 142
2 (dmz) to (outside) source static obj-172.16.9.5-01 interface service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 2
3 (dmz) to (outside) source static obj-172.16.9.5-02 interface service tcp ldap ldap
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.5-03 interface service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.5-04 interface service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 267
6 (dmz) to (inside) source static obj-172.16.9.0 172.16.9.0
    translate_hits = 4070, untranslate_hits = 224
7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
    translate_hits = 0, untranslate_hits = 0
8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
    translate_hits = 152, untranslate_hits = 4082
9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
    translate_hits = 69, untranslate_hits = 0
10 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 196, untranslate_hits = 32

Correct Answer
kwu2 Thu, 08/26/2010 - 22:53

I think you need the following two NAT configs:

nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0

Please configure them and remove any extra NAT configuration, and then try it again.

Vindemiatrix Fri, 08/27/2010 - 05:34

I already had line four as you suggested but modified line two and still no go. Any other recommendations?

nat (inside,any) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
nat (inside,any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
!
object network obj-172.16.0.0
nat (inside,dmz) static 172.16.0.0
object network obj-10.1.0.0
nat (inside,dmz) static 10.1.0.0
object network obj_any
nat (inside,outside) dynamic interface
object network obj-172.16.9.0
nat (dmz,inside) static 172.16.9.0
object network obj-172.16.9.5
nat (dmz,outside) static interface service tcp www www
object network obj-172.16.9.5-01
nat (dmz,outside) static interface service tcp 3389 3389
object network obj-172.16.9.5-02
nat (dmz,outside) static interface service tcp ldap ldap
object network obj-172.16.9.5-03
nat (dmz,outside) static interface service tcp ftp ftp
object network obj-172.16.9.5-04
nat (dmz,outside) static interface service tcp smtp smtp
object network obj-172.16.9.0-01
nat (dmz,outside) dynamic interface
access-group OUT_IN in interface outside
access-group DMZ in interface dmz

Correct Answer
praprama Fri, 08/27/2010 - 08:46

Hi,

Have you tried removing the "unidirectional" keywords in line 2 and line 4? That is, the 2 commands should look like below:

nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0  destination static obj-192.168.100.0 obj-192.168.100.0

nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0  destination static obj-192.168.100.0 obj-192.168.100.0

Hope this helps. Try this out and let me know if it works.

Regards,

Prapanch

Vindemiatrix Fri, 08/27/2010 - 09:01

That did the trick. What does the unidirectional statement at the end imply, only one direction? What would someone use that for?

praprama Fri, 08/27/2010 - 09:08

Yes, that's exactly what it means. Just in one direction. Well, I am not aware of exact scenarios but I am sure some do exist. But as the document you referred to explains, the reason why the migration to 8.3(2) adds it automatically is due to a previously known bug. Anyway, great that it worked.

Thanks and Regards,

Prapanch
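The effect of the unidirectional keyword on the reverse-path check can be shown with a small model of the twice-NAT lookup. This is an added example written for this thread, not Cisco code and not code from any of the posters; the rule and flow names, the first-match order and the simplified reverse-path check are assumptions, and only the Section 1 static identity rule for 172.16.1.0 is modelled.

```python
# Added example (not Cisco code): a toy model of the ASA twice-NAT lookup
# discussed in this thread, limited to Section 1 static identity rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NatRule:
    name: str
    from_if: str            # real interface, e.g. "inside"
    to_if: str              # mapped interface, e.g. "outside"
    source: str             # real source network
    dest: str               # real destination network
    unidirectional: bool = False

@dataclass(frozen=True)
class Flow:
    ingress: str
    egress: str
    src: str
    dst: str
    def reverse(self):
        return Flow(self.egress, self.ingress, self.dst, self.src)

def _in(ip, net):
    return ip_address(ip) in ip_network(net)

def match(rule, flow, initiating=True):
    """Forward direction always matches; reverse may initiate only if not 'unidirectional'."""
    fwd = (flow.ingress == rule.from_if and flow.egress == rule.to_if
           and _in(flow.src, rule.source) and _in(flow.dst, rule.dest))
    rev = (flow.ingress == rule.to_if and flow.egress == rule.from_if
           and _in(flow.src, rule.dest) and _in(flow.dst, rule.source))
    return fwd or (rev and (not rule.unidirectional or not initiating))

def lookup(rules, flow, initiating=True):
    """First match wins, as in Section 1; None means no manual rule hit."""
    return next((r.name for r in rules if match(r, flow, initiating)), None)

def check_connection(rules, flow):
    """The initiating flow and its return flow must land on the same rule,
    otherwise the ASA logs %ASA-5-305013 and denies the connection."""
    f, r = lookup(rules, flow), lookup(rules, flow.reverse(), initiating=False)
    return ("allowed", f) if f == r else ("%ASA-5-305013", (f, r))

# Constructed flow: VPN client 192.168.100.10 pings inside host 172.16.1.10.
VPN_PING = Flow("outside", "inside", "192.168.100.10", "172.16.1.10")
RULE2 = dict(from_if="inside", to_if="outside", source="172.16.1.0/24",
             dest="192.168.100.0/24")
MIGRATED = [NatRule("rule2", unidirectional=True, **RULE2)]  # after 8.3 upgrade
FIXED = [NatRule("rule2", **RULE2)]                          # keyword removed
```

With the migrated rule the VPN-initiated ping hits no rule going in but the identity rule on the way back, which is the asymmetric match the syslog in the title reports; dropping the keyword makes both lookups land on the same rule, while inside-initiated traffic works either way.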

kwu2 Fri, 08/27/2010 - 09:48

So, you did not see the difference between the NAT commands which I suggested and your existing NAT commands.

Vindemiatrix Fri, 08/27/2010 - 09:53

Somehow that one went right by me :-) but yes, your original response would also appear to be correct. It was late when I tried it so I probably forgot to remove the unidirectional portion. I also have marked your response as correct.

Posted August 26, 2010 at 8:42 PM