Asymmetric NAT rules matched for forward and reverse flows

Rainer Franke
Level 1

Hi everybody, I have a problem with a Site-to-Site VPN connection between two ASA 5505 (ASA 8.2, ASDM 6.2) and I hope someone can help me. I have built the configuration on both devices (http://cisco.biz/en/US/docs/security/asa/asa82/getting_started/asa5580/quick/guide/sitvpn.html#wp1044213). Under "Specifying Hosts and Networks / Remote Network" I do not use the external IP of the remote site; I use the internal networks (10.0.1.0 and 10.0.2.0). I need a connection to two remote internal networks (from 10.0.0.0 to 10.0.1.0 and 10.0.2.0). The tunnel (Phase 1 and Phase 2) comes up when I ping a host of the second (10.0.2.x) remote network, but a ping is not possible. Syslog says "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.0.0.x dst dmz:10.0.1.x (type 8, code 0) denied due to NAT reverse path failure". On both sites VPN connections with Cisco VPN Clients are possible. Thanks to everyone for any ideas and help.

5 Replies

Hi,

For the site-to-site tunnel you should avoid NAT for the interesting traffic in both sites.

i.e.

Site A internal LAN 10.1.1.0/24

Site B internal LAN 10.1.2.0/24

Site A configuration for NAT:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list nonat

Site B configuration for NAT:

access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

VPN Configuration:

Site A:

access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Site B:

access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

The above configuration allows communication between the internal sites on both sides without doing NAT for that traffic.

Is that how you have your configuration?

Federico.
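As an added example (not part of the thread or of Cisco's own tooling), the following Python check applies the rule in the answer above: every crypto-map ACE must be covered by that site's nat 0 exemption ACL, and must have its mirror image in the peer's crypto ACL. The ACL names vpn and nonat follow the answer; the two sample configurations are constructed so that site A exempts only one of its two remote networks, which is the situation the original poster describes.

```python
import ipaddress
import re

# ASA 8.2 ACE form used in the thread: access-list NAME permit ip SRC MASK DST MASK
ACE_RE = re.compile(r"access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_acls(config_text):
    """Return {acl_name: [(src_net, dst_net), ...]}; ASA ACL masks are netmasks."""
    acls = {}
    for name, src, smask, dst, dmask in ACE_RE.findall(config_text):
        pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
        acls.setdefault(name, []).append(pair)
    return acls

def covered(pair, aces):
    """True if some ACE's source and destination networks contain the pair."""
    src, dst = pair
    return any(src.subnet_of(a) and dst.subnet_of(b) for a, b in aces)

def check_sites(site_a_cfg, site_b_cfg, crypto="vpn", nonat="nonat"):
    """Return findings; an empty list means interesting traffic is NAT-exempt
    on both sides and the two crypto ACLs mirror each other."""
    findings = []
    for site, cfg, peer_cfg in (("A", site_a_cfg, site_b_cfg), ("B", site_b_cfg, site_a_cfg)):
        acls, peer = parse_acls(cfg), parse_acls(peer_cfg)
        for src, dst in acls.get(crypto, []):
            # Interesting traffic that is not exempted gets NATed, so the
            # reverse flow fails the NAT reverse-path check seen in the thread.
            if not covered((src, dst), acls.get(nonat, [])):
                findings.append(f"site {site}: {src} -> {dst} is not NAT-exempt")
            # The peer's crypto ACL must be the exact mirror image.
            if not covered((dst, src), peer.get(crypto, [])):
                findings.append(f"site {site}: {src} -> {dst} has no mirror on peer")
    return findings

# Constructed sample: site A exempts only the first remote network, which
# reproduces the thread's symptom for the second one (10.0.2.0/24).
SITE_A = """
access-list vpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list vpn permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
SITE_B = """
access-list vpn permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpn permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
```

Calling check_sites(SITE_A, SITE_B) reports the one flow (10.0.0.0/24 to 10.0.2.0/24) that site A tunnels but does not exempt from NAT; adding the missing nonat ACE makes the result empty.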

Thanks to all of you. The example of Federico Coto Fajardo, "access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0", has shown me my problem. Thank you very much.

Glad I could help.

Please rate the thread if you find it helpful.

Federico.

praprama
Cisco Employee

Hi,

Please attach the outputs of "show run nat", "show run global" and "show run static" from both ASAs.

Regards,

Prapanch

Hi Federico,

Is the below configuration part of the crypto map ACL?

VPN Configuration:

Site A:

access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Site B:

access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

I am experiencing this error on Site B ASA when for e.g. Site A inside host initiates a connection to Site B inside host.

How should the NAT0 ACLs be in this case? The 'inside to outside communication' is already defined against NAT0, but I am getting this error for 'outside to inside host communication'.

Please advise.

Thanks.
