Remote access VPN stopped working after upgrading to ASA 8.3.1

Unanswered Question
Oct 14th, 2010

I upgraded from 7.2x to 8.2, and then upgraded to 8.3.1. However, now remote access VPN stopped working. I read https://supportforums.cisco.com/docs/DOC-12569 already; however, I am either not understanding that correctly or am not sure how that helps my situation.

In version 7.2x, I had
access-list CG_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
access-list SA_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
access-list CS_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.0
nat (CG) 0 access-list CG_nat0_outbound
nat (SA) 0 access-list SA_nat0_outbound
nat (CS) 0 access-list CS_nat0_outbound
......


After upgrading to 8.3.1, the config changed to
nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,CS) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,SA) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CS) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CG) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,CG) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,SA) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

......


I am able to ping inside hosts from outside without the VPN; as soon as the VPN tunnel is established, I cannot ping the inside hosts anymore. The system then generates the event log %ASA-5-305013:Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:10.10.x.2 dst CG:x.x.x.x (type 8, code 0) denied due to NAT reverse path failure

Kureli Sankar (Cisco Employee) Thu, 10/14/2010 - 12:26

You can try to remove these lines:

no nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
no nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
no nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0


and try to add them with line numbers:

nat (CG,Outside) 1 source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) 2 source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) 3 source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0


Let me know. If this doesn't work then we can gather packet-tracer output.


-KS

tachyon05 Fri, 10/15/2010 - 13:38

Well, it worked after I disabled those NAT configuration lines, but I am not sure why.


Anyway, I have 10+ sub-interfaces, so there are hundreds of NAT lines added by the new 8.3.1 (I think I only had 20-some NAT lines). It will take me a while to disable all of them.


Thanks everyone.
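
The answer above amounts to a mechanical rewrite of every migrated identity rule whose egress interface is Outside (remove it, then re-add it with an explicit line number), and the follow-up notes that with 10+ sub-interfaces there are hundreds of such lines to process by hand. The script below is an added example for this thread, not code from the thread, from Cisco or from the ASA itself: it parses the 8.3-style twice-NAT lines out of a saved running-config, keeps only the rules that are identity translations (real equals mapped on both sides, i.e. what the migration produced from `nat 0 access-list`) toward the chosen egress interface, and prints the `no nat` / numbered `nat` commands in the same form the answer uses. The interface names mirror the thread; every object name and network in `SAMPLE_CONFIG` is constructed, the `no nat` form without a sequence number is copied from the answer, and the identity-only filter is an assumption added here so that genuine static translations on the same interface pair are left alone.

```python
"""Parse ASA 8.3-style twice-NAT lines and emit the 'no nat' / numbered re-add
commands from the answer above for every identity rule whose egress interface
is Outside.  Added example for this thread, not code from the thread or from
Cisco; all object names and networks in SAMPLE_CONFIG are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One migrated 'nat (in,out) [seq] source static A A [destination static B B]' line.
# Object names produced by the migration may contain parentheses, e.g. obj-x(CG),
# so the groups use \S+ rather than a word class.
NAT_RE = re.compile(
    r"^nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\)\s+(?:(?P<seq>\d+)\s+)?"
    r"source static (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?\s*$"
)


@dataclass
class NatRule:
    ingress: str
    egress: str
    seq: Optional[int]
    src_real: str
    src_mapped: str
    dst_real: Optional[str]
    dst_mapped: Optional[str]

    def body(self) -> str:
        """The rule text after the interface pair / sequence number."""
        text = f"source static {self.src_real} {self.src_mapped}"
        if self.dst_real is not None:
            text += f" destination static {self.dst_real} {self.dst_mapped}"
        return text

    def is_identity(self) -> bool:
        """True when real == mapped on both sides, i.e. a migrated 'nat 0' exemption."""
        return (self.src_real == self.src_mapped
                and (self.dst_real is None or self.dst_real == self.dst_mapped))


def parse_nat_rules(config: str) -> List[NatRule]:
    """Extract twice-NAT rules from running-config text; other lines are ignored."""
    rules: List[NatRule] = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m is None:
            continue
        seq = m.group("seq")
        rules.append(NatRule(
            ingress=m.group("ingress"), egress=m.group("egress"),
            seq=int(seq) if seq else None,
            src_real=m.group("src_real"), src_mapped=m.group("src_mapped"),
            dst_real=m.group("dst_real"), dst_mapped=m.group("dst_mapped"),
        ))
    return rules


def renumber_for_egress(rules: List[NatRule], egress: str = "Outside",
                        start: int = 1) -> List[str]:
    """Emit the CLI steps from the answer: remove each identity rule toward
    `egress`, then re-add the same rules with explicit line numbers, keeping
    their original relative order.  Non-identity (real) translations on the
    same interface pair are left untouched (assumption added in this example)."""
    selected = [r for r in rules if r.egress == egress and r.is_identity()]
    removes = [f"no nat ({r.ingress},{r.egress}) {r.body()}" for r in selected]
    adds = [f"nat ({r.ingress},{r.egress}) {start + i} {r.body()}"
            for i, r in enumerate(selected)]
    return removes + adds


# Constructed sample mirroring the thread's layout: three inside interfaces
# (CG, SA, CS), one migrated rule per interface pair, one VPN pool object,
# plus one real static translation that must not be touched.
SAMPLE_CONFIG = """\
nat (CG,Outside) source static obj-192.0.2.0(CG) obj-192.0.2.0(CG) destination static obj-10.10.200.0 obj-10.10.200.0
nat (CG,CS) source static obj-192.0.2.0(CG) obj-192.0.2.0(CG) destination static obj-10.10.200.0 obj-10.10.200.0
nat (CG,SA) source static obj-192.0.2.0(CG) obj-192.0.2.0(CG) destination static obj-10.10.200.0 obj-10.10.200.0
nat (SA,Outside) source static obj-198.51.100.0(SA) obj-198.51.100.0(SA) destination static obj-10.10.200.0 obj-10.10.200.0
nat (SA,CS) source static obj-198.51.100.0(SA) obj-198.51.100.0(SA) destination static obj-10.10.200.0 obj-10.10.200.0
nat (SA,CG) source static obj-198.51.100.0(SA) obj-198.51.100.0(SA) destination static obj-10.10.200.0 obj-10.10.200.0
nat (CS,Outside) source static obj-203.0.113.0(CS) obj-203.0.113.0(CS) destination static obj-10.10.200.0 obj-10.10.200.0
nat (CS,CG) source static obj-203.0.113.0(CS) obj-203.0.113.0(CS) destination static obj-10.10.200.0 obj-10.10.200.0
nat (CS,SA) source static obj-203.0.113.0(CS) obj-203.0.113.0(CS) destination static obj-10.10.200.0 obj-10.10.200.0
nat (CG,Outside) source static obj-www-real obj-www-public
"""

if __name__ == "__main__":
    # Paste the printed block into configure terminal, then confirm with
    # 'show nat' and, as the answer suggests, packet-tracer before and after.
    for cmd in renumber_for_egress(parse_nat_rules(SAMPLE_CONFIG)):
        print(cmd)
```

Run it against `show running-config nat` output saved to a file instead of `SAMPLE_CONFIG` to get the full command block for a real box; the rule order in the output follows the order in the config, so the numbering preserves whatever ordering the migration produced.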
