ASA reports asymmetric NAT for VPN client outside NAT

tgrundbacher
Level 1

I'm starting to become desperate on this one...

I have an ASA running 8.2(3) code where IPSec VPN client profiles are configured. The requirement is that the VPN client source IP's must be translated when they want to reach Server 10.237.214.151 on interface 'Swisscom' (the server is some hops away).

VPN pool range: 192.168.44.0 /24.

Translated IP for VPN pool range: 10.25.125.9 /32.

I've set up outside NAT on the outside interface and the respective global on the Swisscom interface, yet the ASA complains about asymmetric translation:

"Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.44.3/3183 dst Swisscom:10.237.214.151/21 denied due to NAT reverse path failure"

Am I missing something? I suspect that the ASA won't match the translated IP for the return traffic and expects a match for the real IP of the VPN pool, even though outside NAT should be working...

Help is very much appreciated!!

Regards

Toni

Here's a part of the relevant config:

ASA Version 8.2(3)
!
hostname iconfw
names
name 172.20.66.0 icon_network
name 10.49.28.0 infnet_10.49.28.0
name 10.50.242.0 infnet_10.50.242.0
name 10.50.244.0 infnet_10.50.244.0
name 172.20.66.22 offside-server
name 172.20.66.10 sun1
name 172.20.66.20 syslog-server
name 192.168.44.0 vpn-clients
name 10.49.49.0 infnet_10.49.49.0 description Hanspeters PC
name 10.50.65.0 infnet_10.50.65.0 description Hanspeter Poststrasse
name 172.20.66.8 SVN description SVN Server
name 10.57.0.0 infnet_10.57.0.0 description DHCP Bereich von Hampi-Laptop
name 10.58.0.0 infnet_10.58.0.0 description Hanspeter Laptop
name 10.237.0.0 infnet_10.237.0.0 description New NOVIS-DBs
name 192.168.45.0 test_net
name 10.25.125.3 nat_sun4_server
name 10.25.125.4 nat_svn_server
name 10.25.125.5 nat_vss_server
name 172.20.66.6 sun4
!
interface Ethernet0/0
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.20.66.1 255.255.255.224
!
interface Ethernet0/2
nameif Infnet
security-level 80
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/3
nameif Swisscom
security-level 50
ip address 10.25.125.2 255.255.255.240
!
object-group network Infnet_all_networks
network-object infnet_10.50.242.0 255.255.255.0
network-object infnet_10.50.244.0 255.255.255.0
network-object infnet_10.49.49.0 255.255.255.0
network-object infnet_10.50.65.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object infnet_10.49.28.0 255.255.255.0
network-object infnet_10.58.0.0 255.255.0.0
network-object infnet_10.57.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Swisscom_gin
network-object host 10.237.214.151
network-object host 10.237.46.151
network-object host 10.237.46.51
object-group service DM_INLINE_TCP_1 tcp
port-object eq sqlnet
port-object eq ssh
access-list inside_access_in extended permit udp icon_network 255.255.255.224 any eq domain
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 8080
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq rtsp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 7070
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq domain
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq smtp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq pop3
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq www
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 7670
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq nntp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 8443
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq https
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq ssh
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq ftp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 993
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 995
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 465
access-list inside_access_in extended permit icmp icon_network 255.255.255.224 any
access-list inside_access_in extended permit ip icon_network 255.255.255.224 object-group Infnet_all_networks
access-list inside_access_in extended permit ip icon_network 255.255.255.224 object-group Swisscom_gin
access-list inside_access_in extended deny ip any any
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host offside-server eq 8890
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host offside-server eq www
access-list Infnet_access_in extended permit icmp object-group Infnet_all_networks host offside-server
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host SVN eq www
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host SVN eq https
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host sun1 eq sqlnet
access-list Infnet_access_in extended deny ip any any
access-list outside_access_in remark from home to new swisscom
access-list outside_access_in extended permit tcp vpn-clients 255.255.255.0 infnet_10.237.0.0 255.255.0.0 object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny ip any any
access-list nonat-inside extended permit ip icon_network 255.255.255.224 object-group Infnet_all_networks
access-list nonat-inside extended permit ip icon_network 255.255.255.224 vpn-clients 255.255.255.0
access-list outside_nat_outbound extended permit ip vpn-clients 255.255.255.0 object-group Infnet_all_networks
access-list Infnet_nat0_outbound extended permit ip any any
access-list management_access_in extended deny ip any any
access-list inside_nat_outbound extended permit ip icon_network 255.255.255.224 object-group Swisscom_gin
access-list Swisscom_access_in extended permit tcp object-group Infnet_all_networks host nat_sun4_server eq sqlnet
access-list Swisscom_access_in extended permit tcp object-group Infnet_all_networks host nat_vss_server eq 8890
access-list vpn_nat_Swisscom extended permit ip vpn-clients 255.255.255.0 object-group Swisscom_gin
ip local pool vpn-clients 192.168.44.1-192.168.44.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
global (Infnet) 2 172.20.66.7 netmask 255.255.0.0
global (Swisscom) 3 interface
global (Swisscom) 4 10.25.125.9 netmask 255.255.255.255
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 0 access-list nonat-inside
nat (inside) 3 access-list inside_nat_outbound
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat (inside) 1 icon_network 255.255.255.224
nat (Infnet) 0 access-list Infnet_nat0_outbound
static (inside,Swisscom) nat_sun4_server sun4 netmask 255.255.255.255
static (inside,Swisscom) nat_svn_server SVN netmask 255.255.255.255
static (inside,Swisscom) nat_vss_server offside-server netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Infnet_access_in in interface Infnet
access-group Swisscom_access_in in interface Swisscom
access-group management_access_in in interface management
route Infnet infnet_10.49.28.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.49.49.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.65.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.242.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.244.0 255.255.255.0 192.168.1.1 1
route Swisscom 10.237.46.51 255.255.255.255 10.25.125.1 1
route Swisscom 10.237.46.151 255.255.255.255 10.25.125.1 1
route Swisscom 10.237.214.151 255.255.255.255 10.25.125.1 1
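The following is an added example, not code from the thread or from Cisco: a simplified Python model of how ASA 8.2 selects a dynamic/policy NAT rule for a new connection. It models only what is needed to see the point the thread ends on: decrypted IPsec client packets enter the ASA on the outside interface, so a `nat (inside)` rule never matches them and, with `nat-control` enabled, the connection is denied, whereas `nat (outside) 4 ... outside` paired with `global (Swisscom) 4` translates the client to 10.25.125.9 and creates the xlate the reply direction needs. The security levels and config lines are taken from the post above with the object names expanded; the rule-evaluation order, the `translate` and `reply_untranslate` functions and the xlate key shape are simplifying assumptions of this model, not the appliance's actual data structures.

```python
"""Simplified model of how ASA 8.2 picks a dynamic NAT rule for a flow.

Added example (not code from the thread or from Cisco). Security levels
and config lines come from the thread, with object names resolved to
addresses; everything else is a simplifying assumption of this model.
"""
import ipaddress
from dataclasses import dataclass

SECURITY = {"outside": 0, "Swisscom": 50, "inside": 100}  # from the interface config

# Config excerpt from the thread (names expanded). The nat (inside) 4
# line is the variant Toni later removed with "no nat (inside) 4 ...".
CONFIG_INSIDE = """
access-list vpn_nat_Swisscom extended permit ip 192.168.44.0 255.255.255.0 host 10.237.214.151
global (Swisscom) 4 10.25.125.9 netmask 255.255.255.255
nat (inside) 4 access-list vpn_nat_Swisscom
"""
CONFIG_OUTSIDE = CONFIG_INSIDE.replace(
    "nat (inside) 4 access-list vpn_nat_Swisscom",
    "nat (outside) 4 access-list vpn_nat_Swisscom outside",
)


@dataclass
class NatRule:
    iface: str          # interface the packet must enter on
    nat_id: int         # pairs the rule with a global on the egress interface
    acl: str            # policy NAT ACL (real source/destination)
    outside_kw: bool    # "outside" keyword: allow lower-to-higher security translation


def _operand(tokens, i):
    """Parse one ACL address operand (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse(text):
    """Return (acls, nat rules in config order, globals keyed by (iface, id))."""
    acls, rules, globals_ = {}, [], {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[3] == "permit":
            src, i = _operand(t, 5)
            dst, _ = _operand(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "global":
            globals_[(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "nat":
            rules.append(NatRule(t[1].strip("()"), int(t[2]), t[4], t[-1] == "outside"))
    return acls, rules, globals_


def translate(cfg_text, ingress, src, dst, egress):
    """Mapped source for a new connection, or None plus the reason it would be denied."""
    acls, rules, globals_ = parse(cfg_text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != ingress:
            continue  # nat rules are consulted only for the packet's ingress interface
        if SECURITY[ingress] < SECURITY[egress] and not r.outside_kw:
            continue  # outside NAT needs the keyword; otherwise the rule is outbound-only
        if not any(s in a and d in b for a, b in acls.get(r.acl, [])):
            continue
        pool = globals_.get((egress, r.nat_id))
        if pool is None:
            return None, f"nat id {r.nat_id} matched but no global ({egress}) {r.nat_id}"
        return pool, f"nat ({r.iface}) {r.nat_id} -> global ({egress}) {r.nat_id}"
    return None, f"no nat rule on {ingress} matches {src} -> {dst}; nat-control denies it"


def reply_untranslate(xlates, ingress, mapped_dst):
    """Reverse flow: the reply's destination must hit an existing xlate on its ingress interface."""
    return xlates.get((ingress, mapped_dst))


def demo():
    """VPN client (decrypted on outside) -> server behind Swisscom, both rule variants."""
    flow = ("outside", "192.168.44.3", "10.237.214.151", "Swisscom")
    bad = translate(CONFIG_INSIDE, *flow)
    good = translate(CONFIG_OUTSIDE, *flow)
    # The forward xlate the working rule creates, keyed the way the reply looks it up.
    xlates = {("Swisscom", good[0]): ("outside", flow[1])} if good[0] else {}
    back = reply_untranslate(xlates, "Swisscom", "10.25.125.9")
    return bad, good, back


if __name__ == "__main__":
    for label, r in zip(("nat (inside) 4", "nat (outside) 4 ... outside", "reply"), demo()):
        print(f"{label}: {r}")
```

Running the script prints the denial reason for the `nat (inside)` variant, the `10.25.125.9` mapping for the outside-NAT variant, and the real address the reply is untranslated to; dropping the `outside` keyword from the working rule makes it fail again, which is why the keyword is part of Mike's fix.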

22 Replies

Hi Prapanch

Please see the current config attached. I've cut out some sensitive lines with IPs, passwords and VPN profiles.

Here's the requested output:

iconfw# show crypto ipsec sa
interface: outside
    Crypto map tag: MAP02, seq num: 10, local addr: 84.253.37.228

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.44.2/255.255.255.255/0/0)
      current_peer: 195.5.180.5, username: casadmin
      dynamic allocated peer ip: 192.168.44.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.253.37.228/4500, remote crypto endpt.: 195.5.180.5/37778
      path mtu 1492, ipsec overhead 82, media mtu 1500
      current outbound spi: FFADAA96
      current inbound spi : 0EF64C2D

    inbound esp sas:
      spi: 0x0EF64C2D (251022381)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 315392, crypto-map: MAP02
         sa timing: remaining key lifetime (sec): 28624
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0003FFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFFADAA96 (4289571478)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 315392, crypto-map: MAP02
         sa timing: remaining key lifetime (sec): 28624
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


iconfw# show xlate det | in 192.168.44.
iconfw#

Here's the output when I change the NAT to outside NAT:

no nat (inside) 4 access-list vpn_nat_Swisscom
nat (outside) 4 access-list vpn_nat_Swisscom outside

iconfw(config)# show crypto ipsec sa
interface: outside
    Crypto map tag: MAP02, seq num: 10, local addr: 84.253.37.228

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.44.2/255.255.255.255/0/0)
      current_peer: 195.5.180.5, username: casadmin
      dynamic allocated peer ip: 192.168.44.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.253.37.228/4500, remote crypto endpt.: 195.5.180.5/50819
      path mtu 1492, ipsec overhead 82, media mtu 1500
      current outbound spi: CD4C98B9
      current inbound spi : 6BE10FC6

    inbound esp sas:
      spi: 0x6BE10FC6 (1809911750)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 323584, crypto-map: MAP02
         sa timing: remaining key lifetime (sec): 28788
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000FFFFF
    outbound esp sas:
      spi: 0xCD4C98B9 (3444349113)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 323584, crypto-map: MAP02
         sa timing: remaining key lifetime (sec): 28788
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

iconfw(config)# show xlate det | in 192.168.44.
TCP PAT from outside:192.168.44.2/1044 to Swisscom(vpn_nat_Swisscom):10.25.125.9/54502 flags ri
TCP PAT from outside:192.168.44.2/1040 to Swisscom(vpn_nat_Swisscom):10.25.125.9/23599 flags ri
iconfw(config)#
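The reverse-path denial quoted in the opening post and the `show xlate detail` lines above are the two pieces of evidence a defender correlates when triaging this class of problem. The following is an added example, not code from the thread or from Cisco: it parses both message shapes and reports, per denied source, whether any forward translation for that source exists. The sample syslog and xlate lines are constructed from the ones quoted in the thread (the `%ASA-5-305013` prefix is the syslog ID under which the asymmetric-NAT message is logged); the regular expressions and the `triage`/`describe` functions are this example's own.

```python
"""Correlate ASA NAT reverse-path denials with the xlate table.

Added example, not from the thread or from Cisco. Sample lines are
constructed from the messages quoted in the thread.
"""
import re
from collections import defaultdict

DENY_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) denied due to NAT reverse path failure"
)
XLATE_RE = re.compile(
    r"(?P<proto>\w+) PAT from (?P<rif>\w+):(?P<real>[\d.]+)/(?P<rport>\d+) "
    r"to (?P<mif>\w+)\((?P<rule>\w+)\):(?P<mapped>[\d.]+)/(?P<mport>\d+) flags (?P<flags>\w+)"
)

# Constructed sample data (assembled from lines quoted in the thread).
SYSLOG = """
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.44.3/3183 dst Swisscom:10.237.214.151/21 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.44.3/3184 dst Swisscom:10.237.214.151/21 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.44.2/1050 dst Swisscom:10.237.214.151/1521 denied due to NAT reverse path failure
unrelated line that the parser must ignore
"""
XLATE = """
TCP PAT from outside:192.168.44.2/1044 to Swisscom(vpn_nat_Swisscom):10.25.125.9/54502 flags ri
TCP PAT from outside:192.168.44.2/1040 to Swisscom(vpn_nat_Swisscom):10.25.125.9/23599 flags ri
"""


def parse_denials(text):
    """Field dicts for every reverse-path denial found in the syslog text."""
    return [m.groupdict() for m in (DENY_RE.search(l) for l in text.splitlines()) if m]


def parse_xlates(text):
    """Field dicts for every PAT entry in 'show xlate detail' output."""
    return [m.groupdict() for m in (XLATE_RE.search(l) for l in text.splitlines()) if m]


def triage(syslog_text, xlate_text):
    """Group denials by (src iface, src, dst iface, dst); note whether the source has a forward xlate."""
    by_real = defaultdict(list)
    for x in parse_xlates(xlate_text):
        by_real[(x["rif"], x["real"])].append(x)
    report = {}
    for d in parse_denials(syslog_text):
        key = (d["sif"], d["src"], d["dif"], d["dst"])
        entry = report.setdefault(key, {"count": 0, "has_xlate": False, "mapped": set()})
        entry["count"] += 1
        for x in by_real.get((d["sif"], d["src"]), []):
            entry["has_xlate"] = True
            entry["mapped"].add(f'{x["mif"]}:{x["mapped"]}')
    return report


def describe(report):
    """One human-readable triage line per denied flow, with the next thing to check."""
    lines = []
    for (sif, src, dif, dst), e in sorted(report.items()):
        head = f"{sif}:{src} -> {dif}:{dst}: {e['count']} reverse-path denial(s); "
        if e["has_xlate"]:
            hint = (f"forward xlate exists ({', '.join(sorted(e['mapped']))}), so the reply "
                    f"direction on {dif} is matching a different rule than the forward direction")
        else:
            hint = (f"no forward xlate for {src} on {sif}; check that a nat rule on the ingress "
                    f"interface {sif} matches this flow and has a global on {dif}")
        lines.append(head + hint)
    return lines


if __name__ == "__main__":
    for line in describe(triage(SYSLOG, XLATE)):
        print(line)
```

The two outcomes are deliberately separated: a denied source with no xlate at all points at the forward rule (the ingress-interface mistake discussed in this thread), while a denied source that does have an xlate points at whichever rule the reply direction matches first on the egress interface.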

Hi Toni,

The IPSec SA seems to show that packets are being decrypted by the ASA and I also see translation being created successfully with the "outside" NAT applied. What do the captures show on the Swisscom interface when trying a ping from the VPN client? Do you see packets leaving and coming back in?

Also, in the configuration, I do not see any rule for the reverse flow, that is, the static with ACL that we had discussed previously. If we do not have a rule like that one, the packet will be dropped as there will be no NAT rule (nat-control enabled).

If you see packets coming back in on the Swisscom interface as well, can you run an asp-drop capture like below:

access-list asp permit ip host 192.168.44.2 host 10.237.214.151
access-list asp permit ip host 10.237.214.151 host 192.168.44.2
capture asp type asp access-list asp

This should show all packets being dropped by the ASA. Let me know how it goes.

As a side note, just wanted to let you know that packet-tracer will not be the right way to troubleshoot this as it has NAT involved in both the directions of traffic (a dynamic NAT in one direction). We should go by captures and asp drop to see what exactly is going wrong.

Regards,

Prapanch

Hi Prapanch

Thanks for your reply. I've tried to enter your capture commands, yet it doesn't accept ACLs as an input method. I've customized the asp capture (see attachment), yet it still shows drops for every possible flow.

But there are no drops for our sought-after flow.

So in summary, I see packets getting back to the ASA Swisscom int., they just don't arrive at my session on the PC.

This is what the NAT config looks like currently:


nat (outside) 2 access-list outside_nat_outbound outside
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat (inside) 0 access-list nonat-inside
nat (inside) 3 access-list inside_nat_outbound
nat (inside) 1 icon_network 255.255.255.224
nat (Infnet) 0 access-list Infnet_nat0_outbound
nat (Swisscom) 0 access-list nonat-Swisscom

global (outside) 1 interface
global (Infnet) 2 172.20.66.7 netmask 255.255.0.0
global (Swisscom) 3 interface
global (Swisscom) 4 10.25.125.9 netmask 255.255.255.255

Regards

Toni

Hello Toni,

From the capture, I see that the remote server is resetting the connection

(no connection is being established). Is the server listening on port 1521?

Also, I don't see any ICMP packets getting returned by the remote server.

Can you check to see if there are any firewalls on the remote server?

Regards,

NT

Hey Toni,

As Nagaraja pointed out, we see the server sending RST for every SYN packet from the VPN client. Kindly have a check as to why that is happening. Also, change the firewall settings on the servers so that it allows ICMP packets. I think that's the reason why the server is not replying with echo replies for every echo request.

Let me know once you have checked the above.

Regards,

Prapanch

Ok, I will check with my customer, he's going to contact the operator of the server.

Thanks to both of you helping me out so far.

Regards

Toni

The case is solved! The last issue has been resolved by allowing the necessary ports for the src <-> dst through another firewall in the path.

Thank you guys for supporting me!

Regards

Toni

Great post guys,

I just had the exact same problem and the information above enabled me to solve the problem. I note that the NAT from the vpn client traffic needs to be setup on the outside int, not the inside int.

Thanks a lot! :-)

Mike