Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA reports asymmetric NAT for VPN client outside NAT

I'm starting to become desperate on this one...

I have an ASA running 8.2(3) code where IPSec VPN client profiles are configured. The requirement is that the VPN client source IP's must be translated when they want to reach Server 10.237.214.151 on interface 'Swisscom' (the server is some hops away).

VPN pool range: 192.168.44.0 /24.

Translated IP for VPN pool range: 10.25.125.9 /32.

I've set up outside NAT on the outside interface and the respective global on the Swisscom interface, yet the ASA complains about asymmetric translation:

"Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.44.3/3183 dst Swisscom:10.237.214.151/21 denied due to NAT reverse path failure"

Am I missing something? I suspect that the ASA won't match the translated IP for the return traffic and expects a match for the real IP of the VPN pool, even though outside NAT should be working...

Help is very much appreciated!!

Regards

Toni

Here's a part of the relevant config:

ASA Version 8.2(3)
!
hostname iconfw
names
name 172.20.66.0 icon_network
name 10.49.28.0 infnet_10.49.28.0
name 10.50.242.0 infnet_10.50.242.0
name 10.50.244.0 infnet_10.50.244.0
name 172.20.66.22 offside-server
name 172.20.66.10 sun1
name 172.20.66.20 syslog-server
name 192.168.44.0 vpn-clients
name 10.49.49.0 infnet_10.49.49.0 description Hanspeters PC
name 10.50.65.0 infnet_10.50.65.0 description Hanspeter Poststrasse
name 172.20.66.8 SVN description SVN Server
name 10.57.0.0 infnet_10.57.0.0 description DHCP Bereich von Hampi-Laptop
name 10.58.0.0 infnet_10.58.0.0 description Hanspeter Laptop
name 10.237.0.0 infnet_10.237.0.0 description New NOVIS-DBs
name 192.168.45.0 test_net
name 10.25.125.3 nat_sun4_server
name 10.25.125.4 nat_svn_server
name 10.25.125.5 nat_vss_server
name 172.20.66.6 sun4
!
interface Ethernet0/0
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.20.66.1 255.255.255.224
!
interface Ethernet0/2
nameif Infnet
security-level 80
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/3
nameif Swisscom
security-level 50
ip address 10.25.125.2 255.255.255.240
!
object-group network Infnet_all_networks
network-object infnet_10.50.242.0 255.255.255.0
network-object infnet_10.50.244.0 255.255.255.0
network-object infnet_10.49.49.0 255.255.255.0
network-object infnet_10.50.65.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object infnet_10.49.28.0 255.255.255.0
network-object infnet_10.58.0.0 255.255.0.0
network-object infnet_10.57.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Swisscom_gin
network-object host 10.237.214.151
network-object host 10.237.46.151
network-object host 10.237.46.51
object-group service DM_INLINE_TCP_1 tcp
port-object eq sqlnet
port-object eq ssh
access-list inside_access_in extended permit udp icon_network 255.255.255.224 any eq domain
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 8080
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq rtsp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 7070
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq domain
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq smtp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq pop3
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq www
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 7670
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq nntp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 8443
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq https
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq ssh
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq ftp
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 993
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 995
access-list inside_access_in extended permit tcp icon_network 255.255.255.224 any eq 465
access-list inside_access_in extended permit icmp icon_network 255.255.255.224 any
access-list inside_access_in extended permit ip icon_network 255.255.255.224 object-group Infnet_all_networks
access-list inside_access_in extended permit ip icon_network 255.255.255.224 object-group Swisscom_gin
access-list inside_access_in extended deny ip any any
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host offside-server eq 8890
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host offside-server eq www
access-list Infnet_access_in extended permit icmp object-group Infnet_all_networks host offside-server
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host SVN eq www
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host SVN eq https
access-list Infnet_access_in extended permit tcp object-group Infnet_all_networks host sun1 eq sqlnet
access-list Infnet_access_in extended deny ip any any
access-list outside_access_in remark from home to new swisscom
access-list outside_access_in extended permit tcp vpn-clients 255.255.255.0 infnet_10.237.0.0 255.255.0.0 object-group DM_INLINE_TCP_1
access-list outside_access_in extended deny ip any any
access-list nonat-inside extended permit ip icon_network 255.255.255.224 object-group Infnet_all_networks
access-list nonat-inside extended permit ip icon_network 255.255.255.224 vpn-clients 255.255.255.0
access-list outside_nat_outbound extended permit ip vpn-clients 255.255.255.0 object-group Infnet_all_networks
access-list Infnet_nat0_outbound extended permit ip any any
access-list management_access_in extended deny ip any any
access-list inside_nat_outbound extended permit ip icon_network 255.255.255.224 object-group Swisscom_gin
access-list Swisscom_access_in extended permit tcp object-group Infnet_all_networks host nat_sun4_server eq sqlnet
access-list Swisscom_access_in extended permit tcp object-group Infnet_all_networks host nat_vss_server eq 8890
access-list vpn_nat_Swisscom extended permit ip vpn-clients 255.255.255.0 object-group Swisscom_gin
ip local pool vpn-clients 192.168.44.1-192.168.44.254 mask 255.255.255.0
nat-control
global (outside) 1 interface
global (Infnet) 2 172.20.66.7 netmask 255.255.0.0
global (Swisscom) 3 interface
global (Swisscom) 4 10.25.125.9 netmask 255.255.255.255
nat (outside) 2 access-list outside_nat_outbound outside
nat (inside) 0 access-list nonat-inside
nat (inside) 3 access-list inside_nat_outbound
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat (inside) 1 icon_network 255.255.255.224
nat (Infnet) 0 access-list Infnet_nat0_outbound
static (inside,Swisscom) nat_sun4_server sun4 netmask 255.255.255.255
static (inside,Swisscom) nat_svn_server SVN netmask 255.255.255.255
static (inside,Swisscom) nat_vss_server offside-server netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group Infnet_access_in in interface Infnet
access-group Swisscom_access_in in interface Swisscom
access-group management_access_in in interface management
route Infnet infnet_10.49.28.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.49.49.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.65.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.242.0 255.255.255.0 192.168.1.1 1
route Infnet infnet_10.50.244.0 255.255.255.0 192.168.1.1 1
route Swisscom 10.237.46.51 255.255.255.255 10.25.125.1 1
route Swisscom 10.237.46.151 255.255.255.255 10.25.125.1 1
route Swisscom 10.237.214.151 255.255.255.255 10.25.125.1 1

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hello,

So, we are making progress now :). Now that traffic is going from VPN

clients to Swisscom interface fine, let us put one more rule for the reverse

path:

access-list vpn_nonat_Swisscom permit ip object-group Swisscom_gin

vpn-clients 255.255.255.0

nat (Swisscom) 0 access-list vpn_nonat_Swisscom

This will define the NAT rule for return traffic.

Hope this fixes the issue.

Regards,

NT

22 REPLIES
Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi,

I am not sure why it's giving you that error. hink it's due to nat-control being enabled. Try disabling that. If that does not help, could you run a packet tracer and paste the output?

packet-tracer input outside tcp 192.168.44.3 3183 10.237.214.151 21 detail

Regards,

Prapanch

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

One item that will assist others when troubleshooting issues like this based just on the configuration alone is to issue the command 'no names' - this allows all of the access-lists to show the real IP address so we don't have to reference the 'names' alias at the top of the configuration.  After you gather the configuration, you can re-enable the aliases via the command 'names'.

After parsing through your configuration, I see that you have 'nat-control' enabled.  That implies that all hosts that traverse the ASA (from a high security to lower security level interface) must have an explicit NAT command present.  If not, they are not allowed to pass.  With that being said, looking at all of the 'nat' commands, I don't see one present for interface 'Swisscom'.  Any host on 'Swisscom' does not have a translation present to egress the outside interface.  This is likely the cause of the error - you are translating the outside host to the Swisscom interface address, but the reverse flow doesn't have a translation.  If you want the hosts on 'Swisscom' to appear as their real IP address on the outside, you can do another 'nat (Swisscom) 0 access-list nonat_Swisscom' statement.  If you only want to define NAT on an "exception" basis versus the rule, you can issue the command 'no nat-control'.

The reason why you likely have not had issues with inside hosts is because the inside hosts are going from a high security to a lower security interface - only the high security interface will need the translation.

If this helps, be sure to mark this thread as answered for others benefit.

Have a great weekend,

Kevin

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Prapanch and Kevin

Both of your input helped me to get closer to the solution, whereas I've learned some lessons from your input, Kevin. I've learned, that it's required to also add a NAT statement for returning traffic, if the returning traffic is coming from a higher-level security interface. So my configured outside NAT is not enough to achieve bidirectional translation, right?

Thanks also for reminding me to turn of 'names' for troubleshooting purposes. Sorry for that, yet I'll continue to use the names in the ACLs, it's easier for me to organize all the config sniplets I've accumulated so far.

Now I've configured the following lines for return traffic (and I noticed I have to do the matching on the real IPs 192.168.44.0 /24 (= 'vpn-clients') and not 10.25.125.9 /32, otherwise the asymmetric translation errors won't go away):

access-list nonat-Swisscom extended permit ip object-group Swisscom_gin vpn-clients 255.255.255.0

nat (Swisscom) 0 access-list nonat-Swisscom

Also, I've made sure the ACL in the return path will allow the traffic towards the VPN clients:


access-list Swisscom_access_in extended permit ip object-group Swisscom_gin host 10.25.125.9
access-list Swisscom_access_in extended permit ip object-group Swisscom_gin vpn-clients 255.255.255.0

Now the asymmetric translation error has gone away, yet there's still no traffic flowing. I've done a packet-trace with the following options:

packet-tracer input Swisscom tcp 10.237.214.151 21 192.168.44.3 3321 detail

And this is where the packet gets stuck...something seems very fishy here:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat-control
  match ip outside vpn-clients 255.255.255.0 Swisscom host 10.237.214.151
    dynamic translation to pool 4 (10.25.125.9)
    translate_hits = 33, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7c8f368, priority=2, domain=nat-reverse, deny=false
        hits=1, user_data=0xd7c8f210, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.237.214.151, mask=255.255.255.255, port=0
        dst ip=vpn-clients, mask=255.255.255.0, port=0, dscp=0x0

I've also temporarily disabled 'ip verify reverse-path interface Swisscom', no success.

What could be wrong this time?

Toni

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hey,

The issue i think is because you have now configured the NAT exemption using the nat (Swisscom) 0  access-list nonat-Swisscom

This basically says there is not going to be any NAT involved for traffic from the 10.237.214.151 server to the VPN clients and vice versa. But in fact, you want to PAT the VPN client IP addresses. Instead of having a nat exemption, please try adding the below:

static (Swisscom,outside) Swisscom_gin access-list nonat-Swisscom

You can choose to change the name of the access-list to be more relevant. This does almost the same thing as NAT exemption. Let me know if this helps.

Another option you have is to remove the NAT exemption and disable "nat-control".

Regards,

Prapanch

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hey just realized that if you use the static command it is going to give you an error.

So, here is the command you will need.

access-list Swisscom-VPN permit ip host 10.237.214.151 vpn-clients  255.255.255.0

static (Swisscom,outside) 10.237.214.151 access-list Swisscom-VPN

try adding this instead of the NAT exemptions and see if it helps.

Regards,

Prapanch

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Prapanch

Thanks for your input. So I've removed the nat (Swisscom) 0 access-list nonat-Swisscom and added the static with an ACL as you've proposed.

No success either. This is what packet-tracer tells me now:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat-control
  match ip outside vpn-clients 255.255.255.0 Swisscom host 10.237.214.151
    dynamic translation to pool 4 (10.25.125.9)
    translate_hits = 40, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7c8f368, priority=2, domain=nat-reverse, deny=false
        hits=2, user_data=0xd7c8f210, cs_id=0x0, flags=0x0, protocol=0
        src ip=10.237.214.151, mask=255.255.255.255, port=0
        dst ip=vpn-clients, mask=255.255.255.0, port=0, dscp=0x0

When I change the ACL of the static to:

access-list Swisscom-VPN extended permit ip host 10.237.214.151 host 10.25.125.9

it doesn't help either, and the packet-tracer stops here:

Phase: 8
Type: NAT
Subtype:
Result: DROP
Config:
nat (Swisscom) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Swisscom any outside any
    no translation group, implicit deny
    policy_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7c6b2e0, priority=0, domain=nat, deny=false
        hits=2, user_data=0xd7c6b220, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

As I don't want to bore you guys any further: Do you know whether this scenario is supported by an ASA at all? For me, there's only two possibilities: Either I'm running into a bug, or the ASA won't allow you to source NAT a VPN pool to a different address, or, expressed differently: there's no possibility to do it bidirectionally.

What do you guys think? Am I going to be successful if I open a TAC case? I'm out of ideas now.

Thank you so far, anyway.

Toni

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hey,

I am not sure why you are getting the NAT drop in nat (Swisscom) 0 0.0.0.0  0.0.0.0.

Do you have such a command entered in the first place? Have you tried disabling nat-control to see if that helps?

But yeah go ahead and open up a TAC case. I am sure you will get it resolved much faster that way. I am sure this requirement is still supported. We are just not able to get hold of the problem with the information we have currently.

Regards,

Prapanch

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi again

I haven't used a NAT exemption on the Swisscom interface, that's why I'm so confused about it. There's no 'nat (Swisscom) 0 0 0' statement in the config.

No, I haven't removed 'nat-control' as this is a productive customer device and I don't want to risk any troubles without being in a maintenance window.

Thanks for your support so far; in case you came across a solution, please let me know.

Regards

Toni

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hello,

The reason you are getting RPF check on that line is because, even though

you are terminating VPN traffic on the outside interface, VPN clients are

treated as internal hosts (belonging to inside network). Can you remove "nat

(outside) 4 access-list vpn_nat_Swisscom outside" and enter "nat (inside) 4

access-list vpn_nat_Swisscom"?

Hope this helps.

Regards,

NT

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Nagaraja

As requested, I've changed the outside NAT to a inside NAT for the VPN pool:

access-list vpn_nat_Swisscom extended permit ip vpn-clients 255.255.255.0 object-group Swisscom_gin

nat (inside) 4 access-list vpn_nat_Swisscom

No remedy so far, see the packet-tracer output:


Phase: 7
Type: NAT
Subtype:
Result: DROP
Config:
nat (Swisscom) 0 0.0.0.0 0.0.0.0
nat-control
  match ip Swisscom any outside any
    no translation group, implicit deny
    policy_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xd7c6b2e0, priority=0, domain=nat, deny=false
        hits=3, user_data=0xd7c6b220, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Swisscom
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The interesting thing is, there is not 'nat (Swisscom) 0' rule configured!

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hello,

So, we are making progress now :). Now that traffic is going from VPN

clients to Swisscom interface fine, let us put one more rule for the reverse

path:

access-list vpn_nonat_Swisscom permit ip object-group Swisscom_gin

vpn-clients 255.255.255.0

nat (Swisscom) 0 access-list vpn_nonat_Swisscom

This will define the NAT rule for return traffic.

Hope this fixes the issue.

Regards,

NT

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Nagaraja

Now this is interesting, this has changed now:

1.) Packet-tracer reports that the return traffic is allowed! -> see attached file.

2.) There's no xlate entry while trying to send packets to the destination server 10.237.214.151. (Compared to when I source NAT the VPN pool from the outside interface instead of the inside.)

3.) Still, I can't get any traffic through, capture reports zero bytes back and forth:

iconfw(config)# sh capture
capture test type raw-data access-list test interface Swisscom [Capturing - 0 bytes]

4.) ASDM reports that the VPN client has issued a Ping - from outside! This is the only log message appearing:

"IDS:2004 ICMP echo request from 192.168.44.2 to 10.237.214.151 on interface outside"

Please see the current config excerpt attached.

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hello,

Can you run the following packet tracer:

packet-tracer input outside tcp 192.168.44.2 3321 10.237.214.151 21 det

Regards,

NT

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hey Toni,

Hmmm. Could you just paste  the configuration you have currently along with the output of "show crypto ipsec sa" and

"show xlate det | in " when trying to pass traffic from the VPN client to the DMZ server alone? I ll look through it again and see if i can find something from it or try few things out on my side if possible.

Regards,

Prapanch

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Prapanch

Please see the current config attached. I've cut out some sensitive lines with IPs, passwords and VPN profiles.

Here's the requested output:

iconfw# show crypto ipsec sa
interface: outside
    Crypto map tag: MAP02, seq num: 10, local addr: 84.253.37.228

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.44.2/255.255.255.255/0/0)
      current_peer: 195.5.180.5, username: casadmin
      dynamic allocated peer ip: 192.168.44.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.253.37.228/4500, remote crypto endpt.: 195.5.180.5/37778
      path mtu 1492, ipsec overhead 82, media mtu 1500
      current outbound spi: FFADAA96
      current inbound spi : 0EF64C2D

    inbound esp sas:
      spi: 0x0EF64C2D (251022381)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 315392, crypto-map: MAP02
         sa timing: remaining key lifetime (sec): 28624
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0003FFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFFADAA96 (4289571478)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 315392, crypto-map: MAP02
         sa timing: remaining key lifetime (sec): 28624
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


iconfw# show xlate det | in 192.168.44.
iconfw#

Here's the output when I change the NAT to outside NAT:

no nat (inside) 4 access-list vpn_nat_Swisscom
nat (outside) 4 access-list vpn_nat_Swisscom outside

iconfw(config)# show crypto ipsec sa

interface: outside

    Crypto map tag: MAP02, seq num: 10, local addr: 84.253.37.228

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.44.2/255.255.255.255/0/0)

      current_peer: 195.5.180.5, username: casadmin

      dynamic allocated peer ip: 192.168.44.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 84.253.37.228/4500, remote crypto endpt.: 195.5.180.5/50819

      path mtu 1492, ipsec overhead 82, media mtu 1500

      current outbound spi: CD4C98B9

      current inbound spi : 6BE10FC6

    inbound esp sas:

      spi: 0x6BE10FC6 (1809911750)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 323584, crypto-map: MAP02

         sa timing: remaining key lifetime (sec): 28788

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x000FFFFF

    outbound esp sas:

      spi: 0xCD4C98B9 (3444349113)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 323584, crypto-map: MAP02

         sa timing: remaining key lifetime (sec): 28788

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

iconfw(config)# show xlate det | in 192.168.44.

TCP PAT from outside:192.168.44.2/1044 to Swisscom(vpn_nat_Swisscom):10.25.125.9/54502 flags ri

TCP PAT from outside:192.168.44.2/1040 to Swisscom(vpn_nat_Swisscom):10.25.125.9/23599 flags ri

iconfw(config)#

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Tony,

The IPSec SA seems to show that packets are being decrypted by the ASA and i also see translation being created successfully with the "outside" NAT applied. What do the captures show on the Swisscom interface when trying a ping from the VPN client? Do you see packets leaving and coming back in?

Also, in the configuration, i do not see any rule for the reverse flow, that is, the static with ACL that we had discussed previously. If we do not have a rule like that one, the packet will be dropped as there will be no NAT rule (nat-control enabled).

If you see packtes coming back in on the Swisscom interface as well, can you run a asp-drop  capture like below:


access-list asp permit ip host 192.168.44.2 host 10.237.214.151

access-list asp permit ip host 10.237.214.151 host 192.168.44.2


capture asp type asp access-list asp

This should show all packets being dropped by the ASA. Let me know how it goes.

As a side note, just wanted to let you know that packet-tracer will not be the right way to troubleshoot this as it has NAT involved in both the directions of traffic (a dynaminc NAT in one direction). We should go by captures and asp drop to see what exactly is going wrong.

Regards,

Prapanch

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hi Prapanch

Thanks for your reply. I've tried to enter your capture commands, yet it doesn't accept ACLs as an input method. I've customized the asp capture (see attachment), yet it still shows drops for every possible flow.

But there are no drops for our sought-after flow.

So in summary, I see packets getting back to the ASA Swisscom int., they just don't arrive at my session on the PC.

This is what the NAT config looks like currently:


nat (outside) 2 access-list outside_nat_outbound outside
nat (outside) 4 access-list vpn_nat_Swisscom outside
nat (inside) 0 access-list nonat-inside
nat (inside) 3 access-list inside_nat_outbound
nat (inside) 1 icon_network 255.255.255.224
nat (Infnet) 0 access-list Infnet_nat0_outbound
nat (Swisscom) 0 access-list nonat-Swisscom

global (outside) 1 interface
global (Infnet) 2 172.20.66.7 netmask 255.255.0.0
global (Swisscom) 3 interface
global (Swisscom) 4 10.25.125.9 netmask 255.255.255.255

Regards

Toni

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hello Toni,

From the capture, I see that the remote server is resetting the connection

(no connection is being established). Is the server listening on port 1521?

Also, I don't see any ICMP packets getting returned by the remote server.

Can you check to see if there are any firewalls on the remote server?

Regards,

NT

Cisco Employee

Re: ASA reports asymmetric NAT for VPN client outside NAT

Hey Toni,

As Nagaraja pointed out, we see the server sending RST for every SYN packet from the VPN client. Kindly have a check as to why that is happening. Also, change the firewall settings on the servers so that it allows ICMP packets. I think that's the reaosn why the server is not replying with echo replies for every echo request.

Let me know once you have checked the above.

Regards,

Prapanch

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Ok, I will check with my customer, he's going to contact the operator of the server.

Thanks to both of you helping me out so far.

Regards

Toni

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

The case is solved! The last issue has been resolved by allowing the necessary ports for the src <-> dst through another firewall in the path.

Thank you guys for supporting me!

Regards

Toni

Community Member

Re: ASA reports asymmetric NAT for VPN client outside NAT

Great post guys,

     I just had the exact same problem and the information above enabled me to solve the problem. I note that the NAT from the vpn client traffic needs to be setup on the outside int, not the inside int.

Thanks a lot! :-)

Mike

3829
Views
15
Helpful
22
Replies
CreatePlease to create content