Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

We have an existing ASA 5510 running 8.2, and have added an ASA 5505 running 8.4 at our secondary location. I have created a site-to-site tunnel that shows UP and working, but when a connection is attempted, the following error shows in our logs:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.x.x dst inside:192.168.x.x (type 8, code 0) denied due to NAT reverse path failure

Both sites can ping and browse outside the network, but not to each other. Also, when I look at the VPN statistics section of the Monitoring page, it shows that the remote site has transmitted 0 bytes but rec'd 5654. Vice versa on the local site's page.

If it's a factor - the only way I could get the tunnel to work was by creating a new crypto IPSec key called Krypton. it's at the end of my crypto statements.

My config for the remote location is below.

hostname Krypton

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.50.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240

!

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network KryptonPrime

subnet 10.0.0.0 255.0.0.0

description Krypton Internal Network

access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 object KryptonPrime

access-list outside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http server idle-timeout 60

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set Krypton esp-aes-192 esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer x.x.x.x 

crypto map outside_map 1 set ikev1 transform-set Krypton

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 5

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd dns 4.2.2.2 8.8.8.8

!

dhcpd dns 4.2.2.2 8.8.8.8 interface inside

dhcpd domain krypton-solutions.com interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

group-policy GroupPolicy_x.x.x.x  internal

group-policy GroupPolicy_x.x.x.x  attributes

vpn-tunnel-protocol ikev1

username  password  encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group x.x.x.x  type ipsec-l2l

tunnel-group x.x.x.x general-attributes

default-group-policy GroupPolicy_66.128.51.138

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:2deed59b90dc60eaa610d0a0f02513b3

: end

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

Hi,

You dont have NAT0 configuration in the above configurations.

Even though its not an issue in this case I doubt you have a 10.0.0.0/8 network configured on the other site?

But to configure the NAT0 add these configurations

object network LAN

subnet 192.168.50.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static KryptonPrime KryptonPrime

Let me know how it goes

Hope this helps

- Jouni

5 REPLIES
Super Bronze

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

Hi,

You dont have NAT0 configuration in the above configurations.

Even though its not an issue in this case I doubt you have a 10.0.0.0/8 network configured on the other site?

But to configure the NAT0 add these configurations

object network LAN

subnet 192.168.50.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static KryptonPrime KryptonPrime

Let me know how it goes

Hope this helps

- Jouni

Super Bronze

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

Also,

I would suggest that you remove your external interfaces ACL since it allows any traffic. You dont need the ACL for VPN. The VPN traffic will flow through regardles.

Even though you dont have any Static NAT configured that would enable connectivity from external network, this ACL still might potentially allow some traffic inbound when translations are active on the firewall.

- Jouni

Community Member

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

Thanks Jouni,

I've created the network object and NAT, which allows me now to ping back and forth (happydance!)

Now  I am able to view shared folders and servers from the remote site  192.168.50.x to KryptonPrime, but cannot view from KryptonPrime to the  remote site.

Also, the monitor on the remote site shows SSH sessions with random user names (test, ts, ts3, etc) being disconnected constantly. ?

SSH session from 37.59.34.39 on interface outside for user "testuser" disconnected by SSH server, reason: "Internal error" (0x00)

Any thoughts? Aaaaallllllmost there....

Also, you asked about the KryptonPrime subnet - it actually is 10.0.0.0/8 because we use 10.0 and 10.2. and 10.5 networks.

Thanks immensely for your help,

Victor.

Current config:

Result of the command: "show running-config"

: Saved

:

ASA Version 8.4(5)

!

hostname Krypton-Global-IP-DC

domain-name kryptonsolutions.local

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.50.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name kryptonsolutions.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network KryptonPrime

subnet 10.0.0.0 255.0.0.0

description Krypton Internal Network

object network LAN

subnet 192.168.50.0 255.255.255.0

object network lan

access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 object KryptonPrime

access-list outside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static LAN LAN destination static KryptonPrime KryptonPrime

!

object network obj_any

nat (inside,outside) dynamic interface

!

nat (inside,outside) after-auto source dynamic any interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http server idle-timeout 60

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set Krypton esp-aes-192 esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set ikev1 transform-set Krypton

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 5

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd dns 4.2.2.2 8.8.8.8

!

dhcpd dns 4.2.2.2 8.8.8.8 interface inside

dhcpd domain krypton-solutions.com interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless

group-policy GroupPolicy_x.x.x.x internal

group-policy GroupPolicy_x.x.x.x attributes

vpn-tunnel-protocol ikev1

username encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

default-group-policy GroupPolicy_66.128.51.138

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:403b5e87e2205f35f8f0ddd3e098b6d2

: end

Super Bronze

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

Hi,

There should be nothing on this remote side stopping traffic towards the other site. The problem might be in its configurations.

I imagine that there are attemtps to log onto your device as you have permitted SSH logins from ANY source address behind the "outside" interface. This will permit anyone to get the login prompt on your firewall.

ssh 0.0.0.0 0.0.0.0 outside

So you either have to narrow that down to specific public IP addresses or remove it completely or handle the ASA management remotely in some other way. You could always only allow management connections through VPN then you would not have to keep the management connections allowed to the public network. Then again it cause problems to have too strict restrictions on where you can attempt management connection.

But the above logs messages are probably attempts to login to your device.

- Jouni

Community Member

ASA to ASA VPN Tunnel - denied due to NAT reverse path failure

Thanks! I'm amazed at the number of attempts to hack in - I guess the script kiddies of the world really love their 'work'!

I'm going to spin up the full server at the Remote site, and we'll know by tomorrow how happy the world truly is.

Thanks again,

Victor.

1706
Views
0
Helpful
5
Replies
CreatePlease to create content