denied due to NAT reverse path failure on ASA 8.3

yong khang NG
Level 5

Hi, I am doing remote-access VPN, with clients connecting using AnyConnect.

Group policies are all set up, but I am just getting this error message:

Asymmetric NAT rules matched for forward and reverse flows; Connection  for icmp src outside:10.10.5.50 dst inside:10.10.10.1 (type 8, code 0)  denied due to NAT reverse path failure  (10.10.5.0 being the VPN Pool)

The only NAT I perform on the box is the LAN xlate to the outside interface IP for the internet connection.

My outside interface IP is 202.152..8x.3x. I intend to let remote users connect to the 10.10.x.x LAN network, using 10.10.5.0 as the VPN pool to route into the LAN.

This is the NAT I created:

object network Mxx_Ix_SUPERTNET
nat (any,outside) dynamic interface

Any clue on this? What I found on other forums suggests that I am missing one static NAT for the return path forwarding? Can you guide me on this? I thought creating one NAT would apply bidirectionally..

Thank you

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

You would need to create a NAT exemption as follows:

object network obj-10.10.0.0

     subnet 10.10.0.0 255.255.0.0

object network obj-10.10.5.0

     subnet 10.10.5.0 255.255.255.0

nat (inside,outside) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.10.5.0 obj-10.10.5.0

Hope that helps.


Hi Jennifer,

Thanks for the reply.

Just want to check with you: I am using the wizard to create the instance for the remote access VPN, and found out that ASA 8.3 NAT exemption is done the Twice NAT way nowadays; on a CLI check the config is the same as what you're posting here.

Just wondering why in VPN we need NAT exemption?

Thanks

Yes, NAT exemption for VPN has always been there since earlier versions of ASA. The reason you need to configure NAT exemption for VPN is that you do not want to NAT the clear-text traffic between the VPN subnets, or between the internal network and the VPN client pool; therefore, you need to create a NAT exemption. Otherwise, it will fall under the default dynamic NAT policy that you have created, and it gets PATed to the outside interface IP address.

Hope that clears the confusion.
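The following is an added example written for this thread, not Cisco code and not part of either poster's configuration. It is a deliberately simplified model of how ASA 8.3 evaluates NAT rules (section 1 manual/twice NAT before section 2 object NAT, first match wins, static rules matching in both directions) and of the reverse-path check that produces the "Asymmetric NAT rules matched" message in the original post. It runs the VPN client's ICMP flow through the original post's object NAT alone and then with the accepted answer's exemption placed in front, and also confirms that ordinary LAN-to-internet traffic is still PATed. The LAN object is assumed to be 10.10.0.0/16, the pool 10.10.5.0/24, and 203.0.113.1 is a constructed stand-in for the poster's redacted outside interface address.

```python
"""Simplified model of ASA 8.3 NAT lookup and its reverse-path check.

Illustration added for this thread; it is not Cisco code and does not
reproduce the ASA's real implementation. It keeps only the behaviour the
thread turns on: rules are evaluated in section order (manual/twice NAT in
section 1 before object NAT in section 2), first match wins, static rules
match in both directions, and a connection is dropped when the reply flow
would be translated differently from what the forward flow expects.
Addresses are constructed: LAN 10.10.0.0/16 (assumed size of the poster's
object), VPN pool 10.10.5.0/24, and 203.0.113.1 standing in for the poster's
redacted outside interface IP.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERFACE_IP = {"outside": ipaddress.ip_address("203.0.113.1")}  # constructed value


@dataclass
class NatRule:
    name: str
    real_if: str                      # interface of the real (untranslated) side, or "any"
    mapped_if: str                    # interface of the mapped (translated) side
    real_src: ipaddress.IPv4Network
    src_xlate: str                    # "identity" (exemption) or "interface" (dynamic PAT)
    real_dst: ipaddress.IPv4Network = ANY
    static: bool = False              # static twice NAT also matches packets from the mapped side

    def match(self, in_if, out_if, src, dst):
        """Return the translated (src, dst) if the rule applies to this packet, else None."""
        forward = (self.real_if in ("any", in_if) and self.mapped_if in ("any", out_if)
                   and src in self.real_src and dst in self.real_dst)
        # A static rule is bidirectional: a packet entering on the mapped side
        # toward the real side also matches. Only identity mappings are modelled here.
        reverse = (self.static and self.mapped_if in ("any", in_if)
                   and self.real_if in ("any", out_if)
                   and src in self.real_dst and dst in self.real_src)
        if not (forward or reverse):
            return None
        if forward and self.src_xlate == "interface":
            return INTERFACE_IP[out_if], dst   # PAT to the egress interface address
        return src, dst                        # identity: no translation


def translate(rules, in_if, out_if, src, dst):
    """First-match lookup in section order. Returns (rule name, (mapped src, mapped dst))."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        mapped = rule.match(in_if, out_if, src, dst)
        if mapped is not None:
            return rule.name, mapped
    return "no-nat", (src, dst)


def check_connection(rules, in_if, out_if, src, dst):
    """Model the reverse-path check: the reply's translated source must be the
    address the forward flow expects to talk to; otherwise the ASA logs
    'Asymmetric NAT rules matched' and denies the connection."""
    fwd_rule, (_, expected_peer) = translate(rules, in_if, out_if, src, dst)
    rev_rule, (reply_src, _) = translate(rules, out_if, in_if, dst, src)
    if reply_src != expected_peer:
        return "denied", (f"Asymmetric NAT rules matched for forward ({fwd_rule}) and "
                          f"reverse ({rev_rule}) flows: reply would come from "
                          f"{reply_src}, forward flow expects {expected_peer}")
    return "allowed", f"forward: {fwd_rule}, reverse: {rev_rule}"


LAN = ipaddress.ip_network("10.10.0.0/16")      # assumed contents of object Mxx_Ix_SUPERTNET
VPN_POOL = ipaddress.ip_network("10.10.5.0/24")

# nat (any,outside) dynamic interface            -> section 2 object NAT
OBJECT_PAT = NatRule("object NAT dynamic interface", "any", "outside", LAN, "interface")
# nat (inside,outside) source static obj-10.10.0.0 obj-10.10.0.0
#     destination static obj-10.10.5.0 obj-10.10.5.0  -> section 1 twice NAT (exemption)
EXEMPTION = NatRule("twice NAT exemption", "inside", "outside", LAN, "identity",
                    VPN_POOL, static=True)

BEFORE = [OBJECT_PAT]            # the original post's configuration
AFTER = [EXEMPTION, OBJECT_PAT]  # with the accepted answer's exemption evaluated first

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, *check_connection(rules, "outside", "inside", "10.10.5.50", "10.10.10.1"))
    print("lan->internet", *check_connection(AFTER, "inside", "outside", "10.10.10.1", "8.8.8.8"))
```

Without the exemption, the forward flow from the VPN client matches nothing, but the reply from 10.10.10.1 leaving via outside hits the dynamic PAT rule and would be sourced from the interface address, which is the asymmetry the log line reports. With the identity twice NAT in section 1, both directions match the same rule, so the reply check passes while LAN hosts going to the internet still fall through to the PAT rule.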

Thanks Jennifer.

There are big changes in ASA 8.3 compared to the previous version. Time to re-learn.

Thanks again for the guide
