11-08-2010 01:36 AM - edited 03-11-2019 12:06 PM
Hi, I am doing remote-access VPN, client connection using AnyConnect.
Group policies are all set up, but I just keep getting this error message:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.5.50 dst inside:10.10.10.1 (type 8, code 0) denied due to NAT reverse path failure (10.10.5.0 being the VPN Pool)
The only NAT I perform on the box is the LAN xlate to the outside interface IP towards the internet connection.
My outside interface IP is 202.152..8x.3x; I intend to let remote users connect to the 10.10.x.x LAN network, using 10.10.5.0 as the VPN pool to route in the LAN.
This is the NAT I created:
object network Mxx_Ix_SUPERTNET
nat (any,outside) dynamic interface
Any clue on it? What I found on other forums suggests that I am missing one static NAT for the return-path forwarding? Can you guide me on this? I thought creating one NAT would apply bidirectionally..
Thank you
11-08-2010 01:42 AM
You would need to create NAT exemption as follows:
object network obj-10.10.0.0
subnet 10.10.0.0 255.255.0.0
object network obj-10.10.5.0
subnet 10.10.5.0 255.255.255.0
nat (inside,outside) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.10.5.0 obj-10.10.5.0
Hope that helps.
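Why the identity (exemption) rule cures the reverse-path failure, as an added illustration that is not part of this thread or of any Cisco code: a small Python model of ASA 8.3 NAT lookup, where manual (twice) NAT in Section 1 is evaluated before object NAT in Section 2, and where the reply flow is checked for symmetry the way the logged error describes. The outside address 203.0.113.1 and the tuple encoding of the rules are assumptions.

```python
import ipaddress

# Constructed model of ASA 8.3 NAT lookup (not Cisco code). Section 1 holds manual
# (twice) NAT such as the exemption above; Section 2 holds object (auto) NAT such as
# the poster's "nat (any,outside) dynamic interface". Lower section wins, first match wins.
OUTSIDE_IP = "203.0.113.1"   # placeholder for the masked outside interface address

# Rule fields: section, ingress interface ("any" allowed), egress interface,
# real source subnet, destination subnet, mapped source (None = identity / no NAT).
OBJECT_PAT = (2, "any", "outside", "10.10.0.0/16", "0.0.0.0/0", OUTSIDE_IP)
VPN_EXEMPT = (1, "inside", "outside", "10.10.0.0/16", "10.10.5.0/24", None)


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def translate(rules, in_if, out_if, src, dst):
    """Mapped source address for a flow src->dst from in_if to out_if (src if no match)."""
    for sec, r_in, r_out, src_net, dst_net, mapped in sorted(rules, key=lambda r: r[0]):
        if r_in not in ("any", in_if) or r_out != out_if:
            continue
        if in_net(src, src_net) and in_net(dst, dst_net):
            return src if mapped is None else mapped
    return src


def reverse_path_ok(rules, in_if, out_if, src, dst):
    """ASA-style symmetry check for a packet src->dst arriving on in_if bound for out_if:
    the reply dst->src leaving out_if must present dst under the same address, otherwise
    the ASA logs 'Asymmetric NAT rules matched ... NAT reverse path failure'."""
    reply_src = translate(rules, out_if, in_if, dst, src)
    return reply_src == dst


if __name__ == "__main__":
    flow = ("outside", "inside", "10.10.5.50", "10.10.10.1")   # VPN client pinging a LAN host
    print("only object PAT :", reverse_path_ok([OBJECT_PAT], *flow))             # False
    print("with exemption  :", reverse_path_ok([OBJECT_PAT, VPN_EXEMPT], *flow))  # True
    # Internet-bound LAN traffic is still PATed: the exemption only matches the VPN pool.
    print("LAN -> internet :", translate([OBJECT_PAT, VPN_EXEMPT], "inside", "outside",
                                         "10.10.10.1", "198.51.100.7"))          # 203.0.113.1
```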
11-08-2010 06:50 PM
Hi Jennifer,
Thanks for the reply.
Just want to check with you: I'm using the wizard to create the instance for the remote-access VPN, and found out that ASA 8.3 NAT exemption is done the Twice NAT way nowadays; checking the config on the CLI, it is the same as what you're posting here.
Just wondering why in VPN we need NAT exemption?
Thanks
11-08-2010 06:55 PM
Yes, NAT exemption for VPN has always been there since earlier versions of the ASA. The reason why you need to configure NAT exemption for VPN is that you do not want to NAT the clear-text traffic between the VPN subnets, or between the internal network and the VPN client pool; therefore, you need to create a NAT exemption. Otherwise, it will fall under the default dynamic NAT policy that you have created, and it gets PATed to the outside interface IP address.
Hope that clears the confusion.
11-08-2010 08:12 PM
Thanks Jennifer.
There are big changes in ASA 8.3 compared to previous versions. Time to re-learn.
Thanks again for the guidance.