Cisco Support Community

New Member

denied due to NAT reverse path failure on ASA 8.3

Hi, I am doing a remote-access VPN, client connection using AnyConnect.

Group policies are all set up, but I am just getting this error message:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.5.50 dst inside:10.10.10.1 (type 8, code 0) denied due to NAT reverse path failure (10.10.5.0 being the VPN pool)

The only NAT I perform on the box is the LAN xlate to the outside interface IP towards the internet connection.

My outside interface IP is 202.152..8x.3x; I intend to let remote users connect to the 10.10.x.x LAN network, using 10.10.5.0 as the VPN pool to route in the LAN.

This is the NAT I created:

object network Mxx_Ix_SUPERTNET
nat (any,outside) dynamic interface

Any clue on it? What I searched on other forums suggests that I am missing one static NAT for return-path forwarding? Can you guide me on this? I thought creating one NAT would apply bidirectionally.

Thank you.

1 ACCEPTED SOLUTION

Cisco Employee

Re: denied due to NAT reverse path failure on ASA 8.3

You would need to create NAT exemption as follows:

object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.0.0
object network obj-10.10.5.0
 subnet 10.10.5.0 255.255.255.0
nat (inside,outside) source static obj-10.10.0.0 obj-10.10.0.0 destination static obj-10.10.5.0 obj-10.10.5.0

Hope that helps.

4 REPLIES

New Member

Re: denied due to NAT reverse path failure on ASA 8.3

Hi Jennifer,

Thanks for the reply.

Just want to check with you: I used the wizard to create the instance for the remote-access VPN, and found out ASA 8.3 NAT exemption is done the Twice NAT way nowadays; on CLI check, the config is the same as what you're posting here.

Just wondering why in VPN we need NAT exemption?

Thanks.

Cisco Employee

Re: denied due to NAT reverse path failure on ASA 8.3

Yes, NAT exemption for VPN has always been there since earlier versions of the ASA. The reason why you need to configure NAT exemption for VPN is that you do not want to NAT the clear-text traffic between the VPN subnets, or between the internal network and the VPN client pool; therefore, you need to create a NAT exemption. Otherwise, it will fall under the default dynamic NAT policy that you have created, and it gets PATed to the outside interface IP address.

Hope that clears the confusion.
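Putting the accepted solution and the explanation above together, here is a complete ASA 8.3 NAT fragment with the exemption placed next to the original PAT rule, followed by the checks that show the exemption is actually the rule being hit. This is an added example, not config from the thread or from Cisco: the object names are hypothetical, and because the original poster's Mxx_Ix_SUPERTNET object was posted without its subnet line, the LAN is assumed to be 10.10.0.0/16.

```text
! Added example (assumed names and addresses; LAN assumed to be 10.10.0.0/16).
object network LAN_10.10.0.0
 subnet 10.10.0.0 255.255.0.0
 ! Section 2 (object NAT): the original dynamic PAT to the outside
 ! interface for Internet-bound traffic. On its own, a LAN host's reply
 ! to a VPN client would match this rule and be PATed to the outside IP,
 ! which is the asymmetry the "NAT reverse path failure" message reports.
 nat (inside,outside) dynamic interface
!
object network VPN_POOL_10.10.5.0
 subnet 10.10.5.0 255.255.255.0
!
! Section 1 (manual / twice NAT): identity NAT between the LAN and the
! VPN pool. Real and mapped objects are the same, so nothing is translated
! in either direction, and the reverse-path check finds the same rule for
! the return flow. Manual NAT is evaluated before object NAT, so this
! takes precedence over the PAT rule above for LAN <-> pool traffic.
nat (inside,outside) source static LAN_10.10.0.0 LAN_10.10.0.0 destination static VPN_POOL_10.10.5.0 VPN_POOL_10.10.5.0
!
! Checks:
! 1. The exemption must be listed under Section 1, ahead of the Section 2 PAT.
show nat
! 2. Simulate a LAN host (10.10.10.1) sending an ICMP echo to a VPN client
!    (10.10.5.50). The NAT phase of the trace should show the static identity
!    rule, not "dynamic interface", and the final result should be ALLOW.
packet-tracer input inside icmp 10.10.10.1 8 0 10.10.5.50 detailed
! 3. Re-test the VPN client; the nat-rpf-failed drop counter should stop
!    increasing once the exemption is in place.
show asp drop
```

The common mistake when adding this later is to put the LAN object under a different name than the one used in the PAT rule and end up with two overlapping objects; whatever the names, the point is that the identity rule sits in Section 1 and covers both the LAN and the pool as source and destination, so the forward and reverse flows resolve to the same rule.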

New Member

Re: denied due to NAT reverse path failure on ASA 8.3

Thanks Jennifer.

There are big changes in ASA 8.3 compared to the previous version. Time to re-learn.

Thanks again for the guide.
