Problems with "Asymmetric NAT rules matched for forward and reverse flows- denied due to NAT reverse path failure"

tbrooks
Level 1

Using 8.2.5

I have an AnyConnect VPN that is not functioning. I'm able to connect but not able to access anything on the LAN.

I'm getting the following errors in ASDM.

5    Nov 13 2011    20:41:05    192.168.0.5    3389    Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.0.42/1513 dst inside:192.168.0.5/3389 denied due to NAT reverse path failure

My sanitized configuration is included.

Totally confused with the NAT traversal issue. I would appreciate some assistance.

SHO ACCESS-L is below

sh access-l
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_nat0_outbound; 1 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip 192.168.0.0 255.255.255.0 VPNNet 255.255.255.0 (hitcnt=0) 0x330c9a6d
access-list outside_access; 8 elements; name hash: 0xee117655
access-list outside_access line 1 extended permit tcp any host OutsideDMZWeb eq www (hitcnt=1172) 0xd20993c1
access-list outside_access line 2 extended permit tcp any host OutsideMailServer eq smtp (hitcnt=219) 0x4f13736b
access-list outside_access line 3 extended permit tcp any host OutsideMailServer eq www (hitcnt=1) 0x93c66598
access-list outside_access line 4 extended permit tcp any host OutsideMailServer eq https (hitcnt=253) 0x04017f02
access-list outside_access line 5 extended permit tcp any host OutsideSQL object-group ts 0xe3b6a426
  access-list outside_access line 5 extended permit tcp any host OutsideSQL eq 3389 (hitcnt=4) 0x8dc511ee
access-list outside_access line 6 extended permit tcp any host OutsideMailServer object-group ts 0x4b6801cf
  access-list outside_access line 6 extended permit tcp any host OutsideMailServer eq 3389 (hitcnt=5) 0x67b35434
access-list outside_access line 7 extended permit tcp any host OutsideDMZWeb object-group ts 0xf2df7313
  access-list outside_access line 7 extended permit tcp any host OutsideDMZWeb eq 3389 (hitcnt=244) 0x87a8e911
access-list outside_access line 8 extended permit tcp any host OutsideDMZWeb eq https (hitcnt=0) 0x51043a7b
access-list inside_nat_outbound; 2 elements; name hash: 0xb64b365a
access-list inside_nat_outbound line 1 extended permit ip any VPNNet 255.255.255.0 (hitcnt=0) 0x503e0af3
access-list inside_nat_outbound line 2 extended permit ip 192.168.0.0 255.255.255.0 VPNNet 255.255.255.0 (hitcnt=0) 0x72590365
access-list argen01_splitTunnelAcl; 1 elements; name hash: 0x2895c8be
access-list argen01_splitTunnelAcl line 1 standard permit 192.168.0.0 255.255.255.0 (hitcnt=0) 0xd35fe9fd

sh nat

NAT policies on Interface inside:
  match ip inside 192.168.0.0 255.255.255.0 outside VPNNet 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.0.0 255.255.255.0 inside VPNNet 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.0.0 255.255.255.0 dmz VPNNet 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.0.0 255.255.255.0 management VPNNet 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside host InsideMailServer outside any
    static translation to OutsideMailServer
    translate_hits = 38454, untranslate_hits = 47764
  match ip inside host InsideSQL outside any
    static translation to OutsideSQL
    translate_hits = 93, untranslate_hits = 2982
  match ip inside any outside any
    dynamic translation to pool 101 (12.12.12.12 [Interface PAT])
    translate_hits = 352039, untranslate_hits = 12431
  match ip inside any inside any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management any
    dynamic translation to pool 101 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any dmz any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface dmz:
  match ip dmz host InsideDMZWeb outside any
    static translation to OutsideDMZWeb
    translate_hits = 1267, untranslate_hits = 5840
  match ip dmz any outside any
    dynamic translation to pool 1 (12.12.12.15)
    translate_hits = 139, untranslate_hits = 30
  match ip dmz any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface management:
  match ip management any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip management any dmz any
    no translation group, implicit deny
    policy_hits = 0

3 Replies

Maykol Rojas
Cisco Employee

Hey,

Just a quick question: 192.168.0.42 and 192.168.0.45 seem to be on the same network (inside), so why is the 192.168.0.42 IP address coming from the outside?

Normally these error messages are referred to as a problem with NAT (it enters with the real IP and then, going out, the packet gets NATed).

Let me know.

Mike
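The asymmetry Mike describes (the inbound packet from the VPN client matches no NAT rule, while the return packet from the inside host is caught by the interface PAT) can be checked mechanically against `sh nat` output. The following is an added example, not code from the thread or from Cisco: it parses a constructed `show nat` excerpt laid out like the one in the question, emulates the 8.2 reverse-path comparison for a packet arriving on the mapped (outside) interface, and reports which policy each direction hit. The sanitized object names have been replaced with hypothetical addresses (VPNNet = 10.10.10.0/24, InsideSQL = 192.168.0.20, OutsideSQL = 12.12.12.13); the real output would need those names resolved before parsing.

```python
"""Emulate the ASA 8.2 NAT reverse-path check against 'show nat' output.

Added example, not from the thread. VPNNet, InsideSQL and OutsideSQL are
sanitized names in the original post; the addresses below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the same layout as the question's 'sh nat' output.
SAMPLE_SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside 192.168.0.0 255.255.255.0 outside 10.10.10.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside host 192.168.0.20 outside any
    static translation to 12.12.12.13
    translate_hits = 93, untranslate_hits = 2982
  match ip inside any outside any
    dynamic translation to pool 101 (12.12.12.12 [Interface PAT])
    translate_hits = 352039, untranslate_hits = 12431
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
"""


@dataclass
class NatRule:
    real_if: str
    real_net: Optional[ipaddress.IPv4Network]    # None means 'any'
    mapped_if: str
    remote_net: Optional[ipaddress.IPv4Network]  # None means 'any'
    kind: str                                    # exempt | static | dynamic | deny
    mapped_addr: Optional[ipaddress.IPv4Address] = None
    text: str = ""


def _parse_net(tok, i):
    """Parse 'any', 'host A' or 'A MASK' starting at tok[i]; return (net, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_show_nat(text):
    """Turn 'match ip ...' lines plus their action line into ordered NatRule objects."""
    rules, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("match ip "):
            tok = line.split()[2:]
            real_net, i = _parse_net(tok, 1)
            remote_net, _ = _parse_net(tok, i + 1)
            pending = NatRule(tok[0], real_net, tok[i], remote_net, "", text=line)
        elif pending is not None and pending.kind == "":
            if line.startswith("NAT exempt"):
                pending.kind = "exempt"
            elif line.startswith("static translation to "):
                pending.kind = "static"
                pending.mapped_addr = ipaddress.ip_address(line.split()[-1])
            elif line.startswith("dynamic translation to pool"):
                pending.kind = "dynamic"
            elif line.startswith("no translation group"):
                pending.kind = "deny"
            else:
                continue        # hit counters and headers carry no policy
            rules.append(pending)
    return rules


def _in(net, ip):
    return net is None or ip in net


def outbound_match(rules, real_if, real_ip, mapped_if, remote_ip):
    """Flow leaving the real (inside) interface: the first ordered policy wins."""
    for r in rules:
        if (r.real_if == real_if and r.mapped_if == mapped_if
                and _in(r.real_net, real_ip) and _in(r.remote_net, remote_ip)):
            return r
    return None


def inbound_match(rules, mapped_if, remote_ip, real_if, dst_ip):
    """Flow arriving on the mapped (outside) interface. Returns (rule, real destination).
    Exemptions match on the real address, statics match when the packet is addressed
    to the mapped address, and dynamic PAT never admits a new inbound flow."""
    for r in rules:
        if r.real_if != real_if or r.mapped_if != mapped_if or not _in(r.remote_net, remote_ip):
            continue
        if r.kind == "exempt" and _in(r.real_net, dst_ip):
            return r, dst_ip
        if r.kind == "static" and r.mapped_addr == dst_ip:
            return r, r.real_net.network_address   # static host rule: untranslate
    return None, dst_ip


def reverse_path_check(rules, in_if, src_ip, out_if, dst_ip):
    """Packet arriving on in_if (mapped side) bound for out_if (real side).
    Returns (allowed, forward_rule, reverse_rule); the flow is allowed only when
    both directions resolve to the same policy, which is what 8.2 enforces."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fwd, real_dst = inbound_match(rules, in_if, src, out_if, dst)
    rev = outbound_match(rules, out_if, real_dst, in_if, src)
    return fwd is rev, fwd, rev


def explain(rules, in_if, src_ip, out_if, dst_ip):
    ok, fwd, rev = reverse_path_check(rules, in_if, src_ip, out_if, dst_ip)
    verdict = "symmetric, allowed" if ok else "asymmetric, denied (NAT reverse path failure)"
    return (f"{in_if}:{src_ip} -> {out_if}:{dst_ip}: forward={fwd.text if fwd else 'no rule'}; "
            f"reverse={rev.text if rev else 'no rule'} -> {verdict}")


if __name__ == "__main__":
    rules = parse_show_nat(SAMPLE_SHOW_NAT)
    # The 5-tuple from the question's syslog: client address is on the inside subnet
    print(explain(rules, "outside", "192.168.0.42", "inside", "192.168.0.5"))
    # The same client holding a VPNNet pool address (hypothetical 10.10.10.7)
    print(explain(rules, "outside", "10.10.10.7", "inside", "192.168.0.5"))
```

With the client at 192.168.0.42 the forward lookup finds no policy (the exemption only covers VPNNet as the remote side) while the reverse lookup lands on the interface PAT, so the check fails exactly as the syslog reports; with a pool address both directions hit the exemption and the flow is allowed.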

Mike

Looks like the VPN is picking up an IP address from DHCP instead of the "ippool".

Sent from my iPad

You can check that on the tunnel group, if you have a DHCP server or the pool assigned to it. Also, you need to check what method is being used.

sh run all | inc vpn-addr-assign

Mike
