remote access vpn stopped working after upgrading to asa8.3.1

tachyon05
Level 1

I upgraded from 7.2x to 8.2, and then upgraded to 8.3.1. However, now remote access VPN stopped working. I read https://supportforums.cisco.com/docs/DOC-12569 already; however, I am either not understanding that correctly or am not sure how that helps my situation.

In version 7.2x, I had:
access-list CG_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
access-list SA_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
access-list CS_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.0
nat (CG) 0 access-list CG_nat0_outbound
nat (SA) 0 access-list SA_nat0_outbound
nat (CS) 0 access-list CS_nat0_outbound
......


After upgrading to 8.3.1, the config changed to:
nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,CS) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,SA) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CS) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CG) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,CG) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,SA) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

......

I am able to ping inside hosts from outside without the VPN; as soon as the VPN tunnel is established, I cannot ping the inside hosts anymore. The system would then generate the event log %ASA-5-305013:Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:10.10.x.2 dst CG:x.x.x.x (type 8, code 0) denied due to NAT reverse path failure

2 Replies

Kureli Sankar
Cisco Employee

You can try to remove these lines:

no nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
no nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
no nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

and try to add them with line numbers:

nat (CG,Outside) 1 source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) 2 source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) 3 source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

Let me know. If this doesn't work, then we can gather packet-tracer output.

-KS

Well, it worked after I disabled those NAT configuration lines. But I am not sure why.

Anyway, I have 10+ sub-interfaces, so there are hundreds of NAT lines added by the new 8.3.1 (I think I only had 20-some NAT lines). It will take me a while to disable all of them.

Thanks, everyone.
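The reply above proposes removing the migrated identity-NAT lines that pair each inside interface with Outside, and the poster then notes there are hundreds of such lines across 10+ sub-interfaces. The following Python is an added example, not code from the thread or from Cisco: it parses twice-NAT lines of the shape quoted above out of a saved running config and emits the matching "no nat ..." commands for review before anything is pasted into the ASA. It assumes the outside interface is named Outside and that only identity rules (real and mapped objects equal on both sides) should be selected.

```python
import re

# Constructed sample: the migrated lines quoted in the thread plus one non-NAT line.
SAMPLE_CONFIG = """\
access-list CG_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,CS) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,SA) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CS) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CG) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,CG) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,SA) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
"""

# Twice-NAT line as written by the 8.3 migration; the optional number is a line position.
NAT_RE = re.compile(
    r"^\s*nat\s+\((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\)\s+(?:(?P<line>\d+)\s+)?"
    r"source\s+static\s+(?P<s_real>\S+)\s+(?P<s_mapped>\S+)\s+"
    r"destination\s+static\s+(?P<d_real>\S+)\s+(?P<d_mapped>\S+)\s*$"
)

def parse_nat_lines(config):
    """Return one dict per twice-NAT 'source static ... destination static' line."""
    rules = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw)
        if m:
            rule = m.groupdict()
            rule["text"] = raw.strip()
            rules.append(rule)
    return rules

def outside_identity_rules(rules, outside_if="Outside"):
    """Identity rules (real == mapped on both sides) whose egress interface is the outside one."""
    return [r for r in rules
            if r["dst_if"] == outside_if
            and r["s_real"] == r["s_mapped"]
            and r["d_real"] == r["d_mapped"]]

def removal_commands(rules, outside_if="Outside"):
    """'no nat ...' lines for those rules, the change the reply above proposes."""
    return ["no " + r["text"] for r in outside_identity_rules(rules, outside_if)]

if __name__ == "__main__":
    print("\n".join(removal_commands(parse_nat_lines(SAMPLE_CONFIG))))
```

A rule whose real and mapped objects differ is deliberately left alone, since it is doing real translation rather than the nat 0 exemption the migration was reproducing.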
