New Member

remote access vpn stopped working after upgrading to asa8.3.1

I upgraded from 7.2x to 8.2, and then to 8.3.1; however, remote access VPN has now stopped working. I have already read https://supportforums.cisco.com/docs/DOC-12569, but I am either not understanding it correctly or not sure how it helps my situation.

In version 7.2x, I had:
access-list CG_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
access-list SA_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.128
access-list CS_nat0_outbound extended permit ip x.x.x.x 255.255.255.x 10.10.x.0 255.255.255.0
nat (CG) 0 access-list CG_nat0_outbound
nat (SA) 0 access-list SA_nat0_outbound
nat (CS) 0 access-list CS_nat0_outbound
......


After upgrading to 8.3.1, the config changed to:
nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,CS) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CG,SA) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CS) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,CG) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,CG) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,SA) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

......

I am able to ping inside hosts from outside without the VPN; as soon as the VPN tunnel is established, I cannot ping the inside hosts anymore. The system then generates the event log: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:10.10.x.2 dst CG:x.x.x.x (type 8, code 0) denied due to NAT reverse path failure

2 REPLIES
Cisco Employee

Re: remote access vpn stopped working after upgrading to asa8.3.

You can try to remove these lines:

no nat (CG,Outside) source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
no nat (SA,Outside) source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
no nat (CS,Outside) source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

and try to add them with line numbers:

nat (CG,Outside) 1 source static obj-x.x.x.x(CG) obj-x.x.x.x(CG) destination static obj-10.10.x.0 obj-10.10.x.0
nat (SA,Outside) 2 source static obj-x.x.x.x(SA) obj-x.x.x.x(SA) destination static obj-10.10.x.0 obj-10.10.x.0
nat (CS,Outside) 3 source static obj-x.x.x.x(CS) obj-x.x.x.x(CS) destination static obj-10.10.x.0 obj-10.10.x.0

Let me know. If this doesn't work then we can gather packet-tracer output.

-KS

New Member

Re: remote access vpn stopped working after upgrading to asa8.3.

Well, it worked after I disabled those NAT configuration lines, but I am not sure why.

Anyway, I have 10+ sub-interfaces, so there are hundreds of NAT lines added by the new 8.3.1 (I think I only had 20-some NAT lines). It will take me a while to disable all of them.

Thanks everyone.
