11-01-2010 02:09 PM - edited 02-21-2020 04:56 PM
Good afternoon gents,
I have set up an ASA 5505 and can connect with AnyConnect, but when I do, I can't access my LAN, whereas my LAN can access my laptop. In the logs, I see the following error:
Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 denied due to NAT reverse path failure.
I can't seem to figure this out and nothing I've read to try has worked. Here is the relevant config, any help would be GREATLY appreciated.
interface Vlan1
nameif inside
security-level 100
ip address 10.201.180.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 67.200.133.107 255.255.255.248
!
access-list inside_nat0_outbound extended permit ip 10.139.50.0 255.255.255.0 10.201.180.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0
ip local pool SSLClientPool 10.139.50.1-10.139.50.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
11-01-2010 02:20 PM
Try the nat 0 statement without the outside key word.
nat (inside) 0 access-list inside_nat0_outbound
also,
do sh run sysopt and paste output.
Manish
11-01-2010 02:40 PM
OK, I can access file shares now and remote to LAN members, but it's not passing DNS or ICMP. When I do the sh run sysopt I get nothing back.
11-01-2010 02:47 PM
Umm, it's normally on by default, but you can still issue the following command in global config mode :-
sysopt connection permit-vpn
This will make the VPN traffic bypass the ACLs on the firewall. Also check that your clients aren't running any personal firewall that is blocking ICMP.
Thanks
Manish
11-01-2010 02:55 PM
Thanks for the help!
11-01-2010 03:12 PM
Everything is working except for dns now. Any ideas on that? It is giving the internal DNS server as the dns server, it just doesn't seem to be resolving.
11-01-2010 03:18 PM
In the group-policy general attributes :-
default-domain value YOURDOMAIN.COM
thanks
Manish
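An added config-audit script (my own, not code from the thread or from Cisco) that checks a pre-8.3 ASA running-config excerpt for the two things the first replies point at: the "outside" keyword on the nat 0 rule that exempts the VPN pool, and the absence of an explicit sysopt line. The sample config is the NAT-relevant subset of the original post; the regexes assume the classic `nat (ifc) 0 access-list` syntax shown there.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.139.50.0 255.255.255.0 10.201.180.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.201.180.0 255.255.255.0 10.139.50.0 255.255.255.0
ip local pool SSLClientPool 10.139.50.1-10.139.50.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask \S+$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)(?: (outside))?$")

def audit_nat_exemption(config: str) -> list[str]:
    """Return findings for the pre-8.3 NAT-exemption pitfalls seen in the thread:
    the 'outside' keyword on a nat 0 rule that exempts a VPN pool, a pool that
    the nat0 ACL never names as destination, and no explicit sysopt line."""
    findings = []
    acls = {}   # ACL name -> [(src network, dst network), ...]
    pools = []  # [(first address, last address), ...]
    nat0 = []   # [(interface, ACL name, has 'outside' keyword), ...]
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := NAT0_RE.match(line):
            nat0.append((m.group(1), m.group(2), m.group(3) is not None))
    for ifc, acl_name, has_outside in nat0:
        for first, last in pools:
            # The reverse (inside -> VPN client) flow is only exempt if the pool is a
            # destination in the nat0 ACL; otherwise it falls through to dynamic NAT.
            covered = any(first in dst and last in dst for _, dst in acls.get(acl_name, []))
            if not covered:
                findings.append(f"pool {first}-{last} is not a destination in {acl_name}")
            elif has_outside:
                findings.append(f"nat ({ifc}) 0 access-list {acl_name} outside: drop the "
                                f"'outside' keyword; it produced the asymmetric NAT denial "
                                f"for pool {first}-{last}")
    if "sysopt connection permit-vpn" not in config:
        # Defaults are hidden from plain 'show run'; confirm rather than assume.
        findings.append("sysopt connection permit-vpn not present in the supplied config")
    return findings
```

Running it against the posted config reports both issues; after removing the keyword and adding the sysopt line it reports nothing.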