Cisco Support Community
ASA5505 SSL AnyConnect VPN & NAT Reverse Path Failure

I've been working on this for a while and just haven't come up with a solution yet.

I have a Cisco ASA5505 set up at home and I am trying to use the AnyConnect client to VPN to it. I've followed the ASA 8.x Split-Tunnel example but I am still missing something.

My home network is 10.170.x.x and I've set up the VPN address pool to be 10.170.13.x. I have a running Windows workstation at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside interface of the router itself is 10.170.0.1.

I can connect from the outside and am assigned an IP address of 10.170.13.10 but when I try to access any LAN resources via ICMP or opening a web page, the ASDM log shows a bunch of this:

5|Jan 27 2010|10:33:37|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:36|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:35|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:34|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:30|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:29|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:28|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5|Jan 27 2010|10:33:28|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:23|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:17|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:13|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:07|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure

I've tried several things with NAT but haven't been able to get past this.  Would someone mind looking at my running config and helping me out with this?  Thanks a bunch!

-Tim

1 ACCEPTED SOLUTION

Re: ASA5505 SSL AnyConnect VPN & NAT Reverse Path Failure

Couple things to check.

name 10.17.13.0 UFP-VPN-Pool  looks like it should be name 10.170.13.0 UFP-VPN-Pool

access-list inside_nat0_outbound extended permit ip Zero-List 255.255.0.0 UFP-VPN-Pool 255.255.255.0

looks like it should be

access-list inside_nat0_outbound extended permit ip Zero-List 255.255.255.0 UFP-VPN-Pool 255.255.255.0
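The accepted answer finds the problem by eye: the pool alias is one digit short, so the nat 0 (NAT exemption) ACL never matches the VPN client's address and every return flow from the inside fails the reverse-path check. The script below, an added example for this thread rather than anything the posters wrote, does the same check mechanically: it parses the 305013 syslog lines in the ASDM export format quoted above, parses the `name` aliases and `inside_nat0_outbound` ACEs from a config fragment, and reports which denied flows are not covered by the exemption. The posts never show the `name` line for Zero-List, so `name 10.170.0.0 Zero-List` is an assumption taken from Tim's description of his LAN; the log lines are copied from the question and labelled as constructed sample input.

```python
"""Check which ASA 305013 ("NAT reverse path failure") flows fall outside a
nat 0 (NAT exemption) access list.

Added example for this thread, not from the original posts. Assumption:
Zero-List resolves to 10.170.0.0; the thread only ever shows it by name."""
import ipaddress
import re

# Constructed sample input: two ASDM-exported log lines in the format quoted in the thread.
SAMPLE_LOGS = """\
5|Jan 27 2010|10:33:34|305013|10.170.0.6||||Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5|Jan 27 2010|10:33:37|305013|10.170.255.255|137|||Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
"""

# Config as posted (pool alias typo) and as corrected in the accepted answer.
# The Zero-List "name" line is an assumption; the posts do not show it.
CONFIG_TYPO = """\
name 10.170.0.0 Zero-List
name 10.17.13.0 UFP-VPN-Pool
access-list inside_nat0_outbound extended permit ip Zero-List 255.255.0.0 UFP-VPN-Pool 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
CONFIG_FIXED = CONFIG_TYPO.replace("name 10.17.13.0", "name 10.170.13.0")

# Flow description inside a 305013 message; ports after "/" are optional (absent for icmp).
FLOW_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)?"
    r" dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def parse_nat0_acl(config, acl_name="inside_nat0_outbound"):
    """Return (local_net, remote_net) pairs for the named ASA 8.x extended ACL,
    resolving 'name' aliases. Only 'permit ip A MASK B MASK' ACEs are handled,
    which is all the thread's exemption ACL uses."""
    names, aces = {}, []
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 3 and p[0] == "name":
            names[p[2]] = p[1]
        elif len(p) >= 9 and p[:2] == ["access-list", acl_name] and p[3:5] == ["permit", "ip"]:
            src, smask, dst, dmask = (names.get(tok, tok) for tok in p[5:9])
            aces.append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                         ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return aces


def parse_denied_flows(log_text):
    """Extract (proto, src_if, src, dst_if, dst) from each 305013 line."""
    flows = []
    for line in log_text.splitlines():
        if "|305013|" not in line:
            continue
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"]))
    return flows


def unexempted_flows(log_text, config):
    """Denied flows whose inside->VPN return path no ACE in the nat 0 ACL covers.
    The ACL is written from the inside interface's point of view (source = LAN,
    destination = VPN pool), so the flow's inside address is checked against the
    ACE source and the VPN client's address against the ACE destination."""
    aces = parse_nat0_acl(config)
    missing = []
    for proto, src_if, src, dst_if, dst in parse_denied_flows(log_text):
        inside_ip, vpn_ip = ipaddress.ip_address(dst), ipaddress.ip_address(src)
        if not any(inside_ip in lan and vpn_ip in pool for lan, pool in aces):
            missing.append(f"{proto} {src_if}:{src} -> {dst_if}:{dst}")
    return missing


if __name__ == "__main__":
    for label, cfg in (("typo", CONFIG_TYPO), ("fixed", CONFIG_FIXED)):
        print(label, unexempted_flows(SAMPLE_LOGS, cfg) or "all flows exempt")
```

With the alias as posted, the pool network is 10.17.13.0/24 and neither flow matches; correcting the one digit covers both, which is what Tim confirms below. Running the same check with the answer's second suggestion (Zero-List mask 255.255.255.0) shows a side effect worth knowing about before tightening the mask: the 10.170.255.255 NetBIOS broadcast is no longer inside 10.170.0.0/24, so those UDP/137 flows would keep logging 305013 even though unicast traffic to 10.170.0.6 works.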

4 REPLIES

Re: ASA5505 SSL AnyConnect VPN & NAT Reverse Path Failure

Ugh! I can't believe I missed that (10.17 instead of 10.170).

Changed it and it worked just fine.  Duh!

Thanks so much for catching that!

-Tim


Re: ASA5505 SSL AnyConnect VPN & NAT Reverse Path Failure

Tim

I just set this up on my new 5510 the other day and ran into the same issue.

Not terribly sure if this will fix it, but this is how I would do it to clean it up just a tad:

no access-list inside_nat0_outbound extended permit ip Zero-List 255.255.0.0 UFP-VPN-Pool 255.255.255.0
access-list inside_nat0_outbound permit ip 10.170.0.0 255.255.0.0 10.170.0.0 255.255.0.0
no access-list split-tunnel standard permit Zero-List 255.255.255.0
access-list split-tunnel standard permit 10.170.0.0 255.255.0.0
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 access-list split-tunnel

Let me know the results of that and I can send you a copy of my config to compare to if that doesn't work. There are also a lot of good resolutions to common remote access issues at this link:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

James


Re: ASA5505 SSL AnyConnect VPN & NAT Reverse Path Failure

Thanks for the info. At the moment, it looks like the lack of a "0" was the culprit.

I downloaded that PDF in case something else crops up.

-Tim
