it
New Member

Asymmetric NAT flows on VPN

I'm getting the following error in my ASDM syslog:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.71.3.1 dst inside:10.1.10.4 (type 3, code 3) denied due to NAT reverse path failure

What's strange is that from host 10.1.10.4 I can ping 10.71.3.1 without a problem and vice versa from 10.71.3.1 to 10.1.10.4. So I have to assume that there's more going on here to cause this error.

Incidentally 10.1.10.4 is my server/network monitoring server and the asymmetric NAT error listed above only shows up when the monitoring server (10.1.10.4) tries to contact any non-Windows device on the 10.71.0.0 network.  The network monitor uses ping (ICMP) and SNMP to keep track of all the devices at the site.  However, on the monitoring server everything is green-lights and happiness with the Windows and non-Windows nodes.

Suggestions?

Thanks!

3 REPLIES
Cisco Employee

Re: Asymmetric NAT flows on VPN

Hi,

It seems like for non-Windows hosts alone you get a Destination Unreachable (Port unreachable) message. Also, since ICMP is stateless by default, the ASA does not maintain connection entries and hence these packets might be dropped. Do you have "inspect icmp" enabled on your ASA?

If not, add the command "fixup protocol icmp" and let me know how it goes!

Thanks and Regards,

Prapanch
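
Added example (not part of the thread and not Cisco code): a small Python triage script that parses the ICMP form of the syslog message quoted in the original post and labels the ICMP type and code, so the denied packets can be grouped by source host and error kind. The function names and all sample lines other than the one quoted in the post are constructed for illustration.

```python
import re
from collections import Counter

# Matches the ICMP form of the message text quoted in the original post.
NAT_RPF = re.compile(
    r"Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for icmp src (?P<src_if>[^:\s]+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+) "
    r"\(type (?P<type>\d+), code (?P<code>\d+)\) "
    r"denied due to NAT reverse path failure"
)
# ICMP Destination Unreachable (type 3) codes defined in RFC 792.
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed", 5: "source route failed"}
# ICMP types that report an error about another packet (RFC 1122).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def parse_nat_rpf(line):
    """Return the fields of an ICMP NAT reverse-path-failure line, or None."""
    m = NAT_RPF.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["type"], rec["code"] = int(rec["type"]), int(rec["code"])
    rec["is_error"] = rec["type"] in ICMP_ERROR_TYPES
    if rec["type"] == 3:
        rec["label"] = UNREACH_CODES.get(rec["code"], "unreachable, code %d" % rec["code"])
    else:
        rec["label"] = "type %d code %d" % (rec["type"], rec["code"])
    return rec

def summarize(lines):
    """Count denied flows per (src, dst, label), skipping unrelated lines."""
    counts = Counter()
    for line in lines:
        rec = parse_nat_rpf(line)
        if rec:
            counts[(rec["src"], rec["dst"], rec["label"])] += 1
    return counts

TEMPLATE = ("Asymmetric NAT rules matched for forward and reverse flows; "
            "Connection for icmp src outside:{src} dst inside:10.1.10.4 "
            "(type {t}, code {c}) denied due to NAT reverse path failure")
# First entry reproduces the line from the post; the rest are constructed samples.
SAMPLE = [TEMPLATE.format(src="10.71.3.1", t=3, c=3),
          TEMPLATE.format(src="10.71.3.1", t=3, c=3),
          TEMPLATE.format(src="10.71.3.9", t=3, c=1),
          "unrelated syslog line (constructed)"]

if __name__ == "__main__":
    for (src, dst, label), n in summarize(SAMPLE).items():
        print(n, src, "->", dst, label)
```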

it
New Member

Re: Asymmetric NAT flows on VPN

I do have "inspect icmp" enabled.  Should I disable it and use the "fixup protocol icmp" command (which has been deprecated)?  Or just disable "inspect icmp" and leave it at that?

Thanks!

Cisco Employee

Re: Asymmetric NAT flows on VPN

Hi,

You can leave it at that. Can you post your sanitized config here? Would like to see how NAT is configured and then maybe make suggestions on how to allow these packets.

Thanks and Regards,

Prapanch
