I am having an asymmetric NAT rule problem between a VPN client and the DMZ on an ASA 8.2(5). We used to have two ASAs, one for client VPN and one for the main firewall. In the old config the VPN client ASA routed the CVPN traffic through the network and out the main firewall so it would be filtered via a content engine. As you can guess, split tunneling is disabled in both the old and new configs. I recently clustered these two in an HA pair, terminated the VPN client on the cluster with the main firewalling, and used the "route inside 0.0.0.0 0.0.0.0 10.100.18.1 tunneled" command (10.100.18.1 is the core router) so the traffic would be routed through the core and could be filtered when using the internet on C-VPN. NAT 0 and rules are carried over fine. Everything else works fine: access to all inside resources and internet connectivity.
Mar 25 2012 20:06:23 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:10.100.120.29 dst DMZ:10.100.150.105 (type 8, code 0) denied due to NAT reverse path failure
routes:
route Outside 10.100.120.0 255.255.255.0 INTERNET-RTR-Gateway
route inside 0.0.0.0 0.0.0.0 10.100.18.1 tunneled
Route Outside 0.0.0.0 0.0.0.0 INTERNET-RTR-Gateway
Route inside 10.0.0.0 255.0.0.0 10.100.18.1
Since it is tunneled do I need 10.100.120.0 on the inside?
The weird thing is that traffic to the internet is not dropped due to a NAT failure.
IP reverse-path verify is disabled on all interfaces.
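As an added example (not from the original post or from Cisco), here is a small Python triage script that parses the %ASA-5-305013 message quoted above and counts NAT reverse-path drops per source/destination interface pair, so the interface boundary producing the drops stands out in a larger log. The first sample line is the one from the post; the other two are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Field layout of the 305013 message as quoted on the page; ports and the
# ICMP type/code are optional because they depend on the protocol.
_305013 = re.compile(
    r"%ASA-\d-305013: Asymmetric NAT rules matched for forward and "
    r"reverse flows; Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type \d+, code \d+\))? denied due to NAT reverse path failure"
)

@dataclass(frozen=True)
class NatRpfDrop:
    proto: str
    src_if: str
    src: str
    dst_if: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]

def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None

def parse_305013(line: str) -> Optional[NatRpfDrop]:
    """Return the parsed drop, or None when the line is some other message."""
    m = _305013.search(line)
    if not m:
        return None
    return NatRpfDrop(m["proto"], m["src_if"], m["src"], m["dst_if"], m["dst"],
                      _port(m["sport"]), _port(m["dport"]))

def summarize(lines) -> Counter:
    """Count asymmetric-NAT drops per (ingress interface, egress interface).

    One pair dominating the count points at the NAT/route boundary to
    inspect first (here: VPN clients arriving on Outside, heading to DMZ).
    """
    pairs = Counter()
    for line in lines:
        drop = parse_305013(line)
        if drop:
            pairs[(drop.src_if, drop.dst_if)] += 1
    return pairs

SAMPLE_LOG = [  # line 1 is from the post; lines 2 and 3 are constructed
    "Mar 25 2012 20:06:23 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:10.100.120.29 dst DMZ:10.100.150.105 (type 8, code 0) denied due to NAT reverse path failure",
    "Mar 25 2012 20:06:31 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:10.100.120.29/51234 dst DMZ:10.100.150.105/443 denied due to NAT reverse path failure",
    "Mar 25 2012 20:06:40 : %ASA-6-302014: Teardown TCP connection 12345 for Outside:10.100.120.29/51235 to inside:10.100.18.50/80 duration 0:00:01 bytes 512 TCP FINs",
]
```

Run `summarize(SAMPLE_LOG)` against a real `show logging` export to see which interface pair accounts for the drops before examining the corresponding NAT and route statements.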