Cisco Support Community
Asymmetric NAT rules error

Hi Guys,

First my setup:

ASA Server 192.168.202.0 ------>easyvpn---->ASA 192.168.1.0

|

IPSec Client 192.168.21.0

I have a problem. I want to ping the 192.168.1.0 network from the software client. This doesn't work, and this is the error in my log files:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:84.181.113.188/65535 dst inside:192.168.202.1/123 denied due to NAT reverse path failure

What do I need to do to solve this problem?

I already have this conf:

same-security-traffic permit intra-interface

access-list nat0_acl extended permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list no-nat

nat (inside) 1 192.168.202.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_in in interface outside
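An added example, not part of the original post: Python that parses denial messages in the format quoted above and labels each endpoint with the subnets named in the thread, so the address pairs actually hitting the reverse-path check can be counted. The subnet labels, the function names and the second and third sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message layout taken from the denial quoted in the post above.
DENIAL = re.compile(
    r"Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r".*?denied due to NAT reverse path failure"
)

# Subnets named in the thread; the labels are made up for this example.
NETWORKS = {
    "asa-server-lan": ipaddress.ip_network("192.168.202.0/24"),
    "ezvpn-remote-lan": ipaddress.ip_network("192.168.1.0/24"),
    "ipsec-client-pool": ipaddress.ip_network("192.168.21.0/24"),
}

def label(ip):
    """Map an address to one of the thread's subnets, or 'other'."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETWORKS.items() if addr in net), "other")

def parse_denials(lines):
    """Return one dict per denial, with each endpoint mapped to a subnet."""
    flows = []
    for line in lines:
        m = DENIAL.search(line)
        if m:
            flow = m.groupdict()
            flow["src_net"] = label(flow["src_ip"])
            flow["dst_net"] = label(flow["dst_ip"])
            flows.append(flow)
    return flows

def denied_pairs(flows):
    """Count denials per (source subnet, destination subnet) pair."""
    return Counter((f["src_net"], f["dst_net"]) for f in flows)

SAMPLE = [
    # Quoted in the post:
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:84.181.113.188/65535 dst inside:192.168.202.1/123 denied due to NAT reverse path failure",
    # Constructed: client pool to the EzVPN remote LAN, same layout.
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.21.10/51000 dst outside:192.168.1.20/80 denied due to NAT reverse path failure",
    # Constructed: unrelated line that must be ignored.
    "Some other log line mentioning 192.168.1.20",
]
```

Run over the message quoted in the post, the source address falls outside all three subnets, so that particular denial is not client-pool traffic toward 192.168.1.0.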


Asymmetric NAT rules error

Hello,

I do not understand the diagram. Are both the Easy VPN clients and the IPsec clients on the outside world, or are the Easy VPN people behind the inside interface?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Asymmetric NAT rules error

Hello,

Sorry for missing this detail. Here it is:

ASA Server 192.168.202.0 ------>easyvpn network extension mode---->ASA 192.168.1.0

static IP outside INET                                            dynamic IP outside INET

|

IPSec Client 192.168.21.0

dynamic IP outside INET

Asymmetric NAT rules error

Hello Can,

So it's like this:

         EASYVPN CLIENTS---------INSIDE----ASA----OUTSIDE----------------IPSEC CLIENTS

And you want to allow traffic from the IPsec clients to the Easy VPN clients.

In this case you will need to no-NAT the traffic from the Easy VPN clients to the IPsec clients, and then from the IPsec clients to the Easy VPN clients.

Sorry to keep asking, but are the Easy VPN clients coming from the inside interface of the ASA and not the outside interface? I just want to make sure.


Asymmetric NAT rules error

Sorry for my bad explanation:

So here we go. The IPSec clients are on the internet, connecting to the ASA on the outside interface. And both ASAs are making an EzVPN network on the outside interfaces. I'm connecting the IPSec client to one ASA and I want to get in touch with the network behind the second ASA.

Asymmetric NAT rules error

Hello,

So you want the IPsec clients to be able to talk to the network behind the other Easy VPN site. Is the other side the Easy VPN server?

Regards,

Julio


Asymmetric NAT rules error

Hi Julio,

Yes, that's the point. I want to connect all network areas, including the one behind the EzVPN network.

I can connect to 192.168.202.0 with no problem from the IPsec clients. But I also need to connect to the 192.168.1.0 network.

Thanks a lot for your patience.
