Asymmetric NAT rules matched for forward and reverse flows

Hi everybody, I have a problem with a Site-to-Site VPN connection between two ASA 5505 (ASA 8.2, ASDM 6.2) and I hope someone can help me. I have built the configuration on both devices (http://cisco.biz/en/US/docs/security/asa/asa82/getting_started/asa5580/quick/guide/sitvpn.html#wp1044213). Under "Specifying Hosts and Networks / Remote Network" I do not use the external IP of the remote site, I use the internal networks (10.0.1.0 and 10.0.2.0). I need connection to two remote internal networks (from 10.0.0.0 to 10.0.1.0 and 10.0.2.0). The tunnel (Phase 1 and Phase 2) comes up when I ping a host of the second (10.0.2.x) remote network, but a ping is not possible. Syslog says "Asymmetric NAT rules matched for forward and reverseflows; Connection for icmp src outside: 10.0.0.x dst dmz:10.0.1.x (type8, code 0) denied due to NAT reverse path failure ". On both sites VPN connections with Cisco VPN Clients are possible. Thanks to everyone for any ideas and help.


Re: Asymmetric NAT rules matched for forward and reverse flows

Hi,

For the site-to-site tunnel you should avoid NAT for the interesting traffic in both sites.

i.e.

Site A internal LAN 10.1.1.0/24

Site B internal LAN 10.1.2.0/24

Site A configuration for NAT:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

nat (inside) 0 access-list nonat

Site B configuration for NAT:

access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

VPN Configuration:

Site A:

access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Site B:

access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

The above configuration allows communication between the internal sites on both sides without doing NAT for that traffic.

Is that how you have your configuration?

Federico.

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

Thanks to all of you. The example of Federico Coto Fajardo: "access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0" has shown me my problem, thank you very much.

Re: Asymmetric NAT rules matched for forward and reverse flows

Glad I could help.

Please rate the thread if you find it helpful.

Federico.

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Hi,

Please attach the outputs of "show run nat", "show run global" and "show run static" from both ASAs.

Regards,

Prapanch

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

Hi Federico,

Is the below configuration part of the crypto map ACL?

VPN Configuration:

Site A:

access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

Site B:

access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0

I am experiencing this error on the Site B ASA when, for example, a Site A inside host initiates a connection to a Site B inside host.

How should the NAT0 ACLs be in this case? The 'inside to outside communication' is already defined against NAT0. But I am getting this error for 'outside to inside host communication'.

Please advise.

Thanks.
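An added check, not from this thread or from Cisco, that scripts what Federico's answer and the last question both come down to: every crypto map ACL entry must be covered by a nat (interface) 0 access-list entry on the interface the local hosts sit behind, and the two sites' crypto ACLs must mirror each other. It parses ASA 8.2-style config lines; the two sample configs, the outside_map name and the deliberately wrong 10.1.9.0/24 subnet in site B's nonat ACL are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample configs modelled on Federico's example: site A is correct,
# site B's nonat ACL names the wrong remote subnet, so the VPN traffic gets NATed.
SITE_A = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
crypto map outside_map 10 match address vpn
"""
SITE_B = """
access-list nonat permit ip 10.1.2.0 255.255.255.0 10.1.9.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list vpn permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map outside_map 10 match address vpn
"""
ACE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")
CMAP = re.compile(r"crypto map \S+ \d+ match address (\S+)$")

def parse(cfg):
    """Collect ACLs as (src, dst) network pairs, the nat 0 ACL per interface, crypto ACL names."""
    acls, nat0, crypto = {}, {}, []
    for line in (raw.strip() for raw in cfg.splitlines()):
        ace, n0, cm = ACE.match(line), NAT0.match(line), CMAP.match(line)
        if ace:
            name, s, sm, d, dm = ace.groups()
            pair = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            acls.setdefault(name, []).append(pair)
        elif n0:
            nat0[n0.group(1)] = n0.group(2)
        elif cm:
            crypto.append(cm.group(1))
    return acls, nat0, crypto

def missing_exemptions(cfg, iface="inside"):
    """Crypto ACL entries with no covering nat 0 ACE on `iface`; these will still be NATed."""
    acls, nat0, crypto = parse(cfg)
    exempt = acls.get(nat0.get(iface, ""), [])
    return [(str(s), str(d)) for name in crypto for s, d in acls.get(name, [])
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]

def mirror_mismatch(cfg_a, cfg_b):
    """Crypto ACL entries of A whose mirror image (dst, src) is absent from B's crypto ACL."""
    acls_a, _, crypto_a = parse(cfg_a)
    acls_b, _, crypto_b = parse(cfg_b)
    b_pairs = {(d, s) for name in crypto_b for s, d in acls_b.get(name, [])}
    return [(str(s), str(d)) for name in crypto_a for s, d in acls_a.get(name, [])
            if (s, d) not in b_pairs]
```

Running missing_exemptions with iface="dmz" against a config that only has nat (inside) 0 reports every crypto entry as unexempted, which is the situation the original poster's dmz-bound traffic is in.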
