I now changed it to

ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0

but i get same looking errors

Oct 18 2012 01:16:20: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.6.220/51119 dst inside:10.10.10.52/53 denied due to NAT reverse path failure

Have you configured NAT exemption for traffic between 10.10.13.0 and 192.168.6.0?

which version of ASA are you running?

The version is 8.2.

I added:

nat (inside) 0 access-list nonatacl

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 any

I still get the same error:

Oct 18 2012 01:37:34: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.6.220/64932 dst inside:10.10.10.52/53 denied due to NAT reverse path failure

192.168.6.0/24 should be the destination, not the source.

access-list nonatacl permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (inside) 0 access-list nonatacl

Then "clear xlate", it should work after that.

I have added:

access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

I still get the same error. i get no hits in the acl.

access-list nonatacl line 8 extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0) 0x6ba60382

10.10.13.0 ---> is the inside network

can u pls share the full config, thx

I put in the important configs:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.0 standby x.x.x.x

ospf cost 10

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.10.13.5 255.255.255.0 standby 10.10.13.6

ospf cost 10

!

interface GigabitEthernet0/2

nameif dmz

security-level 50

no ip address

ospf cost 10

!

interface GigabitEthernet0/2.720

vlan 720

nameif dmz-vsp

security-level 50

ip address 172.24.0.1 255.255.255.0 standby 172.24.0.2

ospf cost 10

!

interface GigabitEthernet0/2.724

vlan 724

nameif dmz-dbz

security-level 75

ip address 172.24.4.1 255.255.255.0 standby 172.24.4.2

ospf cost 10

!

interface GigabitEthernet0/2.725

vlan 725

nameif dmz-smtp

security-level 50

ip address 172.24.5.1 255.255.255.0 standby 172.24.5.2

ospf cost 10

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.10.10.50

domain-name xxxx.local

access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.4.0 255.255.255.0

access-list nonatacl extended permit ip 172.16.0.0 255.255.0.0 10.40.4.0 255.255.255.0

access-list nonatacl extended permit ip 192.168.2.0 255.255.255.0 10.40.4.0 255.255.255.0

access-list nonatacl extended permit ip 192.168.3.0 255.255.255.0 10.40.4.0 255.255.255.0

access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.14.0 255.255.255.0

access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonatacl extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0

access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0

ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0

global (outside) 201 192.168.16.1-192.168.16.250

global (outside) 202 10.201.5.145-10.201.5.158

global (outside) 4 10.10.13.180-10.10.13.189 netmask 255.0.0.0

global (outside) 101 interface

global (outside) 1 x.x.x.x netmask 255.0.0.0

global (inside) 204 10.10.13.70-10.10.13.79 netmask 255.0.0.0

nat (inside) 0 access-list nonatacl

nat (inside) 201 access-list NAT_TO_IDP

nat (inside) 202 access-list inside2-vsp_nat_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (dmz-vsp) 202 access-list dmz-vsp_nat_outbound

nat (dmz-vsp) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

route inside 10.0.0.0 255.240.0.0 10.10.13.1 1

route inside 10.40.1.0 255.255.255.0 10.10.13.1 1

route inside 10.40.2.0 255.255.255.0 10.10.13.1 1

route inside 10.40.3.0 255.255.255.0 10.10.13.1 1

route inside 10.40.4.0 255.255.255.0 10.10.13.1 1

route inside 10.40.13.0 255.255.255.0 10.10.13.1 1

route inside 10.40.254.0 255.255.255.0 10.10.13.1 1

route inside 172.16.0.0 255.255.0.0 10.10.13.1 1

route inside 192.168.2.0 255.255.255.0 10.10.13.1 1

dynamic-access-policy-record DfltAccessPolicy

aaa-server VPN_Auth protocol radius

aaa-server VPN_Auth (inside) host 10.10.2.20

timeout 5

key *****

no mschapv2-capable

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map L2L_MAP 50 set reverse-route

crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map OUTSIDE_dyn_map 40 set pfs

crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map OUTSIDE_dyn_map 60 set pfs

crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA

crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000

crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000

crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map L2L_MAP 20 match address IDP_VPN

crypto map L2L_MAP 20 set peer x.x.x.x

crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA

crypto map L2L_MAP 40 match address cp_l2l_map_40

crypto map L2L_MAP 40 set peer x.x.x.x

crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA

crypto map L2L_MAP 60 match address nonatacl

crypto map L2L_MAP 60 set peer x.x.x.x

crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA

crypto map L2L_MAP 80 match address outside_80_cryptomap

crypto map L2L_MAP 80 set peer x.x.x.x

crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA

crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map

crypto map L2L_MAP interface outside

crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map

crypto map INSIDE_map interface inside

crypto isakmp enable outside

crypto isakmp enable inside

crypto isakmp enable dmz

crypto isakmp enable dmz-vsp

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

group-policy ihasavpn2_gp internal

group-policy ihasavpn2_gp attributes

dns-server value 10.10.10.52

vpn-tunnel-protocol IPSec

default-domain value xxxx.local

tunnel-group ihasavpn2 type remote-access

tunnel-group ihasavpn2 general-attributes

address-pool inshse-vpn-pool2

authentication-server-group VPN_Auth

authentication-server-group (inside) VPN_Auth

default-group-policy ihasavpn2_gp

tunnel-group ihasavpn2 ipsec-attributes

pre-shared-key *****

tunnel-group ihasavpn2 ppp-attributes

authentication ms-chap-v2

Pls remove the following:

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0

Also share the output of: show route | i 192.168.

i removed the that acl line.

show route | i 192.168.

S    192.168.2.0 255.255.255.0 [1/0] via 10.10.13.1, inside

where do you connect from? inside or outside?

i connect from the outside (public internet) using vpn client. 

Can you pls share the output of:

show cry ipsec sa

output:

There are no ipsec sas