Community Member

Asymmetric NAT rules matched for forward and reverse flows

Hi! I don't know why this comes up in the logs when I have configured my vpn like so:

crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address bwi_l2l
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside

******

I am able to connect successfully via the VPN client. It's just that I can't reach the internal servers... Any ideas?

I get this error:

Oct 18 2012 00:52:37: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.10.13.221/137 dst inside:10.10.13.255/137 denied

29 REPLIES
Cisco Employee

Asymmetric NAT rules matched for forward and reverse flows

What is your VPN pool subnet? Pls configure a unique subnet which is not the same subnet as your inside network.

Also, have you configured NAT exemption for that traffic?

Community Member

Asymmetric NAT rules matched for forward and reverse flows

I now changed it to

ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0

but I get the same-looking errors:

Oct 18 2012 01:16:20: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.6.220/51119 dst inside:10.10.10.52/53 denied due to NAT reverse path failure

Cisco Employee

Asymmetric NAT rules matched for forward and reverse flows

Have you configured NAT exemption for traffic between 10.10.13.0 and 192.168.6.0?

Which version of ASA are you running?

Community Member

Asymmetric NAT rules matched for forward and reverse flows

The version is 8.2.

I added:

nat (inside) 0 access-list nonatacl

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 any

I still get the same error:

Oct 18 2012 01:37:34: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:192.168.6.220/64932 dst inside:10.10.10.52/53 denied due to NAT reverse path failure

Cisco Employee

Asymmetric NAT rules matched for forward and reverse flows

192.168.6.0/24 should be the destination, not the source.

access-list nonatacl permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

nat (inside) 0 access-list nonatacl

Then "clear xlate", it should work after that.

Community Member

Asymmetric NAT rules matched for forward and reverse flows

I have added:

access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0

I still get the same error. I get no hits in the ACL.

access-list nonatacl line 8 extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0 (hitcnt=0) 0x6ba60382

10.10.13.0 ---> is the inside network

Cisco Employee

Asymmetric NAT rules matched for forward and reverse flows

can u pls share the full config, thx

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

I put in the important configs:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0 standby x.x.x.x
 ospf cost 10
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.13.5 255.255.255.0 standby 10.10.13.6
 ospf cost 10
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 no ip address
 ospf cost 10
!
interface GigabitEthernet0/2.720
 vlan 720
 nameif dmz-vsp
 security-level 50
 ip address 172.24.0.1 255.255.255.0 standby 172.24.0.2
 ospf cost 10
!
interface GigabitEthernet0/2.724
 vlan 724
 nameif dmz-dbz
 security-level 75
 ip address 172.24.4.1 255.255.255.0 standby 172.24.4.2
 ospf cost 10
!
interface GigabitEthernet0/2.725
 vlan 725
 nameif dmz-smtp
 security-level 50
 ip address 172.24.5.1 255.255.255.0 standby 172.24.5.2
 ospf cost 10
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.50
 domain-name xxxx.local
access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 172.16.0.0 255.255.0.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.2.0 255.255.255.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.3.0 255.255.255.0 10.40.4.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.0.0 255.255.0.0 10.40.14.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0
ip local pool inshse-vpn-pool2 192.168.6.220-192.168.6.230 mask 255.255.255.0
global (outside) 201 192.168.16.1-192.168.16.250
global (outside) 202 10.201.5.145-10.201.5.158
global (outside) 4 10.10.13.180-10.10.13.189 netmask 255.0.0.0
global (outside) 101 interface
global (outside) 1 x.x.x.x netmask 255.0.0.0
global (inside) 204 10.10.13.70-10.10.13.79 netmask 255.0.0.0
nat (inside) 0 access-list nonatacl
nat (inside) 201 access-list NAT_TO_IDP
nat (inside) 202 access-list inside2-vsp_nat_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz-vsp) 202 access-list dmz-vsp_nat_outbound
nat (dmz-vsp) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.0.0.0 255.240.0.0 10.10.13.1 1
route inside 10.40.1.0 255.255.255.0 10.10.13.1 1
route inside 10.40.2.0 255.255.255.0 10.10.13.1 1
route inside 10.40.3.0 255.255.255.0 10.10.13.1 1
route inside 10.40.4.0 255.255.255.0 10.10.13.1 1
route inside 10.40.13.0 255.255.255.0 10.10.13.1 1
route inside 10.40.254.0 255.255.255.0 10.10.13.1 1
route inside 172.16.0.0 255.255.0.0 10.10.13.1 1
route inside 192.168.2.0 255.255.255.0 10.10.13.1 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN_Auth protocol radius
aaa-server VPN_Auth (inside) host 10.10.2.20
 timeout 5
 key *****
 no mschapv2-capable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map L2L_MAP 50 set reverse-route
crypto dynamic-map OUTSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 40 set pfs
crypto dynamic-map OUTSIDE_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 60 set pfs
crypto dynamic-map OUTSIDE_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_dyn_map 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map INSIDE_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 20 match address IDP_VPN
crypto map L2L_MAP 20 set peer x.x.x.x
crypto map L2L_MAP 20 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 40 match address cp_l2l_map_40
crypto map L2L_MAP 40 set peer x.x.x.x
crypto map L2L_MAP 40 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 60 match address nonatacl
crypto map L2L_MAP 60 set peer x.x.x.x
crypto map L2L_MAP 60 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 80 match address outside_80_cryptomap
crypto map L2L_MAP 80 set peer x.x.x.x
crypto map L2L_MAP 80 set transform-set ESP-3DES-SHA
crypto map L2L_MAP 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map L2L_MAP interface outside
crypto map INSIDE_map 65535 ipsec-isakmp dynamic INSIDE_dyn_map
crypto map INSIDE_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable dmz
crypto isakmp enable dmz-vsp
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
group-policy ihasavpn2_gp internal
group-policy ihasavpn2_gp attributes
 dns-server value 10.10.10.52
 vpn-tunnel-protocol IPSec
 default-domain value xxxx.local
tunnel-group ihasavpn2 type remote-access
tunnel-group ihasavpn2 general-attributes
 address-pool inshse-vpn-pool2
 authentication-server-group VPN_Auth
 authentication-server-group (inside) VPN_Auth
 default-group-policy ihasavpn2_gp
tunnel-group ihasavpn2 ipsec-attributes
 pre-shared-key *****
tunnel-group ihasavpn2 ppp-attributes
 authentication ms-chap-v2
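
The direction rule given a few replies up (the inside network is the ACE source and the VPN pool the ACE destination for `nat (inside) 0 access-list`) can be checked mechanically against the `%ASA-5-305013` lines in this thread. The Python script below is an added example, not code from the thread or from Cisco: it parses the 8.2-style `nat (...) 0` line and its extended ACL, parses a 305013 message, and reports whether the denied flow is exempted in the direction the ASA evaluates it (`covered`), only with the pool as source (`reversed-only`), or not at all (`not-covered`). The log line and the ACL entries are copied from this thread; the extra `10.10.10.0/24` ACE in `CONFIG_WITH_DNS_SUBNET` is constructed for the example and is not from the posted config.

```python
# Added example (not code from the thread or from Cisco): check %ASA-5-305013 denials
# against an ASA 8.2-style `nat (inside) 0 access-list` exemption, applying the rule
# from the reply above: inside host = ACE source, VPN client = ACE destination.
import ipaddress
import re

# Sample 305013 line, copied from this thread.
LOG_DNS = ("Oct 18 2012 01:37:34: %ASA-5-305013: Asymmetric NAT rules matched for forward "
           "and reverse flows; Connection for udp src outside:192.168.6.220/64932 "
           "dst inside:10.10.10.52/53 denied due to NAT reverse path failure")

# First attempt from the thread: the VPN pool is the ACE source, i.e. the wrong direction.
CONFIG_FIRST_ATTEMPT = """\
nat (inside) 0 access-list nonatacl
access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 any
"""

# The nonatacl entries from the full config above that involve the inside nets or the pool.
CONFIG_AS_POSTED = """\
nat (inside) 0 access-list nonatacl
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.10.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list nonatacl extended permit ip 10.10.13.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0
"""

# Constructed variant (NOT from the thread): adds the DNS server's subnet as ACE source.
CONFIG_WITH_DNS_SUBNET = CONFIG_AS_POSTED + (
    "access-list nonatacl extended permit ip 10.10.10.0 255.255.255.0 "
    "192.168.6.0 255.255.255.0\n")

LOG_RE = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) denied")
NAT0_RE = re.compile(r"^nat \((?P<nat_if>\S+)\) 0 access-list (?P<acl>\S+)")
# Extended ACE with "network mask" or "any" on each side (the forms used in this thread).
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit ip "
    r"(?P<src>any|[\d.]+ [\d.]+) (?P<dst>any|[\d.]+ [\d.]+)$")


def _to_network(token):
    # "10.10.13.0 255.255.255.0" -> IPv4Network; "any" -> 0.0.0.0/0
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_exemption_acl(config_text):
    """Return (nat_interface, [(src_net, dst_net), ...]) for the ACL named by `nat (...) 0`."""
    nat_if, acl_name, aces = None, None, {}
    for line in config_text.splitlines():
        if m := NAT0_RE.match(line.strip()):
            nat_if, acl_name = m.group("nat_if"), m.group("acl")
        elif m := ACE_RE.match(line.strip()):
            aces.setdefault(m.group("name"), []).append(
                (_to_network(m.group("src")), _to_network(m.group("dst"))))
    return nat_if, aces.get(acl_name, [])


def parse_305013(line):
    """Extract proto, interfaces, addresses and ports from a 305013 message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["src"], flow["dst"] = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    return flow


def check_exemption(log_line, config_text):
    """'covered': an ACE matches inside-host -> remote; 'reversed-only': it matches only
    remote -> inside-host (the mistake in the thread); 'not-covered': nothing matches."""
    flow = parse_305013(log_line)
    if flow is None:
        raise ValueError("not a %ASA-5-305013 message")
    nat_if, entries = parse_exemption_acl(config_text)
    if flow["dst_if"] == nat_if:        # VPN client (outside) -> inside host
        inside_host, remote_host = flow["dst"], flow["src"]
    elif flow["src_if"] == nat_if:      # inside host -> VPN client
        inside_host, remote_host = flow["src"], flow["dst"]
    else:
        return "not-applicable"
    if any(inside_host in s and remote_host in d for s, d in entries):
        return "covered"
    if any(remote_host in s and inside_host in d for s, d in entries):
        return "reversed-only"
    return "not-covered"


if __name__ == "__main__":
    for label, cfg in [("first attempt", CONFIG_FIRST_ATTEMPT), ("as posted", CONFIG_AS_POSTED),
                       ("with 10.10.10.0/24 entry", CONFIG_WITH_DNS_SUBNET)]:
        print(f"{label:26s} -> {check_exemption(LOG_DNS, cfg)}")
```

Run as-is, the first attempt comes back `reversed-only`, which is exactly what the reply above corrects. The posted ACL comes back `not-covered` for this flow: the denied connection goes to 10.10.10.52, and none of the posted entries pairs 10.10.10.0/24 as source with the pool as destination, which is consistent with the hitcnt=0 reported on the 10.10.13.0/24 entry. Only the constructed entry makes it `covered`. The parser deliberately handles only the 8.2 `nat 0 access-list` form; the 8.3-style `nat (Inside,Outside) source static ... destination static ...` answer at the end of the thread expresses the same identity mapping in the newer syntax and would need a separate parser.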

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Pls remove the following:

access-list nonatacl extended permit ip 192.168.6.0 255.255.255.0 10.10.13.0 255.255.255.0

Also share the output of: show route | i 192.168.

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

I removed that ACL line.

show route | i 192.168.

S    192.168.2.0 255.255.255.0 [1/0] via 10.10.13.1, inside

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Where do you connect from? Inside or outside?

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

I connect from the outside (public internet) using the VPN client.

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Can you pls share the output of:

show cry ipsec sa

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

output:

There are no ipsec sas

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Errr, are you connected to your VPN Client when you take the output?

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

I am connected via SSH and in the CLI of the ASA.

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

You would need to connect to the VPN Client, and try to access the internal network to see if it's successful.

Then connect via SSH and grab those outputs if it's still not working.

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

That's the thing... I get authenticated successfully by the VPN client, but once I'm connected I cannot SSH or RDP to any servers or access anything.

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Add this command:

crypto isakmp nat-traversal 30
management-access inside
access-list split-acl permit 10.10.13.0 255.255.255.0
group-policy ihasavpn2_gp attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-acl

Then connect to vpn client and see if you can access anything. Also try to ping 10.10.13.5

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

Oct 18 2012 07:46:48: %ASA-6-737026: IPAA: Client assigned 192.168.6.220 from local pool
Oct 18 2012 07:46:48: %ASA-7-713906: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Obtained IP addr (192.168.6.220) prior to initiating Mode Cfg (XAuth enabled)
Oct 18 2012 07:46:48: %ASA-6-713228: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Assigned private IP address 192.168.6.220 to remote user
192.168.6.220
Oct 18 2012 07:46:49: %ASA-7-713025: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Received remote Proxy Host data in ID Payload:  Address 192.168.6.220, Protocol 0, Port 0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 20, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 40, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 60, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
Oct 18 2012 07:46:49: %ASA-7-713222: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Static Crypto Map check, map = L2L_MAP, seq = 80, ACL does not match proxy IDs src:192.168.6.220 dst:0.0.0.0
  Remote host: 192.168.6.220  Protocol 0  Port 0
Oct 18 2012 07:46:49: %ASA-7-609001: Built local-host outside:192.168.6.220
Oct 18 2012 07:46:49: %ASA-7-713204: Group = ihasavpn2, Username = jtescon, IP = 222.127.16.228, Adding static route for client address: 192.168.6.220
Oct 18 2012 07:49:09: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:49:14: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:49:19: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:49:24: %ASA-3-313001: Denied ICMP type=8, code=0 from 192.168.6.220 on interface outside
Oct 18 2012 07:50:10: %ASA-7-710005: TCP request discarded from 192.168.6.220/24783 to outside:10.10.13.5/22
Oct 18 2012 07:50:13: %ASA-7-710005: TCP request discarded from 192.168.6.220/24783 to outside:10.10.13.5/22

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

That's the result from the logs when I added the split tunnel.

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

It's difficult without seeing the whole config, as there might be overlapping ACLs or other configuration that might block the access.

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

Well, it was worth a shot. Thanks for your help though. One thing to note: I accidentally overlapped some config in the crypto and it worked, although it tore down all the L2L VPNs configured:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal

It sort of replaced "crypto map L2L_MAP interface outside" and it worked, but the rest of the site-to-site VPNs didn't work, so I had to revert.

I was wondering if it conflicted somewhere. Or maybe I have to place a

nat (outside) 1 192.168.6.0 255.255.255.0 --> does that do anything?

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

If it works when you have it before, then it's definitely overlapping crypto ACL. Check and make sure that you don't have any overlapping crypto ACL with 192.168.6.0/24. If you do, then change the pool to a different subnet (unique subnet).

You can remove: nat (outside) 1 192.168.6.0 255.255.255.0, as you don't need that.

Community Member

Re: Asymmetric NAT rules matched for forward and reverse flows

Thanks Jennifer, I really appreciate your help. It was a good try...

Cisco Employee

Re: Asymmetric NAT rules matched for forward and reverse flows

Is it working now?

Community Member

Asymmetric NAT rules matched for forward and reverse flows

Unfortunately it still isn't...

Community Member

object network Remote_Subnet

object network Remote_Subnet
subnet 192.168.6.0 255.255.255.0

nat (Inside,Outside) source static any any destination static Remote_Subnet Remote_Subnet no-proxy-arp route-lookup

Community Member

Re: object network Remote_Subnet


shyleshkodiyath wrote:

object network Remote_Subnet
subnet 192.168.6.0 255.255.255.0

nat (Inside,Outside) source static any any destination static Remote_Subnet Remote_Subnet no-proxy-arp route-lookup


You are awesome! I have been trying to figure this out for a month! I ran across this post, switched out my VPN subnet, ran the commands above, and it immediately fixed my problem! I cannot thank you enough! The 3 commands were all I applied, btw. I didn't even have to log out of my current VPN session :)
