Cisco Support Community
New Member

Asymmetric NAT rules

I'm trying to set up another IPsec VPN group and policy.  So far, I can connect with it, and I can ping the ASA 5505, but nothing else on the inside.  The funny thing is, I've got another group and policy set up that works fine.  I've tried to emulate it, but I can't figure out what I'm doing wrong.  I'm getting this error in the log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.4.71.104 dst inside:10.4.70.2 (type 8, code 0) denied due to NAT reverse path failure.

Attached is a network diagram.  Thanks for your help.

7 REPLIES
Cisco Employee

Re: Asymmetric NAT rules

Andy,

Attach

------

show run nat

sh run global

sh run static

------

(and access-lists mentioned in sh run nat command)

Also tell us which subnets are local and remote (also in the case of the "working fine" scenario).

Marcin

New Member

Re: Asymmetric NAT rules

Attached is the "show run nat" command's output.  "sh run global" and "sh run static" do not work.  The commands appear to not exist.  I must mention that I am running 8.3(1) on an ASA 5505, if that makes a difference.  10.4.70.0/24 is the subnet on the inside I'm trying to reach.  The VPN pool is using 10.4.71.0/24.  The VPN group that works uses a VPN pool that consists of 10.4.17.248/29. 

Cisco Employee (Accepted Solution)

Re: Asymmetric NAT rules

Andy,

Yes 8.3 does make a difference

Well I can suggest quite a few ways out of this.

And this is what you need to add ... a sort of NAT exemption from previous versions.

nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0

Edit: Corrected IP addresses. If 10.4.70.0/24 is local and 10.4.71 is remote, you need to add an exemption here.
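As an added illustration (not the thread's own configuration, and not something Cisco published with this answer), here is what the accepted one-liner needs around it on an ASA running 8.3 or later, plus the two checks that confirm the "NAT reverse path failure" denial is gone. The object names match the answer above; the subnet masks, the use of packet-tracer against the exact flow from the log message, and the placement note are assumptions added here.

```cisco
! Added example: object definitions the twice-NAT identity rule depends on.
! Inside LAN and the VPN client pool, as stated in the thread.
object network obj-10.4.70.0
 subnet 10.4.70.0 255.255.255.0
object network obj-10.4.71.0
 subnet 10.4.71.0 255.255.255.0

! Identity (no-translation) rule for LAN <-> VPN-pool traffic.
! Because it is "source static X X destination static Y Y", the forward flow
! (inside -> pool) and the reverse flow (pool -> inside) resolve to the same
! rule, which is what clears the "Asymmetric NAT rules matched" denial.
! Manual (twice) NAT rules live in section 1 and are evaluated top-down, ahead
! of object (auto) NAT; if other manual rules exist for the inside network,
! keep this one above them.
nat (inside,any) source static obj-10.4.70.0 obj-10.4.70.0 destination static obj-10.4.71.0 obj-10.4.71.0

! Check 1: simulate the exact flow from the log message (ICMP echo, type 8,
! code 0, from a VPN client to an inside host). The NAT phase should now show
! the identity rule and the final result should be ALLOW.
packet-tracer input outside icmp 10.4.71.104 8 0 10.4.70.2 detailed

! Check 2: translate_hits on the identity rule grow with inside -> pool traffic,
! untranslate_hits with pool -> inside traffic; both moving confirms the rule
! is matched in both directions.
show nat detail
```

If packet-tracer still reports a drop in the NAT phase, the usual cause is another section 1 rule for obj-10.4.70.0 listed before this one; "show nat" prints section 1 in evaluation order, so the offending rule is visible there.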

New Member

Re: Asymmetric NAT rules

That's exactly what I needed!  Looking at it now, I should have come up with it on my own.  I'll be sure to remember this in the future.

Thanks so much!

New Member

Re: Asymmetric NAT rules

Thank you for this post as it helped me as well.

I am running an ASA with 8.4 code.

However, I do have a concern.  I set up a VPN site to site between a Firebox and an ASA using the VPN site-to-site wizard, and a "NAT exception" was not added for the two internal networks to speak to each other.  I had to troubleshoot the Asymmetric errors that were appearing.  Why wouldn't the ASA wizard account for this rule creation?

Thank you.

Cisco Employee

Re: Asymmetric NAT rules

Hi,

Well, it looks like a possible bug/enhancement in ASDM rather than ASA; would you be able to open a case with TAC for this?

Marcin

New Member

Re: Asymmetric NAT rules

Yes, will do.  Thank you.
