NAT Reverse Path Failure

John Apricena
Level 1

Hello Guys,

 

We are having a VPN issue between two ASAs over the web. These are both test environments, but we need connectivity between the two to move large amounts of data to and from. The ASA at Site 1 (ASA 1) is running 8.3 code and the ASA at Site 2 is running 8.2 code. The VPN comes online, but traffic will not reach. Site 2 can send but not receive, and Site 1 can receive but not send. The only errors I got are on Site 1, and that is the below:

        

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.255.1.100 dst inside:172.16.1.20 (type 8, code 0) denied due to NAT reverse path failure

 

Site 1 is a flat network. There is an ASA used as the gateway, but the local network is simply a flat Class B subnet. No extra VLANs or routing, just switches uplinked to each other on the same subnet. The trusted network is 172.16.0.0 /16.

Site 2 is a bit more complex. It has a Cisco ASA uplinked to an 6500 which hosts an FWSM. The networks that need to talk over the VPN sits behind the FWSM and is 10.255.1.0 /24. I've attached a diagram. The ASA at Site 2 does not have a link on the 10.255.1.0, but it has a route to reach it over the 10.255.255.x network. Currently ASA 2 can see the 10.255.1.0 network with no issues. We need this 10.255.1.0 network to reach the 172.16.0.0 network over the VPN at Site 1. 

When traffic originates from Site 2 the VPN comes up successfully, but traffic does not cross. I see the FWSM and ASA logs showing the traffic hitting both, so I am confident traffic is successfully leaving Site 2. Site 1, though, is where I get the above error. When I originate the traffic from Site 1, I see nothing on the Site 2 ASA or FWSM. This seems to be a NAT issue on the Site A ASA, but any configurations you would like me to post, just let me know.

Thanks in advance to all who assist!

 

Accepted Solution

nkarthikeyan
Level 7

Hi,

 

Do you have the crypto ACL matching at both ends? I mean it should be mirrored ACLs at both ends, and do you have the no-NAT rule configured for this?

 

Say at your site 1: ASA 8.3

access-list <crypto aclname> extended permit ip 172.16.0.0 255.255.0.0 10.255.1.0 255.255.255.0

object network locallan

subnet 172.16.0.0 255.255.0.0

object network remotelan

subnet 10.255.1.0 255.255.255.0

nat (inside,outside) source static locallan locallan destination static remotelan remotelan

 

Say at your site 2: ASA 8.2

access-list <crypto aclname> extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0

 

access-list no-nat extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0

nat (inside) 0 access-list no-nat

 

Regards

Karthik

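As an added check, not code from the thread or from Cisco: a small Python script that parses ASA snippets in the form Karthik posted, using the thread's subnets, and reports the two conditions he names, non-mirrored crypto ACLs and a crypto-ACL pair with no NAT exemption (8.3 identity twice NAT, or 8.2 nat 0 access-list). The config text, ACL names and the check_vpn helper are constructed for this example; it also handles the poster's "object remotelan" form of the ACL.

```python
import ipaddress
import re

# Constructed configs with the thread's subnets (not the poster's real configs):
# site 1 on ASA 8.3 with identity twice NAT, site 2 on ASA 8.2 with nat 0 exemption.
SITE1_OK = """
object network locallan
 subnet 172.16.0.0 255.255.0.0
object network remotelan
 subnet 10.255.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object remotelan
nat (inside,outside) source static locallan locallan destination static remotelan remotelan
"""
SITE1_NO_NAT = "\n".join(l for l in SITE1_OK.splitlines() if not l.startswith("nat "))
SITE2_OK = """
access-list outside_cryptomap extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list no-nat extended permit ip 10.255.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list no-nat
"""
net = lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False)

def addr_spec(toks, objects):
    # one ACL address spec: 'object NAME' or 'A.B.C.D MASK'; returns (network, remaining tokens)
    if toks[0] == "object":
        return objects[toks[1]], toks[2:]
    return net(toks[0], toks[1]), toks[2:]

def parse(cfg):
    # returns (ACL name -> {(src, dst)}, set of (src, dst) pairs that NAT exemption covers);
    # relies on running-config order: network objects, then access-lists, then nat rules
    objects, acls, exempt, cur = {}, {}, set(), None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r"\s+subnet (\S+) (\S+)", line):
            objects[cur] = net(*m.groups())
        elif m := re.match(r"access-list (\S+) extended permit ip (.*)", line):
            src, rest = addr_spec(m.group(2).split(), objects)
            acls.setdefault(m.group(1), set()).add((src, addr_spec(rest, objects)[0]))
        # 8.3+ identity twice NAT: same object as real and mapped, for source and destination
        elif m := re.match(r"nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            exempt.add((objects[m.group(1)], objects[m.group(2)]))
        # 8.2 NAT exemption: every pair permitted by the referenced ACL is exempt
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            exempt |= acls.get(m.group(1), set())
    return acls, exempt

def check_vpn(local_cfg, local_acl, remote_cfg, remote_acl):
    # lists mismatches that leave the tunnel up but traffic dropped (e.g. NAT reverse path failure)
    (lacls, lexempt), (racls, rexempt) = parse(local_cfg), parse(remote_cfg)
    lpairs, rpairs = lacls.get(local_acl, set()), racls.get(remote_acl, set())
    findings = ["crypto ACLs are not mirror images"] if {(d, s) for s, d in rpairs} != lpairs else []
    for site, pairs, exempt in (("local", lpairs, lexempt), ("remote", rpairs, rexempt)):
        for s, d in sorted(pairs):
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
                findings.append(f"{site}: no NAT exemption covers {s} -> {d}")
    return findings
```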

8 Replies


Hi Karthik,

 

Thanks for the response back! I only see the below on Site 1 as far as the commands you have. I am missing the nat (inside,outside) command. Do you think that one command may resolve the issue? The below is all I have.

object network remotelan
 subnet 10.255.1.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object remotelan

 

Should I add the following command?

nat (inside,outside) source static 172.16.0.0 255.255.0.0 destination static remotelan remotelan

Also, the site 2 ASA has NAT only configured for certain networks. There is not a default NAT statement for all traffic especially since this network is not hung directly off of it.

Thanks Karthik! I emailed it over to you.

Hi,

 

It's not advised to use an object name in the crypto ACL, nor in the NAT statement..... you can paste it as I have pasted it... if your subnet info is correct in my configuration....

 

The site-to-site VPN condition is that each side should have matching parameters..... the crypto ACLs should be mirrored ACL rules on each side.....

No-NAT should be there to exempt NATing between the local LAN and the remote LAN.... your phase 1 and phase 2 configurations should match....

 

Regards

Karthik

Thanks again Karthik.

 

I'll let you know if this resolves it.

Hi Karthik,

The below is currently in place on Site 1 and I am still getting the same error. Can you advise on possible next steps or if you need more info from me? Thanks again for all your help with this.

access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 object Nu_Age_Inside

 

object network locallan

subnet 172.16.0.0 255.255.0.0

object network remotelan

subnet 10.255.1.0 255.255.255.0


nat (inside,outside) source static locallan locallan destination static remotelan remotelan

 

Hi,

 

In Site 2, do you see the correct configuration as I said? Because if the NAT rule is not in place, or it finds no matching rule, it throws such an error.... can you send me both end configurations with the secret information hashed out? Do you have any overlapping NAT statement in place for this?

 

send to nkartheekeyan@hotmail.com

 

Regards

Karthik
