Solved

ASA 5505 + Remote VPN traffic

Posted on 2011-03-06
1,372 Views
Last Modified: 2012-05-11
Hello,

I am having problems trying to get users to VPN into the main site and reach the remote site.  

  Main Site Internet (Static)                                                  Remote Site Internet (DHCP)
               |                                                                            |
               |                                                                            |
Subnet ------ ASA -------- Uplink --------- Wireless Bridge ------------- Uplink --------- ASA --------- Subnet



The error that I am getting is:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:172.30.3.104 dst uplink:192.168.100.50 (type 8, code 0) denied due to NAT reverse path failure


I do not see any logs at the remote site.  

Any ideas?



Main Site



: Saved
:
ASA Version 8.2(4)
!
hostname xxxx

names

!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x
!
interface Vlan3
 nameif uplink
 security-level 100
 ip address 10.250.1.1 255.255.255.248
!
interface Vlan5
 no forward interface Vlan1
 nameif public
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa824-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list SPLIT standard permit 192.168.10.0 255.255.255.0
access-list SPLIT standard permit 192.168.100.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 172.30.3.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NoNAT extended permit ip 172.30.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outside_access_in remark ***For Exchange***
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 10.250.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 172.30.3.0 255.255.255.0  192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu public 1500
mtu uplink 1500
ip local pool vpn_pool 172.30.3.101-172.30.3.125 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (public) 1 192.168.1.0 255.255.255.0
nat (uplink) 0 access-list UplinkNoNAT
nat (uplink) 1 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.xxx 192.168.10.25 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 63.138.62.193 1
route uplink 172.30.3.0 255.255.255.0 10.250.1.2 2
route uplink 192.168.100.0 255.255.255.0 10.250.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set TunnelSec esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RemoteUser 10 set transform-set TunnelSec
crypto dynamic-map RemoteUser 10 set security-association lifetime seconds 288000
crypto dynamic-map RemoteUser 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map RemoteUser 10 set reverse-route
crypto map VPNConns 10 set peer <IP address>
crypto map VPNConns 10 set transform-set TunnelSec
crypto map VPNConns 10 set security-association lifetime seconds 28800
crypto map VPNConns 10 set security-association lifetime kilobytes 4608000
crypto map VPNConns 100 ipsec-isakmp dynamic RemoteUser
crypto map VPNConns interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 60
ssh xxx.xxx.xxx.xxx 255.255.255.128 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd option 43 ip 192.168.1.1
!
dhcpd address 192.168.1.100-192.168.1.200 public
dhcpd dns 8.8.8.8 8.8.4.4 interface public
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
 dns-server value 192.168.10.22
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 default-domain value ms.seniorsfirstonline.com
 address-pools value vpn_pool
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc

tunnel-group RemoteUser type remote-access
tunnel-group RemoteUser general-attributes
 address-pool vpn_pool
tunnel-group SSLAccess type remote-access
tunnel-group SSLAccess general-attributes
 default-group-policy SSLVPN
tunnel-group SSLAccess webvpn-attributes
 group-alias RemoteUsers enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:757f542ca8903a10d889e89ca777701f
: end



---------------------

Remote


names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif uplink
 security-level 100
 ip address 10.250.1.2 255.255.255.248
!
boot system disk0:/asa824-k8.bin
ftp mode passive
dns server-group DefaultDNS
 name-server 192.168.10.22
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NoNAT extended permit ip 192.168.100.0 255.255.255.0 172.30.3.0 255.255.255.0
access-list NoNAT extended permit ip 172.30.3.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 172.30.3.0 255.255.255.0  192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu uplink 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (uplink) 0 access-list UplinkNoNAT
nat (uplink) 1 0.0.0.0 0.0.0.0
route uplink 172.30.3.0 255.255.255.0 10.250.1.1 2
route uplink 192.168.10.0 255.255.255.0 10.250.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 60
ssh 74.39.247.128 255.255.255.128 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.10.22
dhcpd wins 192.168.10.22
dhcpd domain xxx
!
dhcpd address 192.168.100.104-192.168.100.180 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns preset_dns_map
  inspect icmp
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1ffd362cb9900b5168ce3c0cbc4e1b6d
Question by: mahrens007
4 Comments
Accepted Solution
by: Ernie Beek (LVL 35), earned 500 total points
Have a look at your NoNAT access lists. Per device you only define the outgoing traffic which should be exempted from NAT.

Expert Comment
by: Ernie Beek (LVL 35)
Also at the main site config you have: route uplink 172.30.3.0 255.255.255.0 10.250.1.2 2

The 172.30.3.x addresses are at the outside interface (VPN clients) so that route should go.

I reread my first post and that isn't stated very well. The NAT exempts (nat 0) set on an interface are for traffic coming into that interface. There you define what outgoing traffic is exempted from NAT. So into the interface and out of the device.

For example main site:

access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 10.250.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 172.30.3.0 255.255.255.0

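To make the point in this comment concrete, here is an added example (not from the thread's participants and not Cisco code) in Python. It parses the `nat 0 access-list`, dynamic `nat`/`global` and NoNAT ACL lines of an 8.2-style config and evaluates both directions of one flow the way the ASA's reverse-path check does, so the "Asymmetric NAT rules matched" condition from the log line in the question can be reproduced from the config before it is deployed. The config lines, the flow (VPN client 172.30.3.104 to 192.168.100.50 reached via uplink) and the added exemption line are taken from the question and this answer; the ASA order of operations is simplified to exemption first, then dynamic NAT, and decrypted VPN-client traffic is assumed to be treated as arriving on the outside interface.

```python
"""Reproduce the ASA "Asymmetric NAT rules matched" check from an 8.2-style
config.  Added example for this thread, not Cisco code: only the parts of the
NAT order of operations discussed here are modelled (nat 0 access-list
exemption evaluated first, then dynamic nat/global PAT on the ingress/egress
pair).  Config excerpts and the test flow come from the question."""
import ipaddress
import re
from collections import defaultdict

# Only the command forms that appear in the thread's configs are parsed.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(?:access-list\s+(\S+)|(\S+)\s+(\S+))\s*$")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+interface\s*$")


def parse(config_text):
    """Return (acls, nats, globs):
    acls  -> {acl_name: [(src_net, dst_net), ...]} in configured order
    nats  -> {ifname: [(nat_id, acl_name_or_None, net_or_None), ...]}
    globs -> {(ifname, nat_id)} for 'global (if) id interface' (PAT on egress)"""
    acls, nats, globs = defaultdict(list), defaultdict(list), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT_RE.match(line):
            ifname, nat_id, acl, net, mask = m.groups()
            network = ipaddress.ip_network(f"{net}/{mask}") if net else None
            nats[ifname].append((int(nat_id), acl, network))
        elif m := GLOBAL_RE.match(line):
            globs.add((m.group(1), int(m.group(2))))
    return acls, nats, globs


def nat_decision(parsed, src_ip, ingress, dst_ip, egress):
    """Decide how one direction of a flow is NATed.
    Exemption (nat 0 access-list on the ingress interface) wins over dynamic
    NAT; dynamic nat applies only when a global with the same id exists on the
    egress interface."""
    acls, nats, globs = parsed
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    rules = nats.get(ingress, [])
    for nat_id, acl, _ in rules:
        if nat_id == 0 and acl and any(src in s and dst in d for s, d in acls.get(acl, [])):
            return "exempt"
    for nat_id, _, net in rules:
        if nat_id != 0 and net is not None and src in net and (egress, nat_id) in globs:
            return f"translated(nat {nat_id} -> global on {egress})"
    return "untranslated"


def check_symmetry(parsed, src_ip, ingress, dst_ip, egress):
    """Evaluate the forward and reverse direction; the ASA drops the flow when
    one direction is translated and the other is not (syslog %ASA-5-305013)."""
    fwd = nat_decision(parsed, src_ip, ingress, dst_ip, egress)
    rev = nat_decision(parsed, dst_ip, egress, src_ip, ingress)
    return fwd, rev, fwd.startswith("translated") != rev.startswith("translated")


# NAT-relevant uplink lines of the main-site config exactly as posted.
MAIN_SITE = """
access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 10.250.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list UplinkNoNAT extended permit ip 172.30.3.0 255.255.255.0  192.168.10.0 255.255.255.0
global (outside) 1 interface
nat (uplink) 0 access-list UplinkNoNAT
nat (uplink) 1 0.0.0.0 0.0.0.0
"""

# The same config plus the exemption this answer adds for return traffic from
# the remote LAN to the VPN pool.
MAIN_SITE_FIXED = MAIN_SITE + (
    "access-list UplinkNoNAT extended permit ip 192.168.100.0 255.255.255.0 172.30.3.0 255.255.255.0\n"
)

# Flow from the syslog line in the question: a VPN client (decrypted traffic is
# assumed to arrive on 'outside') pinging a remote-site host reached via 'uplink'.
FLOW = ("172.30.3.104", "outside", "192.168.100.50", "uplink")

if __name__ == "__main__":
    for label, cfg in (("as posted", MAIN_SITE), ("with added exemption", MAIN_SITE_FIXED)):
        fwd, rev, asym = check_symmetry(parse(cfg), *FLOW)
        print(f"{label}: forward={fwd} reverse={rev} asymmetric={asym}")
```

With the config as posted the forward direction is untranslated (no nat rule on outside) while the reverse direction from 192.168.100.50 falls through to `nat (uplink) 1` and is PATed to the outside interface, which is exactly the mismatch the 305013 message reports; adding the 192.168.100.0 to 172.30.3.0 exemption on uplink makes both directions untranslated.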

Author Closing Comment
by: mahrens007 (LVL 6)
Yup, you were correct.  There was an ACL missing for the 192.168.100.x traffic to 172.30.3.x at the main site.

Expert Comment
by: Ernie Beek (LVL 35)
Glad I could help :) And of course thx for the points.
