Connection denied due to NAT reverse path failure

I am putting in a second ASA location and cannot communicate across the VPN that is established. The error I get is (Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.72.14 dst inside:192.168.73.103 (type 0, code 0) denied due to NAT reverse path failure) when I try to ping from a host inside the 73 network to a host inside the 72 network.

I have mirrored the working VPN nat statements. I do see an ACL to a object group but don't see where it matters. Am I missing something obvious?

HOST:
ASA Version 8.3(1)
!
hostname 5510
!
interface Ethernet0/0
 description Outside interface
 nameif OUTSIDE
 security-level 0
 ip address 72.54.197.28 255.255.255.248
!
interface Ethernet0/1
 description Inside interface to internal network
 nameif INSIDE
 security-level 100
 ip address 192.168.72.2 255.255.255.0
!
boot system disk0:/asa831-k8.bin
same-security-traffic permit intra-interface
object network obj-192.168.72.0
 subnet 192.168.72.0 255.255.255.0
object network obj-192.168.74.0
 subnet 192.168.74.0 255.255.255.0
object network obj-192.168.72.100
 host 192.168.72.100
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
 description Rye
object-group service Citrix1494 tcp
 port-object eq citrix-ica
 port-object eq www
 port-object eq https
 port-object range 445 447
object-group network ValleywoodInternalNetwork
 network-object 192.168.72.0 255.255.255.0
access-list OUTSIDE_1_cryptomap extended permit ip object obj-192.168.72.0 object obj-192.168.74.0
access-list INSIDE_nat0_inbound extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.74.0 255.255.255.0 object-group ValleywoodInternalNetwork
access-list Outside-ACL extended permit tcp any host 192.168.72.100 object-group Citrix1494
access-list OUTSIDE_2_cryptomap extended permit ip object obj-192.168.72.0 object obj-192.168.73.0

nat (INSIDE,INSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.74.0 obj-192.168.74.0
nat (INSIDE,OUTSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.74.0 obj-192.168.74.0
nat (INSIDE,OUTSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.73.0 obj-192.168.73.0
nat (INSIDE,INSIDE) source static obj-192.168.72.0 obj-192.168.72.0 destination static obj-192.168.73.0 obj-192.168.73.0
!
object network obj-192.168.72.100
 nat (INSIDE,OUTSIDE) static 72.54.197.26
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
object network obj_any-01
 nat (INSIDE,OUTSIDE) dynamic obj-0.0.0.0
object network obj_any-02
 nat (management,OUTSIDE) dynamic obj-0.0.0.0
access-group Outside-ACL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 72.54.197.25 100

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs group1
crypto map OUTSIDE_map 1 set peer 72.54.178.126
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 2 match address OUTSIDE_2_cryptomap
crypto map OUTSIDE_map 2 set pfs group1
crypto map OUTSIDE_map 2 set peer 69.15.200.138
crypto map OUTSIDE_map 2 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp identity hostname
crypto isakmp enable OUTSIDE
crypto isakmp enable INSIDE
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 72.54.178.126 type ipsec-l2l
tunnel-group 72.54.178.126 ipsec-attributes
 pre-shared-key *****
tunnel-group 69.15.200.138 type ipsec-l2l
tunnel-group 69.15.200.138 ipsec-attributes
 pre-shared-key *****
!



REMOTE:
: Saved
:
ASA Version 8.3(1)
!
hostname 5505

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.73.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.15.200.138 255.255.255.252
!

boot system disk0:/asa831-k8.bin

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 192.168.72.0
 subnet 192.168.72.0 255.255.255.0
 description Sixpines  
object network NETWORK_OBJ_192.168.73.0_24
 subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
object network Sixpines
 subnet 192.168.72.0 255.255.255.0
object-group network SixpinesInternalNetwork
 network-object Sixpines 255.255.255.0
access-list outside_1_cryptomap extended permit ip object obj-192.168.73.0 object Sixpines

nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 69.15.200.137 1

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.54.197.28
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 72.54.197.28 type ipsec-l2l
tunnel-group 72.54.197.28 ipsec-attributes
 pre-shared-key *****
!
!

Any suggestions would be greatly appreciated.
1 Solution
 
charlietaylor (Author) commented:
no nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
charlietaylor (Author) commented:
8.3 issue with NAT and non-routable addresses, same as VPN
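A small check, added here and not part of the original thread, for the kind of mistake the fix above removes: it parses the 5505's posted nameif, object and manual NAT lines and reports NAT rules that name an interface with no nameif (the dmz rule) and later rules that repeat an earlier rule's address pair under a different interface pair, which is where the ASA's first-match ordering decides which rule a flow hits. It assumes the posted config is complete and handles only the `source static ... destination static` form shown.

```python
import re
from ipaddress import ip_network

# Constructed sample: the nameif, object and manual NAT lines of the 5505
# config quoted above (assumed complete, so a missing nameif is real).
REMOTE_CFG = """\
 nameif inside
 nameif outside
object network 192.168.72.0
 subnet 192.168.72.0 255.255.255.0
object network NETWORK_OBJ_192.168.73.0_24
 subnet 192.168.73.0 255.255.255.0
object network obj-192.168.73.0
 subnet 192.168.73.0 255.255.255.0
object network Sixpines
 subnet 192.168.72.0 255.255.255.0
nat (dmz,outside) source static NETWORK_OBJ_192.168.73.0_24 NETWORK_OBJ_192.168.73.0_24 destination static 192.168.72.0 192.168.72.0
nat (inside,any) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
nat (inside,outside) source static obj-192.168.73.0 obj-192.168.73.0 destination static Sixpines Sixpines
"""
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \S+ "
                    r"destination static (\S+) \S+")
def parse(cfg):
    """Collect nameif names, object-network subnets and manual NAT rules."""
    ifaces, objects, rules, cur = set(), {}, [], None
    for line in cfg.splitlines():
        if m := re.match(r"^ nameif (\S+)", line):
            ifaces.add(m.group(1))
        elif m := re.match(r"^object network (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r"^ subnet (\S+) (\S+)", line):
            objects[cur] = ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := NAT_RE.match(line):
            real_if, mapped_if, src, dst = m.groups()
            rules.append((real_if, mapped_if, objects[src], objects[dst]))
    return ifaces, rules

def lint(cfg):
    """Flag undefined interfaces and later rules repeating an earlier address pair."""
    ifaces, rules = parse(cfg)
    findings = []
    for i, (rif, mif, src, dst) in enumerate(rules, 1):
        for name in (rif, mif):
            if name != "any" and name not in ifaces:
                findings.append(f"rule {i}: interface '{name}' has no nameif")
        # Same real src/dst pair under another interface pair: first match wins
        for j, (rif2, mif2, src2, dst2) in enumerate(rules[:i - 1], 1):
            if (src, dst) == (src2, dst2) and (rif, mif) != (rif2, mif2):
                findings.append(f"rule {i} ({rif},{mif}) repeats rule {j} "
                                f"({rif2},{mif2}) for {src} -> {dst}")
    return findings
```

With the dmz rule removed, the one remaining finding is the (inside,outside) rule repeating the broader (inside,any) rule above it, which is redundant rather than harmful since both are identity NAT.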