2 Replies Latest reply: Feb 13, 2012 9:47 PM by StevenB

    Connection denied due to NAT reverse path failure

    StevenB

      I'm hoping someone here might be able to help me.  I have my ASA 5505 set up and can establish a VPN tunnel using Anyconnect, but I can't access any of the resources on the tunneled network.


      10.1.1.0/24 --> ASA --> outside


      The log entry I see is:

      5     Feb 13 2012     01:34:58     305013     10.1.1.40                 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.1.1.129 dst inside:10.1.1.40 (type 8, code 0) denied due to NAT reverse path failure


      I'm trying to ping 10.1.1.40 from my Anyconnect client (10.1.1.129) and cannot get a response.  My running config is pasted below.  I've seen several solutions for this problem but none have worked for me yet.  Any suggestions would be helpful.


      !

      ASA Version 8.2(2)

      !

      hostname ciscoasa

      domain-name default.domain.invalid

      enable password EYuO0kfXeiLAnhnG encrypted

      passwd EYuO0kfXeiLAnhnG encrypted

      names

      name 10.1.1.252 GogarNAS description Central Network Storage Server

      ddns update method dyndns

      ddns both

      !

      !

      interface Vlan1

      nameif inside

      security-level 100

      ip address 10.1.1.1 255.255.255.0

      !

      interface Vlan2

      nameif outside

      security-level 0

      ddns update hostname foo.bar

      ddns update dyndns

      ip address dhcp setroute

      !

      interface Ethernet0/0

      switchport access vlan 2

      !

      interface Ethernet0/1

      !

      interface Ethernet0/2

      !

      interface Ethernet0/3

      !

      interface Ethernet0/4

      !

      interface Ethernet0/5

      !

      interface Ethernet0/6

      !

      interface Ethernet0/7

      !

      boot system disk0:/asa822-k8.bin

      ftp mode passive

      clock timezone EST -5

      clock summer-time EDT recurring

      dns domain-lookup outside

      dns server-group DefaultDNS

      name-server 10.1.1.1

      name-server 4.2.2.2

      name-server 8.8.8.8

      domain-name default.domain.invalid

      object-group service GogarNasSSH tcp

      description Outside Port for Secure Shell Access to GogarNAS

      port-object eq 2222

      access-list outside_access_in remark FTP access

      access-list outside_access_in extended permit tcp any interface outside eq ftp

      access-list outside_access_in remark Secure Web access to GogarNas

      access-list outside_access_in extended permit tcp any interface outside eq https

      access-list outside_access_in remark Unsecure Web access to GogarNas

      access-list outside_access_in extended permit tcp any interface outside eq www

      access-list outside_access_in remark Secure Shell to GogarNAS

      access-list outside_access_in extended permit tcp any interface outside object-group GogarNasSSH

      access-list split_tunnel_list remark local network behind ASA

      access-list split_tunnel_list standard permit 10.1.1.0 255.255.255.0

      access-list inside_nat0_outbound remark NAT rule for VPN users

      access-list inside_nat0_outbound extended permit ip 10.1.1.128 255.255.255.192 10.1.1.0 255.255.255.0

      pager lines 24

      logging enable

      logging asdm informational

      logging ftp-bufferwrap

      logging ftp-server GogarNAS logs ftpuser ftppass

      mtu inside 1500

      mtu outside 1500

      ip local pool SSLClientPool 10.1.1.129-10.1.1.160 mask 255.255.255.0

      icmp unreachable rate-limit 1 burst-size 1

      asdm image disk0:/asdm-625.bin

      asdm location GogarNAS 255.255.255.255 inside

      no asdm history enable

      arp timeout 14400

      nat-control

      global (outside) 1 interface

      nat (inside) 0 access-list inside_nat0_outbound

      nat (inside) 1 0.0.0.0 0.0.0.0

      static (inside,outside) tcp interface ftp GogarNAS ftp netmask 255.255.255.255

      static (inside,outside) tcp interface https GogarNAS 5001 netmask 255.255.255.255

      static (inside,outside) tcp interface www GogarNAS 5000 netmask 255.255.255.255

      static (inside,outside) tcp interface 2222 GogarNAS ssh netmask 255.255.255.255

      access-group outside_access_in in interface outside

      timeout xlate 3:00:00

      timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

      timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

      timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

      timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

      timeout tcp-proxy-reassembly 0:01:00

      dynamic-access-policy-record DfltAccessPolicy

      webvpn

        svc ask none default svc

      http server enable

      http 10.1.1.0 255.255.255.0 inside

      no snmp-server location

      no snmp-server contact

      snmp-server enable traps snmp authentication linkup linkdown coldstart

      crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

      crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

      crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

      crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

      crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

      crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

      crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

      crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

      crypto ipsec security-association lifetime seconds 28800

      crypto ipsec security-association lifetime kilobytes 4608000

      crypto dynamic-map DYNAMIC-MAP 5 set transform-set ESP-AES-128-SHA

      crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

      crypto map OUTSIDE_MAP 65530 ipsec-isakmp dynamic DYNAMIC-MAP

      crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

      crypto map outside_map interface outside

      crypto ca trustpoint ASDM_TrustPoint0

      enrollment self

      fqdn foo.bar

      subject-name CN=foo.bar

      keypair GogarSSLVPNKeyPair

      crl configure

      crypto ca certificate chain ASDM_TrustPoint0

      certificate 38610b4e

          306201ff 30820168 a0030201 02020438 610b4e30 0d06092a 864886f7 0d010105

          05003044 311d301b 06035504 03131466 75646162 75736869 2e64796e 646e732e

          6f726731 23352106 092a8648 86f70d01 09021614 66856461 62757368 692e6479

          6e646e73 2e6f7267 301e170d 31399036 32393137 33303332 5a170d32 31303632

          36313733 3033325a 3044311d 301b0603 55040313 14667564 61627573 68692e64

          796e646e 732e6f72 67312330 2106092a 864886f7 0d010902 16146675 64616275

          7368692e 64796e64 6e732e6f 72673081 9f300d06 092a8648 86f70d01 01010500

          03818d00 30818902 81810094 39c910ee 1d9ce3bb abb26fb9 58883059 5c3c4578

          6ef68697 fc23080c 72c91dc4 3b07c349 82ca3271 79a8dc1d bf6560b9 870290ae

          000d71ac b1259dec 8b32a12e 37790fe1 b1a7a348 f425f0c2 df499be0 915d28a1

          b1587020 e1748f20 7c6824ba cef1c991 0a15aa3a dacdff3e 47999cce 2fc3a7c7

          6ed826ec cb02c952 149dd302 03010001 300d0609 2a864886 f70d0101 05050003

          81810061 4301d14b 0080eafa 7f83890a a7dd5216 c3719ffa 5a4f0aa1 c3005871

          74944c7c 6829ba6d 3eba42ee c477af19 c7471060 06394c24 c4920814 ab115b56

          a0107c94 e0a0725e 2045e802 690e1e88 6c82922d 40010a01 8adcccfc 4acdc493

          f138ec74 7b96d3cd 047e8dbf 102f87f3 75e06e9c 1f190be9 b05e0fec b07fdcf8 644482

        quit

      crypto isakmp enable outside

      crypto isakmp policy 10

      authentication pre-share

      encryption aes-256

      hash sha

      group 5

      lifetime 86400

      no crypto isakmp nat-traversal

      telnet 10.0.0.0 255.0.0.0 inside

      telnet 0.0.0.0 0.0.0.0 inside

      telnet timeout 5

      ssh timeout 5

      console timeout 0

      dhcp-client client-id interface outside

      dhcpd dns 10.1.1.1 4.2.2.2

      dhcpd auto_config outside

      !

      dhcpd address 10.1.1.5-10.1.1.100 inside

      dhcpd enable inside

      !

      threat-detection basic-threat

      threat-detection statistics access-list

      no threat-detection statistics tcp-intercept

      ntp server 69.164.222.108 source outside

      ntp server 67.18.187.111 source outside

      ntp server 64.6.144.6 source outside

      ntp server 24.124.0.251 source outside

      ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip

      ssl trust-point ASDM_TrustPoint0 outside

      webvpn

      port 8443

      enable outside

      svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

      svc image disk0:/anyconnect-linux-2.4.1012-k9.pkg 2

      svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3

      svc image disk0:/anyconnect-macosx-powerpc-2.4.1012-k9.pkg 4

      svc profiles SSLClientProfile disk0:/AnyConnectProfile.tmpl

      svc enable

      tunnel-group-list enable

      group-policy SSLClientPolicy internal

      group-policy SSLClientPolicy attributes

      dns-server value 4.2.2.2 8.8.8.8

      vpn-tunnel-protocol IPSec l2tp-ipsec svc

      default-domain value MSHOME

      address-pools value SSLClientPool

      webvpn

        svc profiles value SSLClientProfile

      group-policy DfltGrpPolicy attributes

      split-tunnel-policy tunnelspecified

      split-tunnel-network-list value split_tunnel_list

      intercept-dhcp enable

      group-policy EZVPN_GP internal

      group-policy EZVPN_GP attributes

      split-tunnel-policy tunnelspecified

      nem enable

      webvpn

        svc profiles value SSLClientProfile

      username gogarnetvpnuser password sfsfsfsfsf encrypted

      username gogarnetvpnuser attributes

      service-type remote-access

      tunnel-group EZVPN_TG type remote-access

      tunnel-group EZVPN_TG general-attributes

      default-group-policy EZVPN_GP

      tunnel-group EZVPN_TG ipsec-attributes

      pre-shared-key somekeysfsf$4$

      tunnel-group SSLClientProfile type remote-access

      tunnel-group SSLClientProfile general-attributes

      default-group-policy SSLClientPolicy

      tunnel-group SSLClientProfile webvpn-attributes

      group-alias SSLVPNClient enable

      !

      class-map inspection_default

      match default-inspection-traffic

      !

      !

      policy-map type inspect dns preset_dns_map

      parameters

        message-length maximum client auto

        message-length maximum 512

      policy-map global_policy

      class inspection_default

        inspect dns preset_dns_map

        inspect ftp

        inspect h323 h225

        inspect h323 ras

        inspect rsh

        inspect rtsp

        inspect esmtp

        inspect sqlnet

        inspect skinny

        inspect sunrpc

        inspect xdmcp

        inspect sip

        inspect netbios

        inspect tftp

        inspect ip-options

      !

      service-policy global_policy global

      prompt hostname context

      call-home

      profile CiscoTAC-1

        no active

        destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

        destination address email callhome@cisco.com

        destination transport-method http

        subscribe-to-alert-group diagnostic

        subscribe-to-alert-group environment

        subscribe-to-alert-group inventory periodic monthly

        subscribe-to-alert-group configuration periodic monthly

        subscribe-to-alert-group telemetry periodic daily

      Cryptochecksum:001cc5012cfae32ea337c8d00113ed90

      : end



        • 1. Re: Connection denied due to NAT reverse path failure
          Paul Stewart  -  CCIE Security

          I always use the vpn pool from a different subnet.  I think this has something to do with the nonat configuration.  When it is in a different subnet, it is more clear cut.  So I would try one of the following:


          Option 1--

          change the ip pool

          ip local pool SSLClientPool 10.2.2.129-10.2.2.160 mask 255.255.255.0

          access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

          no access-list inside_nat0_outbound extended permit ip 10.1.1.128 255.255.255.192 10.1.1.0 255.255.255.0


          Or try creating a symmetric nat rule:


          access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

          no access-list inside_nat0_outbound extended permit ip 10.1.1.128 255.255.255.192 10.1.1.0 255.255.255.0


          I'm not sure if option 2 will resolve it, but it certainly could.  In case 2 do a "clear xlate" prior to testing.  In option 1, disconnect and reconnect your vpn.

          • 2. Re: Connection denied due to NAT reverse path failure
            StevenB

            Thanks, Paul!


            I got it working with your first suggestion.  I changed the SSLClientPool to 10.2.2.1-10.2.2.50 255.255.255.0 and modified the access list accordingly.  However, I also had to add NAT exceptions.  The relevant access lists and NAT rules are as follows:


            access-list split_tunnel_list remark local network behind ASA

            access-list split_tunnel_list standard permit 10.1.1.0 255.255.255.0

            access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

            access-list inside_nat0_outbound_1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

            access-list outside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0


            ip local pool SSLClientPool 10.2.2.1-10.2.2.50 mask 255.255.255.0


            global (outside) 1 interface

            nat (inside) 0 access-list inside_nat0_outbound_1

            nat (inside) 1 0.0.0.0 0.0.0.0

            nat (outside) 0 access-list outside_nat0_outbound
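The thread settles on two conditions for the working configuration: the AnyConnect pool must not overlap the inside subnet (Paul's advice), and LAN-to-pool and pool-to-LAN traffic must both be covered by a nat 0 exemption on the interface it enters (Steven's final inside_nat0_outbound_1 and outside_nat0_outbound rules). The following is an added example, not code from this thread or from any Cisco tool: a small Python lint that parses the relevant lines from StevenB's original and final configurations (constructed inline from what he posted, trimmed to the lines the checker reads) and reports those two conditions. The pass/fail logic is a deliberately simplified model of NAT exemption, an assumption for illustration; it is not the ASA's NAT engine and does not predict every 305013 message.

```python
"""Lint an ASA 8.2-style config for the two problems this thread turns on:
a VPN address pool overlapping the inside subnet, and nat 0 exemption
coverage for LAN<->pool traffic in both directions.

Simplified model for illustration (an assumption); it is not Cisco's
NAT engine.
"""
import ipaddress
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def to_net(addr, mask):
    """Build a network from an address and dotted netmask (host bits allowed)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Pull interfaces, local pools, extended ACL entries and nat 0 bindings."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block; its nameif comes next
            continue
        m = re.match(r"nameif (\S+)$", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(rf"ip address ({IPV4}) ({IPV4})$", line)
        if m and nameif:  # "ip address dhcp setroute" is skipped on purpose
            cfg["interfaces"][nameif] = to_net(m.group(1), m.group(2))
            continue
        m = re.match(rf"ip local pool (\S+) ({IPV4})-({IPV4}) mask ({IPV4})", line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
            continue
        m = re.match(rf"access-list (\S+) extended permit ip "
                     rf"({IPV4}) ({IPV4}) ({IPV4}) ({IPV4})", line)
        if m:
            cfg["acls"].setdefault(m.group(1), []).append(
                (to_net(m.group(2), m.group(3)), to_net(m.group(4), m.group(5))))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            cfg["nat0"][m.group(1)] = m.group(2)
    return cfg


def contains(net, lo, hi):
    """A contiguous network holds a contiguous range iff it holds both ends."""
    return lo in net and hi in net


def overlaps(net, lo, hi):
    """True if the range lo-hi shares any address with net."""
    return lo in net or hi in net or lo <= net[0] <= hi


def exempt(cfg, ifname, src, dst):
    """True if the nat 0 ACL bound to ifname has an entry covering src -> dst."""
    entries = cfg["acls"].get(cfg["nat0"].get(ifname, ""), [])
    return any(contains(s, *src) and contains(d, *dst) for s, d in entries)


def lint(cfg, pool_name, inside="inside", outside="outside"):
    """Report the two conditions the thread identifies for a VPN pool."""
    pool = cfg["pools"][pool_name]
    inside_net = cfg["interfaces"][inside]
    lan = (inside_net[0], inside_net[-1])
    return {
        "pool_overlaps_inside": overlaps(inside_net, *pool),
        "lan_to_pool_exempt_on_inside": exempt(cfg, inside, lan, pool),
        "pool_to_lan_exempt_on_outside": exempt(cfg, outside, pool, lan),
    }


# Constructed from the lines StevenB posted; only the parts the lint reads.
ORIGINAL_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
access-list inside_nat0_outbound extended permit ip 10.1.1.128 255.255.255.192 10.1.1.0 255.255.255.0
ip local pool SSLClientPool 10.1.1.129-10.1.1.160 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

FIXED_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
access-list inside_nat0_outbound_1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
ip local pool SSLClientPool 10.2.2.1-10.2.2.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_config(text), "SSLClientPool"))
```

On the original configuration the lint flags the pool overlap and finds no exemption covering the whole LAN towards the pool (the posted ACL has the pool, not the LAN, as its source); on the final configuration all three conditions come out clean. A check like this is cheap to run before a change window and catches the overlap mistake that produced the 305013 log entry above without needing a live tunnel to test against.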