I was recently asked by a friend to help out with a config for a cisco ASA 5505. An additional network and VLAN had been added on the ASA 5505 and we needed anyconnect VPN users to be able to access devices on that new network. I’m used to working with checkpoint firewalls, but most firewalls function in a similar fashion. I first logged onto the ASA using the ASDM gui. I checked the firewall rules and access looked to be permitted between the vpn network and the new network. I was a little stumped because it seemed that I needed a little more than just a firewall rule to allow both networks to communicate. I then consoled into the ASA and looked at the routing table. All looked good there. The ASA management interface was able to communicate with devices on both networks, so something else was missing. I then looked at the log files in the ASDM gui and was receiving the following message when trying to rdp into a server after connecting to the VPN:
Asymmetric NAT rules matched for forward and reverse denied due to NAT reverse path failure. An attempt to connect to a mapped host using its actual address was rejected.
I searched cisco for a solution and found a few vague possible solutions. I then pinged Network guru Shane to see if he could point me in the right direction. He hinted that I might have needed a “no nat statement”. Bingo, that worked. Here’s the command that I needed:
Nat(vlan1) 0 access-list vlan1_nat0_outbound
In the ASDM gui, its called a nat exempt statement. This rule makes sure that the internal traffic from the new network going to the VPN network would not get nat’d on its way out.
Since then, I opened up my safari books account back up for $9.99 a month which includes 5 book slots a month. The first thing I checked out was a Cisco Press ASA book. Safari books is a great resource for low cost e-learning. I highly recommend you give it a try. They don’t really advertise the $9.99 subscription, but if you sign up for a free trial, you can still choose the $9.99 pricing. I’m not 100 percent sure if they are still offering this to new users, but its worth checking out. As a network administrator, its important to know the fundamentals. Don’t get stuck in the, “I only know cisco or juniper” mode. If you know the fundamentals, then learning a new syntax and a few different config parameters is not the end of the world. After all you don’t want to limit yourself by putting a vendor name in front of your title, i.e. Cisco Network Administrator or Brocade Network Administrator. Be (emphasis added) the “Network Administrator”.