The topology is shown in the figure above.
The IPSec VPN through asa505 was established successfully.
1. You can dial in to the VPN remotely and get the VPN pool address 192.168.3.10/24.
2. The server behind the firewall gets the IP 192.168.3.100/24 from DHCP.
3. Now, in order to let the server access the Internet, NAT: 192.168.3.0/24 is mapped to the WAN port on the ASA, so that the server can access the Internet normally.
show nat interface inside detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic Server interface
translate_hits = 547, untranslate_hits = 256
Source - Origin: 192.168.3.0/24, Translated: 125.*.*.*/32
The problem is: before NAT, VPN client 192.168.3.10 can ping server 192.168.3.100.
After finishing NAT, you can't ping...
Firewall log shows: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.3.12 dst inside:192.168.3.101 denied due to NAT reverse path failure
The intranet server needs to access the Internet, and the hosts should still be able to ping each other after VPN dial-in.
Experts, please advise. Thank you!
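The log message above can be reproduced with a small model of the NAT reverse-path check. This is an added example, not part of the original post and not ASA code: it compares the rule matched by the packet arriving from the VPN client with the rule the server's reply would match, and denies when they differ. The pool range 192.168.3.8/29, the WAN address 203.0.113.1 (standing in for the masked 125.*.*.*) and the rule names are assumptions; the "vpn-exempt" rule models an identity NAT exemption evaluated before the dynamic rule.

```python
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("192.168.3.0/24")  # inside subnet, from the post
VPN_POOL = ip_network("192.168.3.8/29")    # assumed pool range (covers .10 and .12)
WAN_IP = ip_address("203.0.113.1")         # constructed stand-in for 125.*.*.*

# Rule fields: real = inside source net, mapped = translated address
# (None means identity, i.e. no translation), dest = optional peer restriction.
DYNAMIC_PAT = {"name": "dynamic-pat", "real": INSIDE_NET, "mapped": WAN_IP, "dest": None}
EXEMPT = {"name": "vpn-exempt", "real": INSIDE_NET, "mapped": None, "dest": VPN_POOL}


def reverse_rule(rules, inside_host, outside_host):
    """First rule that would translate the reply (inside -> outside)."""
    for r in rules:
        if inside_host in r["real"] and (r["dest"] is None or outside_host in r["dest"]):
            return r["name"]
    return None


def forward_rule(rules, outside_host, inside_dst):
    """First rule that un-translates the packet arriving on the outside."""
    for r in rules:
        if r["dest"] is not None and outside_host not in r["dest"]:
            continue
        if r["mapped"] is None and inside_dst in r["real"]:
            return r["name"]          # identity rule: real address is reachable as-is
        if r["mapped"] is not None and inside_dst == r["mapped"]:
            return r["name"]          # packet addressed to the translated address
    return None


def check(rules, src, dst):
    """Return (verdict, forward rule, reverse rule) for an outside -> inside flow."""
    src, dst = ip_address(src), ip_address(dst)
    fwd = forward_rule(rules, src, dst)
    rev = reverse_rule(rules, dst, src)
    verdict = "permit" if fwd == rev else "deny: NAT reverse path failure"
    return verdict, fwd, rev


if __name__ == "__main__":
    # Addresses taken from the log line in the post.
    print(check([DYNAMIC_PAT], "192.168.3.12", "192.168.3.101"))
    print(check([EXEMPT, DYNAMIC_PAT], "192.168.3.12", "192.168.3.101"))
```

With only the dynamic rule, the forward flow matches nothing while the reply matches the PAT rule, which is the asymmetry the log reports; with the exemption ahead of it, both directions match the same rule and Internet-bound traffic still falls through to the PAT rule.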