ASA Asymmetric NAT

We had a normal AnyConnect VPN configured and everyone could get to the inside resources. We then put an application in the DMZ and some vendors needed to reach it over the VPN. When we tried to hit one of the DMZ servers we got the following error.

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.200.80.143/55759 dst DMZ:10.8.1.101/3389 denied due to NAT reverse path failure

Looking up the syslog message on Cisco's site provided a little information, and scouring the net did too, but no clear, definitive fix. The message itself is telling: the forward flow (VPN client to DMZ server) and the reverse flow (server back to the client) matched different NAT rules, and the ASA drops a connection whose reverse path would be translated differently. Thinking about what the firewall was doing and reviewing the NAT rules, I was fairly sure I knew what was happening: return traffic from the DMZ toward the VPN pool, which sits behind the outside interface, was being NAT'd on its way out of the DMZ. We certainly didn't want that. I created a NAT 0 (NAT exemption) entry for the DMZ-to-VPN-pool traffic (I'm running 8.2.5 on this particular firewall) and that fixed it.

VPN assigned addresses: 10.200.80.0 /24
DMZ address space: 10.8.1.0 /24

Commands to resolve:

ASA-VPN-FW(config)# access-list DMZ_ACCESS_FROM_VPN permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.0
ASA-VPN-FW(config)# nat (DMZ) 0 access-list DMZ_ACCESS_FROM_VPN

The source of the access-list is the real DMZ address space behind the interface named in the nat statement, and the destination is the VPN pool; the pool mask has to be the /24 (255.255.255.0) that matches the assigned addresses, otherwise the client in the log above (10.200.80.143) would not be exempted.
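To sanity-check an exemption like this before committing it, the following is a small triage helper I added for this post (it is not Cisco's or the author's code). It parses the %ASA-5-305013 line quoted above, builds the reverse (server-to-client) flow the message complains about, and checks whether a `nat (DMZ) 0 access-list` entry covers that flow. The two access-list texts are constructed here: one with the /24 pool mask, and one with a host mask (255.255.255.255) on the pool to show why the destination mask matters.

```python
"""Triage helper for %ASA-5-305013 (NAT reverse path failure).

Added example for this post, not Cisco or the author's code. Parses the
syslog line quoted in the post, derives the reverse flow, and checks whether
a 'nat (<if>) 0 access-list <acl>' exemption (8.2-style NAT 0) would cover it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Message shape as quoted in the post.
LOG_RE = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)

# The exact log line from the post.
SAMPLE_LOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse "
              "flows; Connection for tcp src outside:10.200.80.143/55759 "
              "dst DMZ:10.8.1.101/3389 denied due to NAT reverse path failure")


@dataclass(frozen=True)
class Flow:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The reply direction: server on dst_if answering the client on src_if."""
        return Flow(self.proto, self.dst_if, self.dst_ip, self.dst_port,
                    self.src_if, self.src_ip, self.src_port)


def parse_305013(line: str) -> Optional[Flow]:
    """Return the denied forward flow from a 305013 line, or None for other messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["proto"], m["src_if"], m["src_ip"], int(m["src_port"]),
                m["dst_if"], m["dst_ip"], int(m["dst_port"]))


@dataclass(frozen=True)
class AceIp:
    """One 'permit ip <net> <mask> <net> <mask>' entry of an ASA extended ACL."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(text: str) -> AceIp:
    """Parse the body of an ACE such as 'permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.0'."""
    parts = text.split()
    if parts[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are modelled here")
    src = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
    dst = ipaddress.IPv4Network(f"{parts[4]}/{parts[5]}", strict=False)
    return AceIp(src, dst)


def nat0_exempts(nat_if: str, acl: List[AceIp], flow: Flow) -> bool:
    """Would 'nat (<nat_if>) 0 access-list <acl>' exempt this flow from translation?

    For NAT 0 the ACL source is the real address behind nat_if and the ACL
    destination is the far end, so the flow must originate on nat_if.
    """
    if flow.src_if != nat_if:
        return False
    s = ipaddress.IPv4Address(flow.src_ip)
    d = ipaddress.IPv4Address(flow.dst_ip)
    return any(s in ace.src and d in ace.dst for ace in acl)


def check_fix() -> dict:
    """Evaluate the post's exemption against the logged flow.

    'pool_mask_24' mirrors the fix with the /24 pool mask; 'host_mask' is a
    constructed mistake (255.255.255.255 on the pool) for comparison.
    """
    fwd = parse_305013(SAMPLE_LOG)
    if fwd is None:
        raise ValueError("sample log did not parse")
    rev = fwd.reverse()  # DMZ server replying to the VPN client
    pool_mask_24 = [parse_ace("permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.0")]
    host_mask = [parse_ace("permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.255")]
    return {
        "reverse_flow": rev,
        "pool_mask_24_exempts": nat0_exempts("DMZ", pool_mask_24, rev),
        "host_mask_exempts": nat0_exempts("DMZ", host_mask, rev),
    }


if __name__ == "__main__":
    for key, value in check_fix().items():
        print(f"{key}: {value}")
```

Feed it the raw 305013 lines from `show logging` (or a syslog collector) and compare the reverse flow against the exemption ACL you intend to add; if `nat0_exempts` returns False for a flow that is being denied, the ACL is not going to fix that flow.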
