ASA Asymmetric NAT

We had a normal AnyConnect VPN configured and everyone could get to the inside resources. We then put an application in the DMZ and some vendors needed access to it. When we tried to hit one of the servers we got the following error.

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.200.80.143/55759 dst DMZ:10.8.1.101/3389 denied due to NAT reverse path failure

Looking up the logging error on Cisco provided a little bit of info and scouring the net did too, but no clear definitive “fix”. Thinking about what it was doing and reviewing the NAT rules, I was pretty sure I knew what was happening. Traffic was getting NAT’d out of the DMZ. We certainly didn’t want that. I created a NAT0 entry (I’m running 8.2.5 on this particular firewall) and that fixed it.

VPN assigned addresses: 10.200.80.0/24
DMZ address space: 10.8.1.0/24

Commands to resolve:

ASA-VPN-FW(config)# access-list DMZ_ACCESS_FROM_VPN permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.0
ASA-VPN-FW(config)# nat (DMZ) 0 access-list DMZ_ACCESS_FROM_VPN
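
To check a NAT 0 access list against the flow named in a 305013 message before changing the firewall, the following added example (not part of the original post) parses the log line and tests whether the reply direction, DMZ server to VPN client, is exempted. The function names and the two ACL sample lines are constructed for illustration; a host mask (255.255.255.255) on the VPN side would not cover a client such as 10.200.80.143.

```python
import ipaddress
import re

# Flow fields from a %ASA-5-305013 message, in the format quoted on this page.
LOG_RE = re.compile(
    r"%ASA-5-305013:.*Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) denied"
)
# Only the "permit ip NET MASK NET MASK" ACL form used on this page is handled.
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) permit ip "
    r"(?P<snet>[\d.]+) (?P<smask>[\d.]+) (?P<dnet>[\d.]+) (?P<dmask>[\d.]+)"
)

def parse_denied_flow(line):
    """Return the denied flow as a dict, or None if the line is not a 305013 message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["src_ip"] = ipaddress.ip_address(flow["src_ip"])
    flow["dst_ip"] = ipaddress.ip_address(flow["dst_ip"])
    return flow

def exempts_reply(acl_line, flow):
    """True if the NAT 0 ACL matches the reply direction: real server -> VPN client."""
    m = ACL_RE.search(acl_line)
    if m is None:
        raise ValueError("unsupported access-list form: " + acl_line)
    real_side = ipaddress.ip_network(f"{m['snet']}/{m['smask']}")
    vpn_side = ipaddress.ip_network(f"{m['dnet']}/{m['dmask']}")
    return flow["dst_ip"] in real_side and flow["src_ip"] in vpn_side

# Log line as quoted on this page.
LOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
       "Connection for tcp src outside:10.200.80.143/55759 dst DMZ:10.8.1.101/3389 "
       "denied due to NAT reverse path failure")
# Constructed ACL lines: one covering the /24 VPN pool, one with a host mask.
ACL_POOL = "access-list DMZ_ACCESS_FROM_VPN permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.0"
ACL_HOST = "access-list DMZ_ACCESS_FROM_VPN permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.255"

if __name__ == "__main__":
    flow = parse_denied_flow(LOG)
    for acl in (ACL_POOL, ACL_HOST):
        print(exempts_reply(acl, flow), acl)
```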
