ASA Asymmetric NAT

We had a working AnyConnect VPN configured and every client could reach the inside resources. We then put an application in the DMZ, and some vendors needed VPN access to it. When a VPN client tried to reach one of the DMZ servers over RDP (TCP/3389), the ASA logged the following error.

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.200.80.143/55759 dst DMZ:10.8.1.101/3389 denied due to NAT reverse path failure

Looking up the syslog ID on Cisco's site gave a little information, and scouring the net gave some more, but no clear, definitive fix. Thinking about what the ASA was doing and reviewing the NAT rules, I was fairly sure I knew what was happening. The forward flow (VPN client on the outside to the DMZ server) and the return flow (DMZ server back to the VPN client) were matching different NAT rules: the return traffic was being NAT'd on its way out of the DMZ, which we certainly didn't want, so the ASA failed the reverse-path check and dropped the connection. I created a NAT exemption (nat 0) entry on the DMZ interface for DMZ-to-VPN-pool traffic (I'm running 8.2.5 on this particular firewall), and that fixed it.

VPN assigned addresses: 10.200.80.0/24
DMZ address space: 10.8.1.0/24

Commands to resolve:

ASA-VPN-FW(config)# access-list DMZ_ACCESS_FROM_VPN remark Exempt DMZ-to-VPN-pool traffic from NAT (pre-8.3 nat 0 exemption)
ASA-VPN-FW(config)# access-list DMZ_ACCESS_FROM_VPN permit ip 10.8.1.0 255.255.255.0 10.200.80.0 255.255.255.0
ASA-VPN-FW(config)# nat (DMZ) 0 access-list DMZ_ACCESS_FROM_VPN

The ACL is written from the DMZ interface's point of view (source is the DMZ subnet, destination is the VPN pool) because that is the interface the nat 0 statement is bound to. Note the destination mask: the VPN pool is a /24, so it needs 255.255.255.0; a host mask of 255.255.255.255 would only exempt traffic to 10.200.80.0 and the client in the log (10.200.80.143) would still hit the dynamic rule. A nat 0 access-list exemption is bidirectional, so it covers the return flow as well as DMZ-initiated traffic to the pool.
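For readers on 8.3 or later, where `nat 0 access-list` no longer exists, the same exemption is written as an identity twice-NAT rule. The following is an added example and not part of the original post: the object names DMZ_NET and VPN_POOL are my own, and it assumes the interfaces are named DMZ and outside as in the syslog message above. The `object` and `nat` lines go in configuration mode; the `packet-tracer` and `show nat` lines are exec-mode checks that work on both 8.2 and 8.3+ to confirm that the return flow from the DMZ server now matches the exemption instead of a dynamic translation.

```cisco
! 8.3+ equivalent of the nat 0 exemption above (added example; object names are mine)
object network DMZ_NET
 subnet 10.8.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.200.80.0 255.255.255.0
! Identity twice NAT: DMZ hosts keep their real addresses when talking to the
! VPN pool behind the outside interface, and vice versa. Manual NAT rules sit in
! section 1 of the NAT table, so this is evaluated before any dynamic object NAT.
nat (DMZ,outside) source static DMZ_NET DMZ_NET destination static VPN_POOL VPN_POOL
!
! Verification (exec mode, works on 8.2 and 8.3+). Trace the return flow from the
! DMZ server to the VPN client and check the NAT phase of the output: it should
! show the exemption/identity rule, not a dynamic PAT. Addresses are taken from
! the syslog message above.
packet-tracer input DMZ tcp 10.8.1.101 3389 10.200.80.143 55759
! Forward flow as the client sends it (outside to DMZ)
packet-tracer input outside tcp 10.200.80.143 55759 10.8.1.101 3389
! Confirm the rule is present and, on 8.3+, watch translate_hits/untranslate_hits increment
show nat
```

If the packet-tracer output for the DMZ-to-client direction still shows a dynamic NAT rule in the NAT phase, the exemption is either below the dynamic rule in the table or its objects do not cover the addresses in use; fix the ordering or the subnets rather than adding a second rule. On 8.4(2) and later, appending `no-proxy-arp route-lookup` to the `nat` line is commonly done so the ASA does not proxy-ARP for the VPN pool on the DMZ interface and uses the routing table to pick the egress interface; that is an option, not something the original post used.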

3 Comments on “ASA Asymmetric NAT”

  1. Elsa says:

    SUPERB post. Thanks for sharing..more delay.

  2. Beulah says:

    Great post. I'm confronting a couple of these issues.

  3. Aracely says:

    I was waiting for this type of issue. Thank you very much for the place.
