https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022677#M145067 <P>access-list Inside-Access-In extended permit ip object WAPAY01_Payrol_Server any log </P> <P>access-list Outside-R1-In extended permit object-group DM_INLINE_SERVICE_6 any object WAPAY01_Payrol_Server log</P> <P></P> <P>access-list DMZ-Public-In extended permit object-group DM_INLINE_SERVICE_3 object WAPAY01_Payrol_Server any log inactive &nbsp;(this is not in use)</P> <P><BR />NAT<BR />object network WAPAY01_Payrol_Server <BR /> nat (Inside,Outside-R1) static 82.*.*.* &nbsp;( I have taken out the public IP address)</P> <P></P> <P>Hope this helps, also please see screenshot&nbsp;</P> <P></P> <P></P> Thu, 13 Apr 2017 08:02:48 GMT ketansoni1 2017-04-13T08:02:48Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022673#M145050 <PRE class="prettyprint"><SPAN class="pEM_ErrMsg"></SPAN></PRE> <H6 class="pEE_ErrExp">Hi All,</H6> <H6 class="pEE_ErrExp">Would you be able to shed some light on the below error message? &nbsp;If you could look at the screenshot attached, it will show you the current setup. I have set this up using the ASDM, the packet is being denied when going from:&nbsp;</H6> <H6><STRONG>Outside R1 to DMZ 192.168.*.* using TCP port 443 / 80</STRONG></H6> <PRE class="prettyprint"><A name="wp6175477" target="_blank"></A> <SPAN class="pEM_ErrMsg">%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection <EM class="cEmphasis">protocol</EM> src <EM class="cEmphasis">interface_name</EM>:<EM class="cEmphasis">source_address</EM>/<EM class="cEmphasis">source_port </EM>[(<EM class="cEmphasis">idfw_user</EM>)] dst <EM class="cEmphasis">interface_name</EM>:<EM class="cEmphasis">dst_address</EM>/<EM class="cEmphasis">dst_port </EM>[(<EM class="cEmphasis">idfw_user</EM>)] denied due to NAT reverse path failure.</SPAN></PRE> <H6 class="pEE_ErrExp">An attempt to connect to a mapped host using its actual address was rejected.<BR /><BR /><STRONG>The recommend action states:<BR /></STRONG>When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the <B class="cBold">inspect</B> command if the application embeds the IP address.<BR /><BR />Thanks</H6> <P></P> <P></P> <P></P> <P></P> <H6 class="pEE_ErrExp"></H6> <P></P> <P class="pEE_ErrExp"></P> Tue, 12 Mar 2019 09:12:43 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022673#M145050 ketansoni1 2019-03-12T09:12:43Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022674#M145064 <P>From what I can see on the screen shot, your NAT rule is referncing "any,outside" while the server resides in the DMZ.</P> <P>The NAT rule would normally created referencing &nbsp;"dmz,outside".</P> Wed, 12 Apr 2017 10:43:03 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022674#M145064 Marvin Rhoads 2017-04-12T10:43:03Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022675#M145065 <P>Thank you for the quick reply, unfortunately this did not work.</P> <P></P> <P>I have changed the server from being in the DMZ to Inside to no joy, whilst leaving the NAT rules as they were.</P> <P></P> <P>Also changed the NAT rules to dmz public to outside - with no joy, please see attached png</P> Wed, 12 Apr 2017 13:36:04 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022675#M145065 ketansoni1 2017-04-12T13:36:04Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022676#M145066 <P>Hi,</P> <P></P> <P>Could you please share a show run access-list of the acl that is placed in the outside and a show run nat?&nbsp;</P> <P></P> <P>Best regards,</P> Thu, 13 Apr 2017 01:10:35 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022676#M145066 Kornelia Gutierrez 2017-04-13T01:10:35Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022677#M145067 <P>access-list Inside-Access-In extended permit ip object WAPAY01_Payrol_Server any log </P> <P>access-list Outside-R1-In extended permit object-group DM_INLINE_SERVICE_6 any object WAPAY01_Payrol_Server log</P> <P></P> <P>access-list DMZ-Public-In extended permit object-group DM_INLINE_SERVICE_3 object WAPAY01_Payrol_Server any log inactive &nbsp;(this is not in use)</P> <P><BR />NAT<BR />object network WAPAY01_Payrol_Server <BR /> nat (Inside,Outside-R1) static 82.*.*.* &nbsp;( I have taken out the public IP address)</P> <P></P> <P>Hope this helps, also please see screenshot&nbsp;</P> <P></P> <P></P> Thu, 13 Apr 2017 08:02:48 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022677#M145067 ketansoni1 2017-04-13T08:02:48Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022678#M145070 <P>Is your WAPAY01 server on the inside or DMZ subnet?&nbsp;You&nbsp;mention both at various points.&nbsp;I<SPAN>s it multi-homed?</SPAN></P> Fri, 14 Apr 2017 07:32:57 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022678#M145070 Marvin Rhoads 2017-04-14T07:32:57Z https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022679#M145072 <P>It is only on the inside interface. No longer sitting within the DMZ subnet</P> Tue, 18 Apr 2017 07:54:03 GMT https://community.cisco.com/t5/network-security/cisco-asa-5510-denied-due-to-nat-reverse-path-failure/m-p/3022679#M145072 ketansoni1 2017-04-18T07:54:03Z