https://community.cisco.com/t5/network-security/nat-question/m-p/2979495#M149439 <P>we have ASA running 9.6(1).&nbsp;</P> <P></P> <P>the firewall has an outside interface and an inside interface.&nbsp;</P> <P></P> <P>- we manage the servers that are on the inside interface from terminal servers that are from the outside interface.&nbsp;</P> <P></P> <P>- when I add a nat statement =&nbsp;<BR />nat (inside,outside) after-auto source dynamic any interface</P> <P></P> <P>- I can no longer manage the devices on the inside of the firewall from the outside.&nbsp;</P> <P></P> <P>the logs show as follows:</P> <P>Oct 06 2016 11:54:21: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:216.x.x.x dst inside:10.x.x.x (type 8, code 0) denied due to NAT reverse path failure</P> <P></P> <P>any info would be great. Thanks.</P> <P></P> Tue, 12 Mar 2019 08:21:46 GMT christianstp1 2019-03-12T08:21:46Z https://community.cisco.com/t5/network-security/nat-question/m-p/2979495#M149439 <P>we have ASA running 9.6(1).&nbsp;</P> <P></P> <P>the firewall has an outside interface and an inside interface.&nbsp;</P> <P></P> <P>- we manage the servers that are on the inside interface from terminal servers that are from the outside interface.&nbsp;</P> <P></P> <P>- when I add a nat statement =&nbsp;<BR />nat (inside,outside) after-auto source dynamic any interface</P> <P></P> <P>- I can no longer manage the devices on the inside of the firewall from the outside.&nbsp;</P> <P></P> <P>the logs show as follows:</P> <P>Oct 06 2016 11:54:21: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:216.x.x.x dst inside:10.x.x.x (type 8, code 0) denied due to NAT reverse path failure</P> <P></P> <P>any info would be great. Thanks.</P> <P></P> Tue, 12 Mar 2019 08:21:46 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/2979495#M149439 christianstp1 2019-03-12T08:21:46Z https://community.cisco.com/t5/network-security/nat-question/m-p/2979496#M149440 <P>This issue is because packet getting NAT for internal IPs so you have to configure nonat as below</P> <P></P> <P>object-group network Internal-Server</P> <P>&nbsp;&nbsp;host&nbsp; x.x.x.x &nbsp;(se<SPAN>rver IPs that are on the inside interface)</SPAN></P> <P><SPAN>!</SPAN></P> <P>object-group network Terminal-Server</P> <P>&nbsp;&nbsp;host &nbsp;10.x.x.x &nbsp;(<SPAN>terminal </SPAN>se<SPAN>rver IPs that are on the outside&nbsp;interface)</SPAN></P> <P><SPAN>!</SPAN></P> <P><SPAN>nat (inside,outside) 1 source static&nbsp;Internal-<SPAN>Server&nbsp;Internal-<SPAN>Server destination static&nbsp;Terminal-<SPAN>Server&nbsp;Terminal-<SPAN>Server</SPAN></SPAN></SPAN></SPAN></SPAN></P> <P><SPAN></SPAN></P> <P></P> Fri, 07 Oct 2016 04:48:40 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/2979496#M149440 Pawan Raut 2016-10-07T04:48:40Z https://community.cisco.com/t5/network-security/nat-question/m-p/2979497#M149441 <P>Thanks that worked.</P> Fri, 07 Oct 2016 12:07:24 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/2979497#M149441 christianstp1 2016-10-07T12:07:24Z https://community.cisco.com/t5/network-security/nat-question/m-p/2979498#M149442 <P>You are always welcome</P> Fri, 07 Oct 2016 12:10:34 GMT https://community.cisco.com/t5/network-security/nat-question/m-p/2979498#M149442 Pawan Raut 2016-10-07T12:10:34Z