https://community.cisco.com/t5/network-security/nat/m-p/2796266#M174346 <P>Hi Akash,</P> <P>It looks like you have only dynamic PAT in your NAT configuration for this particular IP. So the translation will be one directional only. So if you initate the traffic from outside to inside it will not hit any NAT but the reverse traffic will hit a dynamic PAT hence the incoming NAT and outgoing NAT are difference. So the firewall drops the packet.</P> <P>You can try to configure a static NAT for this specific traffic which should allow you for bidrectional NAT.</P> <P>Thanks,<BR />Shivapramod M<BR />Please remember to select a correct answer and rate helpful posts</P> Fri, 04 Dec 2015 04:18:12 GMT Shivapramod M 2015-12-04T04:18:12Z https://community.cisco.com/t5/network-security/nat/m-p/2796260#M174340 <P>can you tell me what is it mean and how can it get sorted out</P> <P></P> <P>Dec 03 2015 04:08:43 NJSE-CORP-ASA5585-1 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:166.77.235.144 dst inside:166.77.174.123 (type 8, code 0) denied due to NAT reverse path failure</P> Tue, 12 Mar 2019 06:59:08 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796260#M174340 akash.deep 2019-03-12T06:59:08Z https://community.cisco.com/t5/network-security/nat/m-p/2796261#M174341 <P>Hi Akash,</P> <P></P> <P>Looks like different NAT rules are matching for forwardd and reverse path of traffic.</P> <P>You can run packet tracer and check which NAT rule is evaluated for forward and reverse path.</P> <P>Based on the packet tracer output and network requirement you can try to alter the definition or order of nat rule in &nbsp;your netowrk.</P> <P></P> <P>You can share the packet tracer output and nat configuration.</P> <P></P> <P>Thanks,</P> <P>Rishabh Seth</P> <P>Rate helpful posts.</P> Thu, 03 Dec 2015 09:46:55 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796261#M174341 Rishabh Seth 2015-12-03T09:46:55Z https://community.cisco.com/t5/network-security/nat/m-p/2796262#M174342 <P>Post your NAT config and the output of "show nat"</P> Thu, 03 Dec 2015 12:37:26 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796262#M174342 Andre Neethling 2015-12-03T12:37:26Z https://community.cisco.com/t5/network-security/nat/m-p/2796263#M174343 <P>please have a look of nat config</P> <P></P> <DIV class="field field-name-body field-type-text-with-summary field-label-hidden"> <DIV class="field-items"> <DIV class="field-item even"> <DIV> <DIV> <DIV> <P>I am having a issue to undertand the NATTING in ASA, below is the issue which i am having as of now.</P> <P>getting drop:- can you please go through it and let me know what can be the issue</P> <P>packet-tracer input outside tcp 166.77.235.144 2020 166.77.174.123 123<BR /><BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 166.77.35.2 using egress ifc&nbsp; inside<BR /><BR />Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group acl-outside in interface outside<BR />access-list acl-outside extended permit ip host 166.77.235.144 host 166.77.174.123<BR />Additional Information:<BR /><BR />Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 5<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 6<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 7<BR />Type: CONN-SETTINGS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />class-map RT881625<BR />&nbsp;match access-list rt881625-conns-acl<BR />policy-map RT881625-conns<BR />&nbsp;class RT881625<BR />&nbsp; set connection conn-max 0 embryonic-conn-max 0 random-sequence-number enable<BR />service-policy RT881625-conns interface inside<BR />Additional Information:<BR /><BR />Phase: 8<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />object network natobj-166.77.0.0-16<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />Additional Information:<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P>====================</P> <P>nat (inside,outside) source dynamic natobj-via-axciom natobj-axciom-natpool destination static natobj-axiom-nets natobj-axiom-nets<BR />nat (dmz-dot12,outside) source static natobj-src-166.77.12.0-22 natobj-src-166.77.12.0-22 destination static natobj-dst-a2m natobj-dst-a2m<BR />nat (dmz-dot12,outside) source dynamic natobj-src-166.77.12.0-22 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting<BR />nat (dmz-dot9,outside) source dynamic natobj-src-166.77.9.0-24 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting<BR />nat (outside,outside) source dynamic natobj-vpn-pool-uturn pat-pool natobj-default-natpool destination static natobj-dst-nets-uturn natobj-dst-nets-uturn<BR />nat (outside,outside) source static servicenow-natobj-src-nets-uturn servicenow-natobj-src-nets-uturn destination static servicenow-natobj-dst-nets-uturn servicenow-natobj-dst-nets-uturn<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static wordpress-129.228.35.64 wordpress-129.228.35.64<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.0.0 129.228.0.0<BR />nat (inside,outside) source static any any destination static redspace-172.18.0.80 redspace-172.18.0.80<BR />nat (inside,outside) source dynamic natobj-src-oneoffs pat-pool natobj-global-oneoffs<BR />nat (inside,outside) source dynamic any pat-pool natobj-global-oneoffs destination static natobj-dst-oneoffs natobj-dst-oneoffs<BR />nat (outside,outside) source static VPN_Hairpin VPN_Hairpin destination static VPN_Hairpin VPN_Hairpin<BR />nat (inside,outside) source static natobj-src-tacacs natobj-src-tacacs destination static natobj-dst-tacas-devices natobj-dst-tacas-devices<BR />nat (inside,outside) source static singapore-dr-us singapore-dr-us destination static singapore-dr-asia singapore-dr-asia<BR />nat (dmz-dot12,outside) source static natobj-src-a2m natobj-src-a2m destination static natobj-dst-a2m natobj-dst-a2m route-lookup<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan-new natobj-dst-vpn-lan-to-lan-new<BR />nat (dmz-dot8,outside) source static natobj-src-larsentoubro-local natobj-src-larsentoubro-local destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan natobj-dst-vpn-lan-to-lan<BR />nat (inside,outside) source static natobj-src-network-tools natobj-src-network-tools destination static natobj-dst-network-devices natobj-dst-network-devices<BR />nat (inside,outside) source static pp-cl1-10-6-0-0 pp-cl1-10-6-0-0 destination static pp-bet-172-20-20-0 pp-bet-172-20-20-0<BR />nat (inside,dmz-paramount) source static obj-1515-52fl-printers obj-1515-52fl-printers destination static obj-ppc-192-168-148-0 obj-ppc-192-168-148-0<BR />nat (inside,outside) source static obj-10-0-0-0-24 obj-10-0-0-0-24 destination static obj-no-nat-bet obj-no-nat-bet<BR />nat (inside,dmz-paramount) source static obj-no-nat-to-ppc obj-no-nat-to-ppc destination static obj-ppc-no-nat obj-ppc-no-nat<BR />nat (inside,outside) source static natobj-172.16.0.0-12 166.77.6.4 destination static SterlingASA SterlingASA<BR />nat (inside,dmz-paramount) source dynamic any interface<BR />nat (inside,outside) source static natobj-166.77.0.0-16 166.77.6.4 destination static SterlingASA SterlingASA<BR />nat (inside,outside) source static xbox-166.77.216.203 xbox-166.77.216.203<BR />nat (inside,outside) source static xbox-216-184 xbox-public-6-218<BR />nat (inside,outside) source dynamic any pat-pool nielsen-vpn-local destination static nielsen-vpn-remote nielsen-vpn-remote<BR />nat (inside,dmz-paramount) source static natobj-src-viacom-no-nat natobj-src-viacom-no-nat destination static natobj-dst-paramount-no-nat natobj-dst-paramount-no-nat<BR />nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.235 69.195.244.235<BR />nat (inside,outside) source static 166.77.200.57 166.77.200.57 destination static 69.195.244.235 69.195.244.235<BR />nat (inside,dmz-dot5) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot7) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot9) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot11) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot12) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,outside) source static 166.77.186.224 166.77.186.224 destination static 69.195.244.238 69.195.244.238<BR />nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.238 69.195.244.238<BR />nat (inside,outside) source static 166.77.199.147 166.77.199.147 destination static 172.20.90.0 172.20.90.0<BR />nat (inside,outside) source static 166.77.199.223 166.77.199.223 destination static 172.20.90.0 172.20.90.0<BR />nat (inside,outside) source static NATPOOL-166.77.35.128 NATPOOL-166.77.35.128 destination static 69.195.244.235 69.195.244.235<BR />nat (dmz-lb-dmz,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote<BR />nat (inside,outside) source static 10.40.122.20 10.40.122.20 destination static SterlingDECRU SterlingDECRU<BR />nat (inside,outside) source static 10.40.122.21 10.40.122.21 destination static SterlingDECRU SterlingDECRU<BR />nat (inside,outside) source dynamic any pat-pool natobj-global-bluejeans destination static GLB-bluejeans-nets GLB-bluejeans-nets<BR />nat (inside,outside) source static any any destination static NETWORK_OBJ_172.18.251.0_24 NETWORK_OBJ_172.18.251.0_24 no-proxy-arp route-lookup<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-aws-servers natobj-dst-aws-servers<BR />nat (inside,outside) source static Jenkins_Server Jenkins_Server destination static DMQA_Network DMQA_Network<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.31.145 129.228.31.145<BR />nat (inside,outside) source static VPN-Wireless_Pools-DMQA VPN-Wireless_Pools-DMQA destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.13 obj_166.77.185.13 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.14 obj_166.77.185.14 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.15 obj_166.77.185.15 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.123 obj_166.77.185.123 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.124 obj_166.77.185.124 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.206.28 obj_166.77.206.28 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static natobj-src-sap natobj-src-sap<BR />nat (inside,outside) source static natobj-src-sap natobj-src-sap destination static natobj-src-sap natobj-src-sap<BR />nat (inside,outside) source static obj_imailrelay-server obj_imailrelay-server destination static DMQA_Router DMQA_Router<BR />!<BR />object network natobj-172.18.3.0-25<BR />&nbsp;nat (dmz-corpvpn,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-10.10.4.0-24<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-192.21.120.0-23<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-166.77.0.0-16</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Fri, 04 Dec 2015 02:09:37 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796263#M174343 akash.deep 2015-12-04T02:09:37Z https://community.cisco.com/t5/network-security/nat/m-p/2796264#M174344 <DIV class="field field-name-body field-type-text-with-summary field-label-hidden"> <DIV class="field-items"> <DIV class="field-item even"> <DIV> <DIV> <DIV> <P>I am having a issue to undertand the NATTING in ASA, below is the issue which i am having as of now.</P> <P>getting drop:- can you please go through it and let me know what can be the issue</P> <P>packet-tracer input outside tcp 166.77.235.144 2020 166.77.174.123 123<BR /><BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 166.77.35.2 using egress ifc&nbsp; inside<BR /><BR />Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group acl-outside in interface outside<BR />access-list acl-outside extended permit ip host 166.77.235.144 host 166.77.174.123<BR />Additional Information:<BR /><BR />Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 5<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 6<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 7<BR />Type: CONN-SETTINGS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />class-map RT881625<BR />&nbsp;match access-list rt881625-conns-acl<BR />policy-map RT881625-conns<BR />&nbsp;class RT881625<BR />&nbsp; set connection conn-max 0 embryonic-conn-max 0 random-sequence-number enable<BR />service-policy RT881625-conns interface inside<BR />Additional Information:<BR /><BR />Phase: 8<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />object network natobj-166.77.0.0-16<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />Additional Information:<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> <P>====================</P> <P>nat (inside,outside) source dynamic natobj-via-axciom natobj-axciom-natpool destination static natobj-axiom-nets natobj-axiom-nets<BR />nat (dmz-dot12,outside) source static natobj-src-166.77.12.0-22 natobj-src-166.77.12.0-22 destination static natobj-dst-a2m natobj-dst-a2m<BR />nat (dmz-dot12,outside) source dynamic natobj-src-166.77.12.0-22 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting<BR />nat (dmz-dot9,outside) source dynamic natobj-src-166.77.9.0-24 natobj-global-nat destination static natobj-dst-hosting natobj-dst-hosting<BR />nat (outside,outside) source dynamic natobj-vpn-pool-uturn pat-pool natobj-default-natpool destination static natobj-dst-nets-uturn natobj-dst-nets-uturn<BR />nat (outside,outside) source static servicenow-natobj-src-nets-uturn servicenow-natobj-src-nets-uturn destination static servicenow-natobj-dst-nets-uturn servicenow-natobj-dst-nets-uturn<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static wordpress-129.228.35.64 wordpress-129.228.35.64<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.0.0 129.228.0.0<BR />nat (inside,outside) source static any any destination static redspace-172.18.0.80 redspace-172.18.0.80<BR />nat (inside,outside) source dynamic natobj-src-oneoffs pat-pool natobj-global-oneoffs<BR />nat (inside,outside) source dynamic any pat-pool natobj-global-oneoffs destination static natobj-dst-oneoffs natobj-dst-oneoffs<BR />nat (outside,outside) source static VPN_Hairpin VPN_Hairpin destination static VPN_Hairpin VPN_Hairpin<BR />nat (inside,outside) source static natobj-src-tacacs natobj-src-tacacs destination static natobj-dst-tacas-devices natobj-dst-tacas-devices<BR />nat (inside,outside) source static singapore-dr-us singapore-dr-us destination static singapore-dr-asia singapore-dr-asia<BR />nat (dmz-dot12,outside) source static natobj-src-a2m natobj-src-a2m destination static natobj-dst-a2m natobj-dst-a2m route-lookup<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan-new natobj-dst-vpn-lan-to-lan-new<BR />nat (dmz-dot8,outside) source static natobj-src-larsentoubro-local natobj-src-larsentoubro-local destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-vpn-lan-to-lan natobj-dst-vpn-lan-to-lan<BR />nat (inside,outside) source static natobj-src-network-tools natobj-src-network-tools destination static natobj-dst-network-devices natobj-dst-network-devices<BR />nat (inside,outside) source static pp-cl1-10-6-0-0 pp-cl1-10-6-0-0 destination static pp-bet-172-20-20-0 pp-bet-172-20-20-0<BR />nat (inside,dmz-paramount) source static obj-1515-52fl-printers obj-1515-52fl-printers destination static obj-ppc-192-168-148-0 obj-ppc-192-168-148-0<BR />nat (inside,outside) source static obj-10-0-0-0-24 obj-10-0-0-0-24 destination static obj-no-nat-bet obj-no-nat-bet<BR />nat (inside,dmz-paramount) source static obj-no-nat-to-ppc obj-no-nat-to-ppc destination static obj-ppc-no-nat obj-ppc-no-nat<BR />nat (inside,outside) source static natobj-172.16.0.0-12 166.77.6.4 destination static SterlingASA SterlingASA<BR />nat (inside,dmz-paramount) source dynamic any interface<BR />nat (inside,outside) source static natobj-166.77.0.0-16 166.77.6.4 destination static SterlingASA SterlingASA<BR />nat (inside,outside) source static xbox-166.77.216.203 xbox-166.77.216.203<BR />nat (inside,outside) source static xbox-216-184 xbox-public-6-218<BR />nat (inside,outside) source dynamic any pat-pool nielsen-vpn-local destination static nielsen-vpn-remote nielsen-vpn-remote<BR />nat (inside,dmz-paramount) source static natobj-src-viacom-no-nat natobj-src-viacom-no-nat destination static natobj-dst-paramount-no-nat natobj-dst-paramount-no-nat<BR />nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.235 69.195.244.235<BR />nat (inside,outside) source static 166.77.200.57 166.77.200.57 destination static 69.195.244.235 69.195.244.235<BR />nat (inside,dmz-dot5) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot7) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot9) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot11) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,dmz-dot12) source static RFC-1918-Addresses RFC-1918-Addresses destination static DMZ-Networks DMZ-Networks<BR />nat (inside,outside) source static 166.77.186.224 166.77.186.224 destination static 69.195.244.238 69.195.244.238<BR />nat (inside,outside) source static natobj-src-166.77.200.105 natobj-src-166.77.200.105 destination static 69.195.244.238 69.195.244.238<BR />nat (inside,outside) source static 166.77.199.147 166.77.199.147 destination static 172.20.90.0 172.20.90.0<BR />nat (inside,outside) source static 166.77.199.223 166.77.199.223 destination static 172.20.90.0 172.20.90.0<BR />nat (inside,outside) source static NATPOOL-166.77.35.128 NATPOOL-166.77.35.128 destination static 69.195.244.235 69.195.244.235<BR />nat (dmz-lb-dmz,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-larsentoubro-remote natobj-dst-larsentoubro-remote<BR />nat (inside,outside) source static 10.40.122.20 10.40.122.20 destination static SterlingDECRU SterlingDECRU<BR />nat (inside,outside) source static 10.40.122.21 10.40.122.21 destination static SterlingDECRU SterlingDECRU<BR />nat (inside,outside) source dynamic any pat-pool natobj-global-bluejeans destination static GLB-bluejeans-nets GLB-bluejeans-nets<BR />nat (inside,outside) source static any any destination static NETWORK_OBJ_172.18.251.0_24 NETWORK_OBJ_172.18.251.0_24 no-proxy-arp route-lookup<BR />nat (inside,outside) source static natobj-src-local-nets natobj-src-local-nets destination static natobj-dst-aws-servers natobj-dst-aws-servers<BR />nat (inside,outside) source static Jenkins_Server Jenkins_Server destination static DMQA_Network DMQA_Network<BR />nat (outside,outside) source static redspace-172.18.0.80 default-natpool-1 destination static 129.228.31.145 129.228.31.145<BR />nat (inside,outside) source static VPN-Wireless_Pools-DMQA VPN-Wireless_Pools-DMQA destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.13 obj_166.77.185.13 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.14 obj_166.77.185.14 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.15 obj_166.77.185.15 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.123 obj_166.77.185.123 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.185.124 obj_166.77.185.124 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static obj_166.77.206.28 obj_166.77.206.28 destination static DMQA_Router DMQA_Router<BR />nat (inside,outside) source static natobj-src-sap natobj-src-sap<BR />nat (inside,outside) source static natobj-src-sap natobj-src-sap destination static natobj-src-sap natobj-src-sap<BR />nat (inside,outside) source static obj_imailrelay-server obj_imailrelay-server destination static DMQA_Router DMQA_Router<BR />!<BR />object network natobj-172.18.3.0-25<BR />&nbsp;nat (dmz-corpvpn,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-10.10.4.0-24<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-192.21.120.0-23<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />object network natobj-166.77.0.0-16</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Fri, 04 Dec 2015 02:09:59 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796264#M174344 akash.deep 2015-12-04T02:09:59Z https://community.cisco.com/t5/network-security/nat/m-p/2796265#M174345 <P>Can you please post the output of "show nat"</P> Fri, 04 Dec 2015 04:16:03 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796265#M174345 Andre Neethling 2015-12-04T04:16:03Z https://community.cisco.com/t5/network-security/nat/m-p/2796266#M174346 <P>Hi Akash,</P> <P>It looks like you have only dynamic PAT in your NAT configuration for this particular IP. So the translation will be one directional only. So if you initate the traffic from outside to inside it will not hit any NAT but the reverse traffic will hit a dynamic PAT hence the incoming NAT and outgoing NAT are difference. So the firewall drops the packet.</P> <P>You can try to configure a static NAT for this specific traffic which should allow you for bidrectional NAT.</P> <P>Thanks,<BR />Shivapramod M<BR />Please remember to select a correct answer and rate helpful posts</P> Fri, 04 Dec 2015 04:18:12 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796266#M174346 Shivapramod M 2015-12-04T04:18:12Z https://community.cisco.com/t5/network-security/nat/m-p/2796267#M174347 <P>acket-tracer input outside tcp 166.77.235.144 2020 166.77.174.123 123<BR /><BR />Phase: 1<BR />Type: ROUTE-LOOKUP<BR />Subtype: Resolve Egress Interface<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />found next-hop 166.77.35.2 using egress ifc&nbsp; inside<BR /><BR />Phase: 2<BR />Type: ACCESS-LIST<BR />Subtype: log<BR />Result: ALLOW<BR />Config:<BR />access-group acl-outside in interface outside<BR />access-list acl-outside extended permit ip host 166.77.235.144 host 166.77.174.123<BR />Additional Information:<BR /><BR />Phase: 3<BR />Type: NAT<BR />Subtype: per-session<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 4<BR />Type: IP-OPTIONS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 5<BR />Type: FOVER<BR />Subtype: standby-update<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 6<BR />Type: VPN<BR />Subtype: ipsec-tunnel-flow<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR /><BR />Phase: 7<BR />Type: CONN-SETTINGS<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />class-map RT881625<BR />&nbsp;match access-list rt881625-conns-acl<BR />policy-map RT881625-conns<BR />&nbsp;class RT881625<BR />&nbsp; set connection conn-max 0 embryonic-conn-max 0 random-sequence-number enable<BR />service-policy RT881625-conns interface inside<BR />Additional Information:<BR /><BR />Phase: 8<BR />Type: NAT<BR />Subtype: rpf-check<BR />Result: DROP<BR />Config:<BR />object network natobj-166.77.0.0-16<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool<BR />Additional Information:<BR /><BR />Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Fri, 04 Dec 2015 04:22:47 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796267#M174347 akash.deep 2015-12-04T04:22:47Z https://community.cisco.com/t5/network-security/nat/m-p/2796268#M174348 <P>his NAT rule below, as per your packet tracer output is matching your traffic from inside to outside.</P> <P><STRONG></STRONG><STRONG>object network natobj-166.77.0.0-16<BR />&nbsp;nat (inside,outside) dynamic pat-pool natobj-default-natpool</STRONG></P> <P>This could be your issue.</P> Fri, 04 Dec 2015 04:30:32 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796268#M174348 Andre Neethling 2015-12-04T04:30:32Z https://community.cisco.com/t5/network-security/nat/m-p/2796269#M174349 <P>you mena if i can use the identify nat it should work like as below</P> <P></P> <P>nat (inside,outside) source static 166.77.174.123 166.77.174.123</P> Fri, 04 Dec 2015 06:52:27 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796269#M174349 akash.deep 2015-12-04T06:52:27Z https://community.cisco.com/t5/network-security/nat/m-p/2796270#M174350 <P>Hi Akash,</P> <P></P> <P>Yes you can try nat exemption or you can configure a static nat with a mpped ip and the real IP as&nbsp;<SPAN>166.77.174.123. This should resolve the issue.</SPAN></P> <P><SPAN></SPAN>sample config:</P> <P>object network obj-test<BR /> host 166.77.174.123</P> <P>nat (inside,outside) source static obj-test obj-test</P> <P><SPAN></SPAN></P> <P><SPAN>Thanks,<BR />Shivapramod M<BR />Please remember to select a correct answer and rate helpful posts</SPAN></P> Fri, 04 Dec 2015 07:03:22 GMT https://community.cisco.com/t5/network-security/nat/m-p/2796270#M174350 Shivapramod M 2015-12-04T07:03:22Z