https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089378#M392580 <HTML><HEAD></HEAD><BODY><P>Yes, that is the correct way to do it. Spot on..</P></BODY></HTML> Sat, 19 Jan 2013 14:01:56 GMT Jennifer Halim 2013-01-19T14:01:56Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089370#M392547 <P>Hi all,</P><P></P><P>I've got what is probably a very basic question - but i can't figure it out.</P><P></P><P>I have:</P><P></P><P>Internet (ADSL) -&gt; 2851 (ADSL wic) -&gt; 5520 -&gt; internal LAN (192.168.1.x/24)</P><P></P><P>The asa has just replaced a Checkpoint firewall.</P><P></P><P>I've set up the ASA to the point where all hosts on the internal LAN have internet access (using a dynamic PAT on that network).&nbsp; This all works well.</P><P></P><P>The problem i have is i am trying to allow access from the internet to an internal host on a specifc TCP port (as i had done on the Checkpoint) but i'm getting:</P><P></P><P>Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:111.111.111.11/52135 dst inside:192.168.1.252/5555 denied due to NAT reverse path failure</P><P></P><P>From what i have read i need to add a NAT exemption for this particular use case - to avoid the dynamic NAT i have setup, but im not sure how to do so.</P><P></P><P>I'm running 9.1 on the ASA, no VPNs yet.&nbsp; Just this basic setup.</P><P></P><P>Could someone help me out?</P><P></P><P>Cheers,</P><P></P><P>Scotty</P> Tue, 12 Mar 2019 00:49:08 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089370#M392547 mrskater99 2019-03-12T00:49:08Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089371#M392554 <HTML><HEAD></HEAD><BODY><P>Have you "clear xlate" after the changes or addition to the new static rule that you have configured?</P><P>Also, can you share what you have configured for both the dynamic and the static NAT.</P><P></P><P>Thanks.</P></BODY></HTML> Sat, 19 Jan 2013 07:42:27 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089371#M392554 Jennifer Halim 2013-01-19T07:42:27Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089372#M392559 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>The ASA only contains the single dynamic NAT:</P><P></P><P>nat (inside,outside) dynamic interface</P><P></P><P>The static NAT is on the 2851 in front of the ASA (on the outside interface):</P><P></P><P>ip nat inside source static tcp 192.168.1.252 5555 interface Dialer1 5555</P><P></P><P></P><P>I'm not sure what the NATexemption on the ASA should look like to make this work.</P><P></P><P>Cheers,</P><P></P><P>Scotty</P></BODY></HTML> Sat, 19 Jan 2013 08:27:05 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089372#M392559 mrskater99 2013-01-19T08:27:05Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089373#M392562 <HTML><HEAD></HEAD><BODY><P>ahhh, yes, you would need nat exemption on the ASA and also the router should have route for 192.168.1.252 pointing towards the ASA outside interface IP.</P><P></P><P>The NAT exemption will be as follows:</P><P></P><P>object network obj-192.168.1.252</P><P>&nbsp;&nbsp; host 192.168.1.252</P><P>nat (inside,outside) source static obj-192.168.1.252 obj-192.168.1.252</P><P></P><P>Then "clear xlate"</P><P></P><P>Hope that helps.</P></BODY></HTML> Sat, 19 Jan 2013 08:40:53 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089373#M392562 Jennifer Halim 2013-01-19T08:40:53Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089374#M392567 <HTML><HEAD></HEAD><BODY><P>Thanks so much!&nbsp; Works perfectly!</P></BODY></HTML> Sat, 19 Jan 2013 08:45:59 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089374#M392567 mrskater99 2013-01-19T08:45:59Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089375#M392569 <HTML><HEAD></HEAD><BODY><P>Excellent, thanks for the update.</P></BODY></HTML> Sat, 19 Jan 2013 08:49:44 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089375#M392569 Jennifer Halim 2013-01-19T08:49:44Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089376#M392572 <HTML><HEAD></HEAD><BODY><P>Sorry Jennifer - that allows connections into 192.168.1.252 from the internet - but .252 has now lost access to the internet (ie the dynamic NAT for the internal Network).</P><P></P><P>Is there a way to achieve both?</P></BODY></HTML> Sat, 19 Jan 2013 08:52:27 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089376#M392572 mrskater99 2013-01-19T08:52:27Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089377#M392576 <HTML><HEAD></HEAD><BODY><P>Ok so i got this working by doing the following to narrow down the NAT exemption to only be the traffic on 5555:</P><P></P><P><STRONG>nat (inside,outside) source static xbmc-lounge xbmc-lounge service xxx-custom-out xxx-custom-out</STRONG></P><P></P><P>where xxx-custom-out is src 5555 dest any</P><P></P><P>Is this the correct way of doing this though???</P></BODY></HTML> Sat, 19 Jan 2013 11:00:26 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089377#M392576 mrskater99 2013-01-19T11:00:26Z https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089378#M392580 <HTML><HEAD></HEAD><BODY><P>Yes, that is the correct way to do it. Spot on..</P></BODY></HTML> Sat, 19 Jan 2013 14:01:56 GMT https://community.cisco.com/t5/network-security/basic-asa-question/m-p/2089378#M392580 Jennifer Halim 2013-01-19T14:01:56Z