Hello All,
I have a source dynamic NAT rule in place to translate all traffic from INSIDE (sec-lvl 100) to PRIVATE DMZ (sec-lvl 80) with translation to a specific new source IP (not the IF IP):
nat (fw-inside,fw-prv) source dynamic GRP_NAT_INSIDELAN NAT-LAN-NEW-IP1 destination static NET_PRV_DMZ NET_PRV_DMZ description [#R-TRx]
object network NAT-LAN-NEW-IP1
host XX.XX.XX.XX
But all connection attempts from PRIVATE DMZ to INSIDE are now BLOCKED with the message:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure
My requirement is:
Dyn. PAT/NAT from INSIDE to PRV_DMZ, but NO NAT for sessions from PRV_DMZ to INSIDE. It is easy and straightforward to configure this on a Checkpoint FW-1 system, because the CP FW-1 is not checking the reverse path for NAT. How do I achieve the same on a Cisco ASA5585-SSP10 with Ver. 8.4(2)8 installed?
Kind Regards,
HMiku
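As an added example (not part of the original post or Cisco's own tooling), a small Python parser for the %ASA-5-305013 message quoted above: it turns each "NAT reverse path failure" denial into structured fields and counts the denied flows per interface pair and destination port, so a blanket block like the one described (every PRV_DMZ to INSIDE session failing on the same NAT rule) stands out in the syslog. The sample log lines are constructed from the message in the post.

```python
import re
from collections import Counter

# Pattern for the ASA-5-305013 message as it appears in the post; ASA syslog lines
# may carry a timestamp or hostname prefix, so search() rather than match() is used.
ASA_305013 = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)


def parse_305013(line):
    """Return the flow fields of a 305013 denial as a dict, or None for any other message."""
    m = ASA_305013.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def summarize_reverse_path_failures(lines):
    """Count 305013 denials per (src_ifc, dst_ifc, proto, dst_port).

    A single key with a high count points at one NAT rule whose reverse flow
    does not match the forward flow, which is exactly the situation in the post.
    """
    counts = Counter()
    for line in lines:
        rec = parse_305013(line)
        if rec is not None:
            counts[(rec["src_ifc"], rec["dst_ifc"], rec["proto"], rec["dst_port"])] += 1
    return counts


# Constructed sample log: the line from the post, a repeat from another client port,
# a second DMZ host, and an unrelated message that must be ignored.
SAMPLE_LOG = [
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "Jan 01 12:00:01 fw01 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4460 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "Jan 01 12:00:02 fw01 %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.101/5001 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "Jan 01 12:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 1 for fw-prv:192.168.95.100/80 (192.168.95.100/80) to fw-inside:172.28.100.55/443 (172.28.100.55/443)",
]

if __name__ == "__main__":
    for key, n in summarize_reverse_path_failures(SAMPLE_LOG).items():
        print(n, "denied flow(s):", key)
```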