I have this configuration on my structure

Outside1     93.63.x.x         primary internet connection (WAN)

Outside2    85.33.x.x          backup internet connection if primary down

inside        200.1.1.3          Local network connection (LAN)

DMZ          30.30.30.10      Security zone (mail server and http server location)

when i try to go to my website (www.lamaddalexxxxxxx.xx) from the machine that exit to internet using 200.1.1.3 the firewal make this error

Asymmetric NAT rules matched for forward and reverse flow; Connection protocol src interface_name:source_address/source_port destinterface_name:dest_address/dest_port

denied due NAT reverse path failure.

An attempt to connect to a mapped host using its actual address war reject.

in Detail the error is

Asymmetric NAT rules matched for forward and reverse flows; connection for tcp src inside:(pc_name)/43799 dst DMZ:30.30.30.30/80 denied due to NAT reverse path failure

this is my running-config

: Saved
:
ASA Version 8.2(2)
!
name 200.1.x.x yyyyy

---
dns-guard
!
interface Ethernet0/0
nameif outside1
security-level 0
ip address 93.63.x.x 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 200.1.1.3 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 30.30.30.10 255.255.255.0
!
interface Ethernet0/3
nameif outside2
security-level 0
ip address 85.33.x.x 255.255.255.248
!
interface Management0/0
nameif management
security-level 90
ip address 10.0.0.1 255.255.255.0
!
regex domainlist1 "\.myspace\.com"
regex Youtube "\.youtube\.com"
regex myspace "\.myspace\.com"
regex facebook "\.facebook\.com"
regex applicationheader "application/.*"
regex contenttype "Content-Type"
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside1
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup outside2
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj-93.63.x.x
object-group network obj_any
object-group network obj_any-01
object-group network obj_any-02
object-group network obj-30.30.30.30-06
object-group network obj-30.30.30.30-07
object-group network obj_any-03
object-group network obj_any-04
object-group network obj_any-05
----
object-group service internet
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq 3389
service-object tcp eq 32000
service-object tcp eq imap4
service-object tcp eq 2703
service-object tcp eq domain
service-object tcp eq hostname
service-object tcp-udp eq 995
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service posta tcp
description posta
port-object eq pop3
port-object eq smtp
port-object eq 32000
port-object eq 995
object-group network Admin
---
object-group network Amministrazione
description Pool ip amministrazione
network-object host XXX
----
group-object Admin
-----
object-group service DM_INLINE_SERVICE_1
service-object ip
group-object internet
object-group service DM_INLINE_SERVICE_2
service-object ip
group-object internet
object-group service DM_INLINE_SERVICE_3
service-object ip
group-object internet
object-group service DM_INLINE_SERVICE_4
service-object ip
group-object internet
access-list DMZ_access_in extended permit object-group internet any any inactive
access-list DMZ_access_in extended permit ip host 30.30.30.30 any
access-list DMZ_access_in extended permit ip 200.1.0.0 255.255.0.0 host 30.30.30.30
access-list DMZ_access_in extended permit ip host 30.30.30.20 any
access-list DMZ_access_in extended permit object-group internet 93.63.x.y 255.255.255.248 host 30.30.30.30
access-list inside_mpc extended permit object-group TCPUDP any any eq www inactive
access-list outside1_mpc extended permit object-group TCPUDP any any eq www inactive
access-list inside_mpc_1 extended permit tcp object-group Amministrazione any eq www inactive
access-list inside_nat0_outbound extended permit ip any 200.1.100.96 255.255.255.224
access-list outside1_access_in remark Migration: End of expansion
access-list outside1_access_in extended permit object-group internet any host 93.63.x.x
access-list outside1_access_in remark Migration: End of expansion
access-list outside1_access_in extended permit object-group internet any object-group Amministrazione
access-list inside_access_in remark Migration: End of expansion
access-list inside_access_in extended permit ip object-group Amministrazione any
access-list inside_access_in remark Migration: End of expansion
access-list inside_access_in extended permit object-group internet object-group Amministrazione any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host Prestano inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 93.63.x.y 255.255.255.248
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 85.33.x.x 255.255.255.248
access-list inside_access_in extended permit object-group internet any host 30.30.30.30
access-list inside_access_in extended permit object-group internet host 30.30.30.30 200.1.0.0 255.255.0.0
access-list inside_access_in extended permit object-group internet object-group Amministrazione host 30.30.30.30
access-list inside_access_in extended permit ip 200.1.0.0 255.255.0.0 200.1.100.96 255.255.255.224
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 host Prestano any inactive
access-list outside2_access_in remark Migration: End of expansion
access-list outside2_access_in extended permit object-group internet any host 85.33.x.x
access-list test standard permit 200.1.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside2 1500
mtu management 1500
ip local pool VPNmedark 200.1.100.100-200.1.100.120 mask 255.255.0.0
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside1
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
global (outside1) 101 interface
global (inside) 2 interface
global (DMZ) 1 30.30.30.30-30.30.30.50 netmask 255.0.0.0
global (outside2) 101 interface
nat (inside) 101 200.1.0.0 255.255.0.0
nat (DMZ) 101 30.30.30.20 255.255.255.255
nat (DMZ) 101 30.30.30.30 255.255.255.255
static (DMZ,outside1) tcp interface www 30.30.30.30 www netmask 255.255.255.255
static (DMZ,outside1) tcp interface smtp 30.30.30.30 smtp netmask 255.255.255.255
static (DMZ,outside1) tcp interface pop3 30.30.30.30 pop3 netmask 255.255.255.255
static (DMZ,outside1) tcp interface 32000 30.30.30.30 32000 netmask 255.255.255.255
static (DMZ,outside1) tcp interface imap4 30.30.30.30 imap4 netmask 255.255.255.255
static (DMZ,outside1) tcp interface 3389 30.30.30.30 3389 netmask 255.255.255.255
static (DMZ,outside1) tcp interface sip 30.30.30.30 sip netmask 255.255.255.255
static (inside,DMZ) 200.1.0.0 200.1.0.0 netmask 255.255.0.0
static (DMZ,inside) 93.63.167.220 30.30.30.30 netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside2_access_in in interface outside2
route outside1 0.0.0.0 0.0.0.0 93.63.x.y 1 track 1
route outside2 0.0.0.0 0.0.0.0 85.x.x.x 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.192.168 255.255.255.255 management
http 192.168.192.169 255.255.255.255 management
http Enia 255.255.255.255 inside
http La_Manno 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 85.18.200.200 interface outside1
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map esterna_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map esterna_map interface outside1
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto ca server
shutdown
smtp from-address admin@ciscoasa.null
crypto isakmp enable outside1
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet Garrincha 255.255.255.255 inside
telnet timeout 5
ssh Enia 255.255.255.255 inside
ssh timeout 5
console timeout 0
management-access management
priority-queue DMZ
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
  svc ask enable default webvpn
group-policy Medarchiver internal
group-policy Medarchiver attributes
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test
default-domain none
intercept-dhcp disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools value VPNmedark
smartcard-removal-disconnect enable
client-firewall none
webvpn
  url-list none
  filter none
  port-forward disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc compression none
  svc modules none
  svc ask enable default webvpn
  keep-alive-ignore 4
  http-comp gzip
  user-storage none
  storage-objects value credentials,cookies
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  smart-tunnel auto-signon disable
  svc df-bit-ignore disable
  svc routing-filtering-ignore disable
---
service-type remote-access
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group LaMaddalena type remote-access
tunnel-group LaMaddalena general-attributes
address-pool VPNmedark
tunnel-group LaMaddalena ipsec-attributes
pre-shared-key *****
tunnel-group medarchiver type remote-access
tunnel-group medarchiver general-attributes
address-pool VPNmedark
tunnel-group medarchiver ipsec-attributes
pre-shared-key *****
!
class-map FACEBOOK
match access-list outside1_mpc
class-map type regex match-any DomainBlockList
match regex facebook
match regex myspace
match regex Youtube
class-map rallenta
match access-list inside_mpc_1
class-map DMZ-class
match any
class-map type inspect http match-all BlockDomainClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match request header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect http http_inspection_policy
parameters
  protocol-violation action drop-connection
match request method connect
  drop-connection log
class AppHeaderClass
  drop-connection log
class BlockDomainClass
  reset log
policy-map type inspect http http_rallenta_siti
parameters
  protocol-violation action drop-connection
class BlockDomainClass
  log
policy-map FACEBOOK
class FACEBOOK
  inspect http http_rallenta_siti
  police input 32000 1500
  police output 32000 1500
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map inside-policy
class httptraffic
  inspect http http_rallenta_siti
  police input 32000 1500
  police output 32000 1500
class rallenta
  inspect http http_rallenta_siti
  police input 16000 1500
policy-map DMZ-policy
class DMZ-class
  inspect http
  priority
  set connection conn-max 256 per-client-max 50
!
service-policy global_policy global
service-policy FACEBOOK interface outside1
service-policy inside-policy interface inside
service-policy DMZ-policy interface DMZ
prompt hostname context
service call-home
---
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
profile profile0
  no active
---
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group configuration export full
Cryptochecksum:f619d3adf0cfdda948a9f736818c7386
: end