04-12-2017 02:53 AM - edited 03-12-2019 02:12 AM
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to NAT reverse path failure.
04-12-2017 03:43 AM
From what I can see on the screen shot, your NAT rule is referencing "any,outside" while the server resides in the DMZ.
The NAT rule would normally be created referencing "dmz,outside".
04-12-2017 06:36 AM
Thank you for the quick reply, unfortunately this did not work.
I have changed the server from being in the DMZ to Inside to no joy, whilst leaving the NAT rules as they were.
Also changed the NAT rules to dmz public to outside - with no joy, please see attached png
04-12-2017 06:10 PM
Hi,
Could you please share a show run access-list of the acl that is placed in the outside and a show run nat?
Best regards,
04-13-2017 01:02 AM
access-list Inside-Access-In extended permit ip object WAPAY01_Payrol_Server any log
access-list Outside-R1-In extended permit object-group DM_INLINE_SERVICE_6 any object WAPAY01_Payrol_Server log
access-list DMZ-Public-In extended permit object-group DM_INLINE_SERVICE_3 object WAPAY01_Payrol_Server any log inactive (this is not in use)
NAT
object network WAPAY01_Payrol_Server 
 nat (Inside,Outside-R1) static 82.*.*.*  ( I have taken out the public IP address)
Hope this helps, also please see screenshot
04-14-2017 12:32 AM
Is your WAPAY01 server on the inside or DMZ subnet? You mention both at various points. Is it multi-homed?
04-18-2017 12:54 AM
It is only on the inside interface. No longer sitting within the DMZ subnet
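The diagnosis earlier in the thread (the NAT rule names one real-side interface while the server actually sits behind another) is exactly what %ASA-5-305013 reports: the forward flow matches one NAT rule, the reverse lookup via the real interface matches a different one, and the connection is dropped. The check below is an added example, not something posted in the thread or shipped by Cisco. It parses object NAT lines in the format shown in the `show run nat` output above and flags any rule whose real interface is not the interface that actually owns the object's host address. The host address, interface subnets and mapped address are constructed placeholders; the object and interface names are taken from the thread.

```python
import ipaddress
import re

# Constructed sample of "show run nat" output, modelled on the object NAT rule
# posted in the thread. 203.0.113.10 is an RFC 5737 documentation placeholder
# standing in for the redacted public address.
SHOW_RUN_NAT = """\
object network WAPAY01_Payrol_Server
 nat (Inside,Outside-R1) static 203.0.113.10
"""

# Constructed: the real address behind each network object (what the
# "host" line of the object would give) and the subnets each interface owns
# (what "show route" connected routes would give). Here the server has been
# given an address on the DMZ-Public subnet to reproduce the mismatch.
OBJECT_HOSTS = {"WAPAY01_Payrol_Server": "10.10.20.5"}
INTERFACE_SUBNETS = {
    "Inside": ["10.10.10.0/24"],
    "DMZ-Public": ["10.10.20.0/24"],
    "Outside-R1": ["0.0.0.0/0"],   # default route points out Outside-R1
}

NAT_RE = re.compile(r"^\s*nat\s+\(([^,]+),([^)]+)\)\s+(static|dynamic)\s+(\S+)", re.I)
OBJ_RE = re.compile(r"^object network (\S+)")


def parse_object_nat(text):
    """Return (object, real_ifc, mapped_ifc, mapped) tuples for object NAT rules."""
    rules = []
    current = None
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and current:
            rules.append((current, m.group(1), m.group(2), m.group(4)))
    return rules


def interface_for(ip, subnets):
    """Longest-prefix match of ip against the per-interface subnet table."""
    addr = ipaddress.ip_address(ip)
    best = None  # (interface, prefixlen)
    for ifc, nets in subnets.items():
        for net in nets:
            n = ipaddress.ip_network(net)
            if addr in n and (best is None or n.prefixlen > best[1]):
                best = (ifc, n.prefixlen)
    return best[0] if best else None


def check_nat_rules(text, hosts, subnets):
    """Flag object NAT rules whose real interface does not own the real host.

    Interface names are compared case-insensitively; this is a simplification
    of the example, not a statement about how the ASA itself treats nameif.
    """
    findings = []
    for obj, real_ifc, mapped_ifc, mapped in parse_object_nat(text):
        real_ip = hosts.get(obj)
        if real_ip is None:
            findings.append((obj, "no host address known for object"))
            continue
        actual = interface_for(real_ip, subnets)
        if actual is None:
            findings.append((obj, f"{real_ip} is not routed via any interface"))
        elif actual.lower() != real_ifc.lower():
            findings.append((obj, f"nat ({real_ifc},{mapped_ifc}) static {mapped} "
                                  f"but {real_ip} is reached via {actual}"))
    return findings


if __name__ == "__main__":
    for obj, msg in check_nat_rules(SHOW_RUN_NAT, OBJECT_HOSTS, INTERFACE_SUBNETS):
        print(f"{obj}: {msg}")
```

Run against the constructed data it reports that the rule says `Inside` while the host is on the `DMZ-Public` subnet; moving the host address onto the Inside subnet (or changing the rule to `(DMZ-Public,Outside-R1)`) clears the finding. On a real box the two inputs come from `show run nat` and the connected routes in `show route`.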