1815 Views, 0 Helpful, 1 Replies

denied due to NAT reverse path failure - Asymmetric

Mohamed Hamid
Level 1

Hi Guys

I am trying to lock down the VPN access on my Cisco 5520 ASAs, whereby I wish not to allow users SSH access etc. on servers running on the same interface that they are VPNing into.

I did not originally configure the ASA and so I am slightly confused by some config on it. Currently when I attempt to PING a server within the same interface as the VPN network I get the following error in the logs below.

5    Jul 05 2012    09:45:15    305013    monitoringsystem                Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure

As a workaround I created a NAT exempt rule, which then allowed traffic to the server in question; however, I wish to limit the traffic to only ICMP, and when I do this in the firewall it does not take effect. Is this because of the NAT exempt rule?

Any help is much appreciated

1 Reply

Jennifer Halim
Cisco Employee

What have you configured to limit the traffic to only ICMP? Did you configure VPN Filter acl and assign it to the VPN Client group policy?
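As an added example (not posted in the thread), this is what a VPN filter ACL that limits remote-access clients to ICMP toward a single server looks like on the ASA; the client pool, the server address and the group-policy name are assumed. The filter is enforced on the decrypted traffic itself, so it works alongside a NAT exemption rather than being overridden by it.

```cisco
! Added example, not from the thread. Assumed addresses: VPN client pool
! 10.10.10.0/24 and the monitoring server 172.16.20.5 on the inside.
!
! A vpn-filter ACL is written from the VPN client's point of view:
! client-assigned addresses in the source position, local hosts in the
! destination position. The ASA applies it to both directions of the
! tunnel, so the echo reply from the server is matched by the same entry.
access-list VPN-ICMP-ONLY remark Allow only ping from VPN clients to the monitoring server
access-list VPN-ICMP-ONLY extended permit icmp 10.10.10.0 255.255.255.0 host 172.16.20.5
access-list VPN-ICMP-ONLY extended deny ip any any log
!
! Attach the filter to the group policy used by the remote-access tunnel
! group (policy name assumed). Note that with sysopt connection permit-vpn
! left at its default (enabled), decrypted VPN traffic bypasses the interface
! ACLs entirely, which is one common reason an interface rule appears to
! have no effect; the vpn-filter is applied regardless of that setting.
group-policy RA-VPN-POLICY attributes
 vpn-filter value VPN-ICMP-ONLY
!
! Verify after the client reconnects: the session should list the filter
! name, and the ACL hit counts should increase as the client pings.
! show vpn-sessiondb detail remote
! show access-list VPN-ICMP-ONLY
```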
