10-06-2016 08:54 AM - edited 03-12-2019 01:21 AM
We have an ASA running 9.6(1).
The firewall has an outside interface and an inside interface.
- We manage the servers that are on the inside interface from terminal servers that are on the outside interface.
- When I add a NAT statement:
nat (inside,outside) after-auto source dynamic any interface
- I can no longer manage the devices on the inside of the firewall from the outside.
The logs show the following:
Oct 06 2016 11:54:21: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:216.x.x.x dst inside:10.x.x.x (type 8, code 0) denied due to NAT reverse path failure
Any info would be great. Thanks.
10-06-2016 09:48 PM
This issue is because the packets are getting NATed for the internal IPs, so you have to configure NoNAT as below:
object-group network Internal-Server
host x.x.x.x (server IPs that are on the inside interface)
!
object-group network Terminal-Server
host 10.x.x.x (terminal server IPs that are on the outside interface)
!
nat (inside,outside) 1 source static Internal-Server Internal-Server destination static Terminal-Server Terminal-Server
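To see why the after-auto dynamic PAT breaks inbound management and why the identity twice-NAT rule at section 1 line 1 repairs it, here is an added, constructed Python model of the ASA's NAT reverse-path check; it is not ASA code or anything from this thread, and the 10.1.1.10, 216.1.1.5 and 203.0.113.1 addresses are stand-ins for the poster's 10.x.x.x, 216.x.x.x and outside interface.

```python
"""Constructed model (not ASA code) of the NAT reverse-path check behind
%ASA-5-305013 for the configuration discussed in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the 10.x.x.x / 216.x.x.x hosts and the outside interface
INSIDE_SERVER = "10.1.1.10"
TERMINAL_SERVER = "216.1.1.5"
OUTSIDE_IF_IP = "203.0.113.1"

@dataclass
class NatRule:
    section: int        # 1 = manual NAT, 2 = object NAT, 3 = manual after-auto
    real_src: str       # CIDR or "any"
    mapped_src: str     # CIDR; same as real_src for identity; "interface" for PAT
    dest: str = "any"   # destination match of a twice-NAT rule

def _matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)

def translate_src(rules: list[NatRule], src: str, dst: str) -> str:
    """Mapped source of an inside->outside packet: sections are searched in
    order 1, 2, 3 (list order within a section) and the first match wins."""
    for rule in sorted(rules, key=lambda r: r.section):   # sorted() is stable
        if _matches(rule.real_src, src) and _matches(rule.dest, dst):
            if rule.mapped_src == "interface":
                return OUTSIDE_IF_IP
            return src if rule.mapped_src == rule.real_src else rule.mapped_src
    return src  # no matching rule: the address leaves unchanged

def inbound_allowed(rules: list[NatRule], outside_host: str, inside_host: str) -> bool:
    """Outside-initiated flow addressed to the real inside address. The ASA also
    computes the reverse (inside->outside) translation; if that would rewrite the
    inside address, forward and reverse rules are asymmetric and the connection is
    dropped, which is what the 305013 message reports."""
    return translate_src(rules, inside_host, outside_host) == inside_host

# 'nat (inside,outside) after-auto source dynamic any interface' on its own
PAT_ONLY = [NatRule(3, "any", "interface")]
# Same, plus the accepted answer's identity twice NAT placed at section 1 line 1
WITH_NONAT = [NatRule(1, f"{INSIDE_SERVER}/32", f"{INSIDE_SERVER}/32",
                      f"{TERMINAL_SERVER}/32")] + PAT_ONLY

if __name__ == "__main__":
    print("PAT only    :", inbound_allowed(PAT_ONLY, TERMINAL_SERVER, INSIDE_SERVER))
    print("with NoNAT  :", inbound_allowed(WITH_NONAT, TERMINAL_SERVER, INSIDE_SERVER))
    print("other host still PATs to", translate_src(WITH_NONAT, "10.1.1.99", "198.51.100.7"))
```

The model also shows why the identity rule has to sit ahead of the dynamic rule: placed in section 3 after the PAT rule it would never be reached, and the reverse flow would still be translated to the interface address.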
10-07-2016 05:07 AM
Thanks that worked.
10-07-2016 05:10 AM
You are always welcome