cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
497
Views
0
Helpful
3
Replies

nat question

christianstp1
Level 1
Level 1

we have ASA running 9.6(1). 

the firewall has an outside interface and an inside interface. 

- we manage the servers that are on the inside interface from terminal servers that are from the outside interface. 

- when I add a nat statement = 
nat (inside,outside) after-auto source dynamic any interface

- I can no longer manage the devices on the inside of the firewall from the outside. 

the logs show as follows:

Oct 06 2016 11:54:21: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:216.x.x.x dst inside:10.x.x.x (type 8, code 0) denied due to NAT reverse path failure

any info would be great. Thanks.

1 Accepted Solution

Accepted Solutions

Pawan Raut
Level 4
Level 4

This issue is because packet getting NAT for internal IPs so you have to configure nonat as below

object-group network Internal-Server

  host  x.x.x.x  (server IPs that are on the inside interface)

!

object-group network Terminal-Server

  host  10.x.x.x  (terminal server IPs that are on the outside interface)

!

nat (inside,outside) 1 source static Internal-Server Internal-Server destination static Terminal-Server Terminal-Server

View solution in original post

3 Replies 3

Pawan Raut
Level 4
Level 4

This issue is because packet getting NAT for internal IPs so you have to configure nonat as below

object-group network Internal-Server

  host  x.x.x.x  (server IPs that are on the inside interface)

!

object-group network Terminal-Server

  host  10.x.x.x  (terminal server IPs that are on the outside interface)

!

nat (inside,outside) 1 source static Internal-Server Internal-Server destination static Terminal-Server Terminal-Server

Thanks that worked.

You are always welcome

Review Cisco Networking for a $25 gift card