
Server got lost from LAN while allowing Internet connectivity


Hello Team,


Seeking your help with an issue I've been facing deploying a new ASA5555 FW. We have a server behind the LAN interface which is well reachable over the Cisco AnyConnect profile; that server also needs internet connectivity, and here is where the issue comes up: after configuring the NAT to allow internet traffic, it is no longer reachable over AnyConnect, and what I can see in the logs is a kind of asymmetric NAT.


FW details: 

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)151

Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2793 MHz, 1 CPU (8 cores)
ASA: 8546 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB


The server is directly connected on LAN interface 

OSLO-ASA01# show arp | in
LAN 0015.5db3.a9f7 12


ACL to allow traffic from this server over the Internet (WAN Interface) 

access-list LAN_access_in extended permit ip host any log


NAT to translate source IP to WAN interface IP for Internet traffic

nat (LAN,WAN) source dynamic interface


As soon as that NAT gets applied, the internet is allowed to go over the internet but is lost from the LAN (Cisco AnyConnect), and I can see the error below in the logs:


5 Feb 19 2021 09:01:44 305013 10.47.200.1 LOCAL 10.47.20.245 Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src WAN:\ dst LAN: (type 8, code 0) denied due to NAT reverse path failure


Does someone know what would be the issue? I need to have this server (and many others to come up) reachable over the Cisco AnyConnect but also able to have Internet traffic


I would be able to provide further config details and logs/debug if needed 


Thanks in advance for your help



2 Accepted Solutions



You probably need a NAT exemption rule between the LAN and RAVPN networks, as the traffic is probably being unintentionally natted.

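One way to write the NAT exemption suggested in the accepted answer, as an added example that is not from the original thread. The interface names LAN and WAN come from the post; the object names, subnets and host addresses are constructed placeholders (assumptions), since the thread does not show the real LAN subnet or AnyConnect address pool.

```cisco
! Added example, not configuration from the thread.
! LAN_NET and RAVPN_POOL are hypothetical object names; the subnets are
! constructed placeholders. Replace them with the real LAN subnet and the
! address pool handed out to AnyConnect clients.
object network LAN_NET
 subnet 192.0.2.0 255.255.255.0
object network RAVPN_POOL
 subnet 198.51.100.0 255.255.255.0
!
! Identity (exemption) NAT: traffic from the LAN to the VPN pool keeps its
! real source and destination addresses. AnyConnect sessions terminate on
! the WAN interface, so the rule is written for the (LAN,WAN) pair.
! The "1" inserts it at the top of the manual NAT section. Manual NAT rules
! are evaluated in order and the first match wins, so the exemption must sit
! above the dynamic interface PAT rule used for Internet traffic.
! route-lookup makes the ASA use the routing table for the egress interface;
! no-proxy-arp stops it answering ARP for the identity-mapped addresses.
nat (LAN,WAN) 1 source static LAN_NET LAN_NET destination static RAVPN_POOL RAVPN_POOL no-proxy-arp route-lookup
!
! Verification (exec mode). Confirm the exemption is listed before the
! dynamic PAT rule and that its hit counters increase during a test.
show nat detail
!
! Trace a ping from a LAN server to a VPN client address (both constructed
! placeholders). The NAT phases of the output should name the static
! identity rule, not the dynamic interface rule.
packet-tracer input LAN icmp 192.0.2.10 8 0 198.51.100.10
```

With the exemption in place, the forward flow (VPN client to server) and the reverse flow (server to VPN client) match the same rule, which is the condition the 305013 "NAT reverse path failure" message reports as violated.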