Since upgrading to 8.4(4)1 from 8.3 VPN users cannot access certain resources

paultribe
Level 1

Since we upgraded our ASA from 8.3 to 8.4(4), VPN users cannot access resources. This worked fine until the appliances were upgraded. We get the message:

5|Nov 08 2012|14:56:33|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure

5|Nov 08 2012|14:56:21|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure

5|Nov 08 2012|14:56:15|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure

5|Nov 08 2012|14:56:12|305013|222.216.126.7|3389|||Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.58.1.3/10134(LOCAL\pttest) dst XXX_INT:222.216.126.7/3389 denied due to NAT reverse path failure

I know this is a NAT problem. Our NAT rules are as follows; can anyone suggest a fix? (Note: I have changed IPs and names for security.)

nat (XXX_INT,outside) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 no-proxy-arp route-lookup
nat (XXX_INT,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.1.0.0 obj-10.1.0.0 no-proxy-arp route-lookup
nat (EMBC-INT,outside) source static obj-10.60.0.0 obj-10.60.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup description NAT exemption for AnyConnect connections to Schools Servers
nat (XXX_INT,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup
nat (XXX_INT,outside) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup
nat (XXX_INT,XXX_INT) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup
nat (XXX_INT,XXX_INT) source static Public_DMZ Public_DMZ destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup
nat (XXX_INT,EMBC-EXT) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 no-proxy-arp route-lookup
nat (XXX_INT,EMBC-EXT) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup
nat (XXX_INT,EMBC-EXT) source static Public_DMZ Public_DMZ destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup
nat (XXX_INT,bogus) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0 no-proxy-arp route-lookup
nat (XXX_INT,bogus) source static Public_DMZ Public_DMZ destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup
nat (XXX_INT,outside) source static Supplies NAT-County-Supplies-Server destination static Iris_Networks Iris_Networks
nat (XXX_INT,outside) source static obj-10.110.3.244 NAT-ASA-Internal destination static obj-192.168.57.0 obj-192.168.57.0
nat (XXX_INT,outside) source static L2L-IPSEC-LOGICA-LOCAL L2L-IPSEC-LOGICA-LOCAL destination static L2L-IPSEC-LOGICA-REMOTE L2L-IPSEC-LOGICA-REMOTE no-proxy-arp route-lookup
nat (XXX_INT,outside) source static Supplies NAT-County-Supplies-Server destination static obj-192.168.57.0 obj-192.168.57.0
nat (EMBC-INT,outside) source static NETWORK_OBJ_10.60.0.115 NETWORK_OBJ_10.60.0.115 destination static NETWORK_OBJ_172.18.143.0_28 NETWORK_OBJ_172.18.143.0_28 no-proxy-arp route-lookup
nat (XXX_INT,outside) source static AP22-0029 Chipside_NAT_AP22 destination static Chipside_Payment_Processing Chipside_Payment_Processing
nat (outside,outside) source dynamic obj-10.58.1.0 interface destination static Extranet-DMZ Extranet-DMZ description NAT connections to Extranet VPN servers behind the ASA's Extranet DMZ interface
nat (outside,outside) source dynamic L2L-IPSEC-LOGICA-REMOTE interface destination static Extranet-DMZ Extranet-DMZ description NAT connections to Extranet VPN servers behind the ASA's Extranet DMZ interface
nat (XXX_INT,XXX_INT) source static obj-10.110.3.0 obj-10.110.3.0 destination static obj-192.168.57.0 obj-192.168.57.0
nat (XXX_INT,XXX_INT) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.1.0.0 obj-10.1.0.0
nat (XXX_INT,XXX_INT) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.58.1.0 obj-10.58.1.0
!
object network obj_any
nat (EMBC-INT,outside) dynamic obj-0.0.0.0
object network obj_any-01
nat (EMBC-INT,EMBC-EXT) dynamic obj-0.0.0.0
object network obj_any-02
nat (EMBC-INT,bogus) dynamic obj-0.0.0.0
object network obj_any-03
nat (XXX_INT,outside) dynamic obj-0.0.0.0
object network obj_any-04
nat (XXX_INT,EMBC-EXT) dynamic obj-0.0.0.0
object network obj_any-05
nat (XXX_INT,bogus) dynamic obj-0.0.0.0
object network obj_any-06
nat (bogus,outside) dynamic obj-0.0.0.0
object network obj_any-07
nat (bogus,EMBC-EXT) dynamic obj-0.0.0.0

2 Replies

Stuart Gall
Level 1

Config migration FAIL

Ok
For a start, what is
nat (EMBC-INT,outside) dynamic obj-0.0.0.0

That can't be right, try
nat (EMBC-INT,outside) dynamic

Sent from Cisco Technical Support iPad App

Hi

I am new to this ASA and I believe there are some old rules that actually are not required, mainly the dynamic PAT rules. Are you saying that because these exist they are stopping NAT exemption from working? The exemption rules did work OK prior to 8.4(4)1 being installed.

Basically we have a VPN group which gets its IP addresses from the address range 10.58.1.0/24, who have to access servers on subnet 222.216.126.0/24. This subnet is located behind another firewall. The config pertaining to all this is as follows:

name 222.216.120.0 Public_DMZ

object network Public_DMZ
 subnet 222.216.120.0 255.255.248.0

route XXX_INT Public_DMZ 255.255.248.0 Nokia_VIP 1

(Could it be this route that is causing the problem, as it is not specific enough, as is the object above?)

I am not sure which NAT rule in 8.3 allowed the access to work. I would have thought the rule may look something like this, but I am new to ASA 8.4.

object network Public_DMZ
subnet 222.216.120.0 255.255.248.0

object network obj-10.58.1.0
subnet 10.58.1.0 255.255.255.0

nat (XXX_INT,outside) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ no-proxy-arp route-lookup

This rule exists but is below another rule (see below), which is being hit first.

nat (XXX_INT,outside) source static obj-10.0.0.0 obj-10.0.0.0 destination static obj-10.58.1.0 obj-10.58.1.0 no-proxy-arp route-lookup
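An added example, not code from the thread or from Cisco, that models the top-down, bidirectional twice-NAT matching the two posts above are arguing about and checks whether the forward and reverse halves of the logged connection (src outside:10.58.1.3 to XXX_INT:222.216.126.7) hit the same NAT rule, which is exactly what syslog 305013 reports when they do not. Only the (XXX_INT,outside) and (XXX_INT,XXX_INT) manual rules and the migrated obj_any-03 object rule are modelled. The masks of obj-10.0.0.0, obj-10.1.0.0, obj-10.110.3.0 and obj-192.168.57.0, the obj_any = 0.0.0.0/0 definition, taking the egress interface from the route, and the candidate identity rule `nat (outside,XXX_INT) source static obj-10.58.1.0 obj-10.58.1.0 destination static Public_DMZ Public_DMZ` are all assumptions made for the illustration, not configuration from the thread.

```python
"""Toy model of ASA 8.3+ NAT matching for the connection logged in the thread.
Added example (not the thread's or Cisco's code). Question it answers: do the
forward and reverse halves of one connection hit the same NAT rule? When they
do not, the ASA logs 305013 "Asymmetric NAT rules matched" and drops the flow.
Simplifications: egress interface is the one the route gives, only a subset
of the posted rules is modelled, and several object masks are ASSUMED.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Public_DMZ and obj-10.58.1.0 are defined in the thread; the others are
# ASSUMED from the object names and are not the thread's definitions.
OBJECTS = {
    "obj-10.58.1.0": ip_network("10.58.1.0/24"),
    "Public_DMZ": ip_network("222.216.120.0/21"),
    "obj-10.0.0.0": ip_network("10.0.0.0/8"),           # assumed mask
    "obj-10.1.0.0": ip_network("10.1.0.0/16"),          # assumed mask
    "obj-10.110.3.0": ip_network("10.110.3.0/24"),      # assumed mask
    "obj-192.168.57.0": ip_network("192.168.57.0/24"),  # assumed mask
    "obj_any": ip_network("0.0.0.0/0"),                 # assumed: migrated "any"
}


@dataclass(frozen=True)
class Rule:
    name: str
    real_ifc: str        # first interface in nat (real,mapped)
    mapped_ifc: str      # second interface
    src: str             # real source object
    dst: Optional[str]   # real destination object, None = any
    static: bool         # static rules match both directions, dynamic only forward


@dataclass(frozen=True)
class Flow:
    in_ifc: str
    out_ifc: str
    src: str
    dst: str


def _contains(obj: Optional[str], addr: str) -> bool:
    return obj is None or ip_address(addr) in OBJECTS[obj]


def matches(rule: Rule, flow: Flow) -> bool:
    # Forward: packet enters on the real interface and leaves on the mapped one.
    if (flow.in_ifc, flow.out_ifc) == (rule.real_ifc, rule.mapped_ifc) \
            and _contains(rule.src, flow.src) and _contains(rule.dst, flow.dst):
        return True
    # Reverse (static rules only): enters on the mapped interface, and the
    # packet's source must be the rule's destination and vice versa.
    if rule.static and (flow.in_ifc, flow.out_ifc) == (rule.mapped_ifc, rule.real_ifc) \
            and _contains(rule.dst, flow.src) and _contains(rule.src, flow.dst):
        return True
    return False


def first_match(rules, flow: Flow) -> Optional[str]:
    """Top-down first match, the way the ASA walks Section 1 then Section 2."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name
    return None


def nat_symmetry(rules, fwd: Flow):
    """Return (forward rule, reverse rule, symmetric?) for one connection."""
    rev = Flow(fwd.out_ifc, fwd.in_ifc, fwd.dst, fwd.src)
    f, r = first_match(rules, fwd), first_match(rules, rev)
    return f, r, f == r


# Section 1 (manual NAT) subset, in the order posted.
MANUAL_NAT = [
    Rule("static 10.110.3.0->192.168.57.0", "XXX_INT", "outside", "obj-10.110.3.0", "obj-192.168.57.0", True),
    Rule("static 10.0.0.0->10.1.0.0", "XXX_INT", "outside", "obj-10.0.0.0", "obj-10.1.0.0", True),
    Rule("static 10.0.0.0->10.58.1.0", "XXX_INT", "outside", "obj-10.0.0.0", "obj-10.58.1.0", True),
    Rule("static 10.58.1.0->Public_DMZ", "XXX_INT", "outside", "obj-10.58.1.0", "Public_DMZ", True),
    Rule("static (XXX_INT,XXX_INT) 10.58.1.0->Public_DMZ", "XXX_INT", "XXX_INT", "obj-10.58.1.0", "Public_DMZ", True),
    Rule("static (XXX_INT,XXX_INT) Public_DMZ->10.58.1.0", "XXX_INT", "XXX_INT", "Public_DMZ", "obj-10.58.1.0", True),
]
# Section 2 (object NAT): one of the migrated catch-all dynamic rules the reply questions.
OBJECT_NAT = [Rule("obj_any-03 dynamic PAT", "XXX_INT", "outside", "obj_any", None, False)]

# The connection from the 305013 log lines: VPN client on outside, RDP to a
# server reached via XXX_INT (the Public_DMZ route); egress taken from that route.
VPN_RDP = Flow("outside", "XXX_INT", "10.58.1.3", "222.216.126.7")

# ASSUMED candidate fix, not a rule from the thread: identity NAT written for
# the direction the traffic actually takes (outside -> XXX_INT).
FIX = Rule("static outside->XXX_INT 10.58.1.0->Public_DMZ",
           "outside", "XXX_INT", "obj-10.58.1.0", "Public_DMZ", True)


def diagnose():
    return nat_symmetry(MANUAL_NAT + OBJECT_NAT, VPN_RDP)


def diagnose_with_fix():
    # Manual NAT is first-match top-down, so the new rule is placed first.
    return nat_symmetry([FIX] + MANUAL_NAT + OBJECT_NAT, VPN_RDP)


if __name__ == "__main__":
    print("as posted:", diagnose())          # (None, 'obj_any-03 dynamic PAT', False)
    print("with fix: ", diagnose_with_fix())
```

Under these assumptions the forward packet (outside to XXX_INT) matches no rule at all, while the return packet (XXX_INT to outside) falls through Section 1 and lands on the obj_any-03 dynamic PAT: that is the asymmetry the syslog describes, and it is why the existing rule `nat (XXX_INT,outside) source static obj-10.58.1.0 ... destination static Public_DMZ ...` does not help, since it is written for 10.58.1.0/24 sitting behind XXX_INT rather than arriving on outside. An identity rule written for the real direction makes both halves match the same rule. The model ignores NAT divert, `any` interfaces and Section 3 after-auto rules, so confirm on the appliance with `packet-tracer input outside tcp 10.58.1.3 10134 222.216.126.7 3389` and compare the UN-NAT and NAT phases before and after the change.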
