10-14-2020 08:21 AM
Hi,
I would like to ask about a reverse flow error. I saw the same issue in the forum and tried to fix it, but I don't know how to add a NAT exemption rule, or my exemption rule doesn't work.
My network information:
inside-net=20.1.1.0/24
outside-net=10.1.1.0/24
I use the command below for internet access.
nat (inside,outside) dynamic interface
My web server needs to access an internal server, so I use a NAT exemption rule like the one below.
nat (inside,outside) source static inside-net outside-net destination static outside-net outside-net no-proxy-arp
But my web servers cannot access the internal server. I always get:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:xxx.xxx.xxx dst inside:xxx.xxx.xxx.xxx (type 8, code 0) denied due to NAT reverse path failure
Please help me fix this, or is my rule wrong?
10-14-2020 08:41 AM
It is probably because both rules are in section 1 and the dynamic rule is coming before the NAT exemption rule (they are used in order).
So either reorder the rules or move the dynamic NAT to section 3.
If you are not familiar with the sections etc. then see this doc -
Jon
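The ordering Jon describes, written out as an added example (this is not the poster's configuration and not from the thread). It assumes the two object names from the question and places the exemption in section 1 and the internet PAT in section 3 with `after-auto`; the host addresses in the verification comments are constructed. Note that a NAT exemption is identity NAT, so the source object maps to itself:

```cisco
! Added example, not the poster's config: NAT exemption ordered ahead of
! dynamic PAT so the exemption matches both the forward and reverse flow.
! Object names are assumed from the question.
object network inside-net
 subnet 20.1.1.0 255.255.255.0
object network outside-net
 subnet 10.1.1.0 255.255.255.0
!
! Section 1 (manual/twice NAT): identity NAT between inside-net and outside-net.
! The real and mapped source are the SAME object ("inside-net inside-net").
! Section 1 is evaluated before sections 2 and 3, and a static twice-NAT
! rule also matches the reverse direction, so the return traffic is not PATed.
nat (inside,outside) source static inside-net inside-net destination static outside-net outside-net no-proxy-arp
!
! Internet PAT, deliberately placed after the exemption. "after-auto" puts
! this manual rule in section 3; configuring it under "object network
! inside-net" instead would make it auto NAT (section 2), which is also
! evaluated after section 1.
nat (inside,outside) after-auto source dynamic inside-net interface
!
! Verification (hosts 10.1.1.10 and 20.1.1.10 are constructed for the check):
!   show nat detail
!     -> the identity rule is listed before the dynamic PAT rule
!   packet-tracer input outside icmp 10.1.1.10 8 0 20.1.1.10
!   packet-tracer input inside  icmp 20.1.1.10 8 0 10.1.1.10
!     -> both traces hit the same identity NAT rule in the NAT phase,
!        and neither reports an asymmetric NAT / reverse path failure
```

Running the two `packet-tracer` commands in opposite directions is the quickest way to confirm that one NAT rule is chosen for both flows; if they report different rules, the "Asymmetric NAT rules matched" drop in the question is what the ASA will log.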
10-14-2020 10:04 AM - edited 10-14-2020 10:29 AM
Hi @Jon Marshall ,
When I check the configuration, I think they are in different sections. Let me know if I am wrong.
I know that the incoming traffic is not NAT and the return traffic is NAT traffic, so the ASA blocks that traffic. But I don't know how to fix it. Let me know how to fix it?