Asymmetric NAT rules matched for forward and reverse flows error

MrBeginner
Spotlight

Hi,

I would like to ask about the reverse flows error. I saw the same issue in the forum and tried to fix it, but I don't know how to add a NAT exemption rule, or my exemption rule doesn't work.

My network information:

inside-net=20.1.1.0/24
outside-net=10.1.1.0/24

I use the command below for internet access.

nat (inside,outside) dynamic interface

My web servers need to access an internal server, so I use a NAT exemption rule like the one below.

nat (inside,outside) source static inside-net outside-net destination static outside-net outside-net no-proxy-arp

But my web servers cannot access the internal server. I always get:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:xxx.xxx.xxx dst inside:xxx.xxx.xxx.xxx (type 8, code 0) denied due to NAT reverse path failure

Please help me fix this. Or is my rule wrong?

2 Replies

Jon Marshall
Hall of Fame
It is probably because both rules are in section 1 and the dynamic rule comes before the NAT exemption rule (they are used in order).

 

So either reorder the rules or move the dynamic NAT to section 3. 

If you are not familiar with the sections etc. then see this doc:

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

 

Jon
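As an added example (not part of Jon's reply or the original post), the following shows what Jon describes on the ASA CLI: the two-rule arrangement that produces the asymmetric match when the dynamic PAT sits ahead of the exemption in section 1, and the two fixes he suggests (reorder within section 1, or push the PAT to section 3 with `after-auto`). The inside-net and outside-net subnets are taken from the question; the sample host addresses in the packet-tracer check are assumed. One caveat on the posted rule: a NAT exemption is an identity translation, so the mapped source is inside-net itself, not outside-net.

```text
! Objects (subnets taken from the question)
object network inside-net
 subnet 20.1.1.0 255.255.255.0
object network outside-net
 subnet 10.1.1.0 255.255.255.0
!
! --- Before: both rules as twice NAT in section 1, dynamic PAT first ---
! Section 1 is evaluated top down. For a web server (outside) -> internal
! server (inside) packet the untranslate lookup skips the PAT (destination
! is not the interface address) and lands on the identity rule, but the
! reverse flow inside -> outside hits the PAT first. Two different rules
! for the two directions is exactly the "Asymmetric NAT rules matched"
! reverse path failure in the question.
nat (inside,outside) source dynamic inside-net interface
nat (inside,outside) source static inside-net inside-net destination static outside-net outside-net no-proxy-arp
!
! --- Fix 1: keep both in section 1, but insert the exemption at line 1 ---
! (replaces the two rules above; the "1" after the interface pair is the
! section 1 line number)
nat (inside,outside) 1 source static inside-net inside-net destination static outside-net outside-net no-proxy-arp
nat (inside,outside) source dynamic inside-net interface
!
! --- Fix 2: leave the exemption in section 1, move the PAT to section 3 ---
! Section 3 (after-auto) is consulted only when nothing in section 1 or
! section 2 matches, so inside-net <-> outside-net traffic always takes
! the identity rule in both directions, and everything else still PATs.
nat (inside,outside) source static inside-net inside-net destination static outside-net outside-net no-proxy-arp
nat (inside,outside) after-auto source dynamic inside-net interface
!
! --- Verify ---
! "show nat detail" lists rules per section with translate_hits and
! untranslate_hits, so you can see which rule each direction is using.
! packet-tracer walks the forward flow from an assumed web server
! 10.1.1.10 to an assumed internal host 20.1.1.10; the NAT phase should
! name the identity rule rather than the PAT.
show nat detail
packet-tracer input outside icmp 10.1.1.10 8 0 20.1.1.10 detailed
```

NAT only decides how addresses are rewritten; the outside-to-inside flow still needs an access-list applied inbound on the outside interface that permits the web servers, otherwise packet-tracer will stop at the ACCESS-LIST phase even after the NAT phase is correct.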

Hi @Jon Marshall,

When I check the configuration, I think they are in different sections. Let me know if I am wrong?

I know that the incoming traffic is not NATed and the return traffic is NATed, so the ASA blocks that traffic. But I don't know how to fix it. Let me know how to fix it?

[attachment: NAT.PNG]
