05-30-2017 07:57 AM - edited 03-08-2019 10:46 AM
Hi All,
On an ASA 8.2.5 firewall we are getting logs for "denied due to NAT reverse path failure".
Our configuration:
global (outside) 1 198.2.2.254
global (DMZ1) 1 172.26.10.254
global (DMZ2) 1 198.3.3.250
nat (inside) 0 access-list nonat_1
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ1) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0
access-group DMZ1_inbound in interface DMZ1
access-list DMZ1_inbound line 9 extended permit ip 172.26.0.0 255.255.0.0 any log informational interval 300 (hitcnt=65881)
Logs:
May 30 2017 10:13:50 : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src DMZ1:172.26.22.27/63574 dst inside:10.22.66.236/2144 denied due to NAT reverse path failure
Kindly do the needful.
Thanks & Regards,
Ramesh Babu.A.
05-30-2017 08:31 AM
Hi,
Have a look at this post.
https://supportforums.cisco.com/discussion/10807946/denied-due-nat-reverse-path-failure
HTH
05-30-2017 12:22 PM
Hi,
We have applied
access-list nonat_1 extended permit ip host 10.22.66.236 host 172.26.201.27
and now it's normal.
Thanks for your help.
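The check behind the %ASA-5-305013 message in the original post can be modelled in a few lines. This is an added example, not code from the thread or from Cisco: it simplifies ASA 8.2 NAT ordering to nat 0 access-list exemption followed by nat/global pairs, uses the interfaces, pools and rules from the posted configuration, and assumes the nonat entry names the DMZ1 host from the log line (172.26.22.27) rather than the host in the reply above.

```python
from ipaddress import ip_address, ip_network

# global (ifc) id pool from the posted config: (interface, nat id) -> PAT address
GLOBALS = {("outside", 1): "198.2.2.254",
           ("DMZ1", 1): "172.26.10.254",
           ("DMZ2", 1): "198.3.3.250"}
# nat (ifc) id local-net from the posted config (nat 0 access-list handled separately)
NAT_RULES = [("inside", 1, "0.0.0.0/0"), ("DMZ1", 1, "0.0.0.0/0"), ("DMZ2", 1, "0.0.0.0/0")]

def translate(ingress, src, egress, dst, nonat_acl):
    """Mapped address ASA 8.2 would give `src` entering `ingress` toward `dst` on
    `egress`: NAT exemption is checked first, then dynamic nat/global pairs.
    nonat_acl is a list of (nat interface, src network, dst network) tuples."""
    src, dst = ip_address(src), ip_address(dst)
    for acl_ifc, acl_src, acl_dst in nonat_acl:
        if acl_ifc == ingress and src in ip_network(acl_src) and dst in ip_network(acl_dst):
            return src  # nat (ifc) 0 access-list: identity, no translation
    for ifc, nat_id, local in NAT_RULES:
        if ifc == ingress and src in ip_network(local):
            pool = GLOBALS.get((egress, nat_id))
            # nat-control is disabled: with no global on the egress interface
            # the packet is forwarded untranslated instead of being dropped
            return ip_address(pool) if pool else src
    return src

def reverse_path_check(ingress, src, egress, dst, nonat_acl):
    """The forward flow reaches dst at its real address. The ASA then asks what
    dst would be translated to when talking back toward src; if that differs
    from the address the forward flow used, the rules are asymmetric and the
    connection is denied with 'NAT reverse path failure'."""
    reverse_mapped = translate(egress, dst, ingress, src, nonat_acl)
    return reverse_mapped == ip_address(dst)

if __name__ == "__main__":
    # The flow from the log line: DMZ1:172.26.22.27 -> inside:10.22.66.236
    flow = ("DMZ1", "172.26.22.27", "inside", "10.22.66.236")
    print("no exemption :", "allowed" if reverse_path_check(*flow, []) else "denied")
    # Constructed nonat entry mirroring the fix posted in the thread
    nonat = [("inside", "10.22.66.236/32", "172.26.22.27/32")]
    print("with nonat   :", "allowed" if reverse_path_check(*flow, nonat) else "denied")
```

Without the exemption the inside host would be PAT'd to the DMZ1 global (172.26.10.254) on the return path, which is why the ASA refuses the forward connection; the nat 0 access-list entry makes both directions agree on the real address.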
05-30-2017 01:28 PM
Hi,
Please mark the post as answered, so others can benefit from it.
Thanks,
06-03-2017 07:19 AM
Hi Reza,
Thanks for your help.
Thanks & Regards,
Ramesh Babu.A.
11-07-2019 02:56 AM
Thanks for the support. Helpful for me as well.