06-24-2015 06:20 AM
Hello everyone,
This may be a common problem and I apologize if this is a repeat post. I am getting the following error:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.1.1.9/137(LOCAL\bob) dst outside:10.1.1.255/137 denied due to NAT reverse path failure
10.1.1.0/24 is my VPN subnet that I use for AnyConnect clients coming into my ASA 5505 (9.1(6)4). I believe someone else is explaining the answer in this link. However, I can't get my head wrapped around the syntax for the NAT statement. I know this is broadcast traffic attempting some local area discovery based on the broadcast address.
Am I doing something like this?
object network VPN-Subnet
network 10.1.1.0/24
nat (outside,outside) source static VPN-Subnet VPN-Subnet destination VPN-Subnet VPN-Subnet ??
Looking to see if I'm on the right track, and if possible, attempt to explain this concept.
Thank you!
06-24-2015 08:43 AM
Hi Scott,
Please explain what exactly you want to achieve.
I will compile the script for you.
Thanks
06-24-2015 09:00 AM
Hi rizwanr74,
When connected via AnyConnect, my logging is spammed with the above error. I would like to fix this. I believe it is due to a misconfig. While I do not have a lot of VPN-Subnet to VPN-Subnet communication at the moment, my understanding is that if I need to, it will not work.
I would also like to understand the syntax of the fix, assuming it is a NAT statement.
Thank you!
07-08-2015 11:20 AM
Can you post your config? I will examine it for you.
07-08-2015 10:56 AM
Hoping to find an answer to this.
This logging message is very frequent and fills up the buffer.
Thanks for any advice.
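Added example (not written by any poster in this thread): a small Python triage script for the %ASA-5-305013 messages quoted in the first post. It groups them by whether the denied flow enters and leaves the same interface with a source in the VPN pool and a destination of the pool's broadcast address, which is the pattern the original poster suspects. The pool 10.1.1.0/24 comes from the thread; every sample log line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# AnyConnect pool as stated in the first post.
VPN_POOL = ipaddress.ip_network("10.1.1.0/24")

# Matches the 305013 layout shown in the first post; the "(user)" suffix is optional.
MSG_305013 = re.compile(
    r"%ASA-\d-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)(?:\([^)]*\))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def classify(line):
    """Return (kind, protocol, dst_port) for a 305013 line, or None for anything else."""
    m = MSG_305013.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src_ip"])
    dst = ipaddress.ip_address(m["dst_ip"])
    hairpin = m["src_if"] == m["dst_if"]  # flow enters and leaves the same interface
    if hairpin and src in VPN_POOL and dst == VPN_POOL.broadcast_address:
        kind = "pool-broadcast"   # client discovery traffic sent to the pool broadcast
    elif hairpin and src in VPN_POOL and dst in VPN_POOL:
        kind = "pool-to-pool"     # VPN client talking to another VPN client
    else:
        kind = "other"
    return kind, m["proto"], int(m["dst_port"])

def summarize(lines):
    """Count 305013 denials per (kind, protocol, dst_port); other messages are skipped."""
    return Counter(c for c in map(classify, lines) if c)

PREFIX = "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
SUFFIX = " denied due to NAT reverse path failure"
SAMPLE = [
    # First line is the message from the first post; the rest are constructed.
    PREFIX + r"Connection for udp src outside:10.1.1.9/137(LOCAL\bob) dst outside:10.1.1.255/137" + SUFFIX,
    PREFIX + r"Connection for udp src outside:10.1.1.12/137(LOCAL\alice) dst outside:10.1.1.255/137" + SUFFIX,
    PREFIX + r"Connection for tcp src outside:10.1.1.9/51000(LOCAL\bob) dst outside:10.1.1.20/445" + SUFFIX,
    PREFIX + "Connection for tcp src inside:192.168.1.5/40000 dst outside:10.1.1.9/3389" + SUFFIX,
    "%ASA-6-302015: Built outbound UDP connection 1 for outside:192.0.2.1/53",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```

A high count in the pool-broadcast bucket means the log volume comes from client name-discovery broadcasts rather than from real client-to-client sessions, which show up under pool-to-pool.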