cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2454
Views
5
Helpful
3
Replies
dedra_live
Beginner

Site-to-Site VPN: Asymmetric NAT rules matched for forward and reverse flows

Hello,
We are currently running site-to-site VPN with another customer. Customer has configured VPN on the router and on our side it is the ASA 8.2(4)
We have exposed a public IP on the ASA which is statically natted to a private internal IP for all 'internet' users. The same private IP needs to be accessed by the customer through VPN (i.e. bypassing the public IP).
However, we get to see the following error on our ASA
: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows;
Connection for tcp src outside-INTERNET:172.1.2.50/28996 dst inside-ASA-IPS1:10.1.2.50/80 denied due to NAT reverse path failure
The connection initiated  by the customer reaches our ASA and gives the above error.
However, the customer is able access the private IP other than 10.1.2.50 (an IP which is not defined against any NAT command on the ASA).
Is there any NAT0 to be defined for inbound traffic i.e. from customer to us or anything else to make it go through.
The traffic from us to customer is working without any problem. The issue is only from customer to us.
Please assist.
Thanks.
3 REPLIES 3
Yudong Wu
Rising star

can you paste all nat/global/static configuration and related ACL if it is used by any NAT?

In general, we use nat 0 to bypass vpn traffic from being nat-ed.

Hello,


- show run nat

nat (inside-ASA) 0 access-list inside-ASA_nat0_outbound
nat (inside-ASA) 1 0.0.0.0 0.0.0.0

- show run global


global (outside) 1 interface


- show run static

static (inside-ASA,outside) tcp 80.224.20.10 https 10.1.2.50 https netmask 255.255.255.255

- Related ACL

access-list inside-ASA-nat0_outbound extended permit ip object-group Server_Pool host 172.1.2.50

Server_Pool members are 10.1.2.11 and 10.1.2.12.

10.1.2.50 is the load balancer virtual IP and 10.1.2.11/12 are servers behind it.

The issue I am facing is on the traffic from 172.1.2.50 to 10.1.2.50

Thanks.

You just need include the traffic from 10.1.2.50 to 172.1.2.50 into nat 0, so what you need to do is to add 10.1.2.50 into object-group Server_Pool