Asymmetric NAT rules matched for forward and reverse flows

I was configuring a basic VPN on my home Cisco ASA firewall so I could monitor a few things on my local network from my iPhone while I was out. Being a Friday near the end of the work day, I was working fast and skipped a very important detail – NAT exemption. I never added the required statement on my firewall; what that statement was, I’ll get to in a minute. The result was a new error in the firewall’s syslog:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows;
Connection for icmp src outside:X.X.X.X dst inside:X.X.X.X (type 8, code 0)
denied due to NAT reverse path failure

I hadn’t seen that error before. I checked the config, realized what I had missed, and had to laugh that I had skipped such a thing. When my VPN was connected on my phone, I had a local address as a VPN user, assigned from a specified pool, so on the way IN to my network no NAT translation was applied. With the way my firewall was configured, any outbound traffic was NAT’ed to my interface address unless it matched another rule I had set up. Since I had missed the NAT exemption for this VPN configuration, the return traffic was translated to my interface address instead of keeping the local IP it should have had. The forward and reverse flows therefore matched different NAT rules, and I was unable to load any internal resources on my network.

So what exactly did I do to fix this one, you might be asking. I simply added a new NAT statement saying that when the source was an internal network resource accessing another internal network resource, all addressing would remain in its original state with no translation. On my Cisco ASA 5505 running 9.1(6) it looked a bit like this:

(Image: NAT exempt example on a Cisco ASA 5505)
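Since the screenshot of the rule did not survive, here is the equivalent ASA 9.x CLI as an added example; it is not the post’s own configuration, and the object names and subnets (192.168.1.0/24 inside, 10.0.10.0/24 VPN pool) are assumptions. It also shows the pre-8.3 form that the comments mention, for comparison.

```cisco
! Added example, not the post's own screenshot. Object names and subnets
! are assumptions chosen for illustration.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 ! Existing outbound dynamic PAT to the interface address. This is the
 ! rule the reverse flow matched and that caused the 305013 error.
 nat (inside,outside) dynamic interface
!
object network VPN_POOL
 subnet 10.0.10.0 255.255.255.0
!
! NAT exemption (identity twice NAT). Manual NAT is evaluated before
! object NAT, so inside <-> VPN pool traffic keeps its real addresses in
! both directions and the forward and reverse flows match the same rule.
! no-proxy-arp: do not answer ARP for VPN_POOL on the inside interface.
! route-lookup: pick the egress interface from the routing table.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Verification: the return direction (inside -> VPN client) should now
! hit the identity rule, and the syslog 305013 messages should stop.
! packet-tracer input inside icmp 192.168.1.10 8 0 10.0.10.5
! show nat detail
!
! Pre-8.3 equivalent mentioned in the comments. On 8.3+ code this
! "nonat" ACL form is no longer sufficient; the twice NAT rule above is.
! access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.10.0 255.255.255.0
! nat (inside) 0 access-list NONAT
```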

The moment I hit Apply, all network resources were accessible over the VPN. The main thing to remember if you ever see that error is to check all the NAT translations you have and make sure the source and destination devices are using the same IP information in both directions. If a NAT statement is off and these don’t match, the traffic will not work.

Kevin Blackburn

Cisco CCNP, Senior Network Engineer in the Healthcare Industry. Currently working on my CCIE R&S which is the focus of most of my latest blog posts. #NFD15 Delegate.

7 thoughts on “Asymmetric NAT rules matched for forward and reverse flows”

  • March 1, 2017 at 5:00 pm

    That did the trick, thank you!

    Went from 8.2 to 9.1 and VPN was not working.

    • kevin
      March 5, 2017 at 12:28 am

      Awesome, glad it worked!

      • May 11, 2017 at 10:28 pm

        Same as Joe. Was migrating from firewalls using pre-8.3 code to firewalls on the latest, and apparently the new code doesn’t suffice with just ye olde NONAT ACL.

        Thanks for posting your efforts.

  • May 18, 2017 at 2:35 pm

    I’m having the same issue: remote access VPN can ping servers but not the inside of the ASA, and thus it’s not getting the route to another server that is on a separate subnet. The VPN pool for the VPN is on the same subnet as the LAN but outside of the DHCP scope. I have been fiddling with ACLs, NAT, etc. and nothing works here. My problem is also that this is in production with an active L2L IPsec VPN connection that I cannot disturb. Thoughts?

    Error in log:
    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.28.200(LOCAL\vpnuser1) dst inside:10.45.2.49 (type 8, code 0) denied due to NAT reverse path failure

    • Kevin Blackburn
      May 18, 2017 at 3:22 pm

      Definitely a NAT rule issue, but can you send the present rules you have configured for those two subnets shown in your error message to talk to each other? That’s where the issue lies, I’d be willing to bet.

      • May 18, 2017 at 4:29 pm

        Thanks! Yeah, I had to make a new no-NAT rule from the VPN pool to that specific IP (after making a network object for it) and that did the trick. Thanks!
