I was setting up a basic VPN on my home Cisco ASA firewall so I could monitor a few things on my network from my iPhone while I was out. It being a Friday near the end of the work day, I was working fast and skipped a very important detail: NAT exemption. I never added the required statement on my firewall. What that statement was, I'll get to in a minute. That all being said, I received a new error in my syslog on the firewall:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:X.X.X.X dst inside:X.X.X.X (type 8, code 0) denied due to NAT reverse path failure
I hadn't seen that error before. I checked the config, realized what I had missed, and it made me laugh that I had skipped such a thing. When my VPN was connected on my phone, my VPN client was assigned a local address from the configured pool, so on the way IN to my network there was no NAT translation taking place. The way my firewall was configured, any outbound traffic was NAT'ed to my interface address unless it matched another rule I had set up. Since I had missed the NAT exemption for this VPN configuration, the return traffic was translated to my interface address instead of keeping the local IP it should have had. The forward and reverse flows were therefore matching different NAT rules, which is exactly what the message says, and I was unable to load any internal resources on my network.
So what exactly did I do to fix this one, you might be asking? I simply made a new NAT statement that said when the source was an internal network resource and it was accessing another internal network resource, all addressing would remain in its original state with no translation. On my Cisco ASA 5505 running 9.1(6) it looked a bit like this:

The moment I hit Apply, all network resources were accessible over the VPN. The main thing to remember if you ever get that error is to check every NAT rule you have and make sure the source and destination devices see the same IP addresses in both directions. If a NAT statement is off and the forward and reverse flows don't match, the traffic will not work.
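For reference, here is what that NAT exemption looks like in 8.3+/9.1 syntax, as an added example and not the screenshot from the original post; the object names and the 192.168.x.x addresses are assumed. It also includes the packet-tracer check you can run to confirm the reverse flow now hits the identity rule instead of the interface PAT.

```cisco
! Objects for the inside LAN and the remote-access VPN address pool
! (names and addresses are assumed for this example)
object network obj-inside-lan
 subnet 192.168.1.0 255.255.255.0
object network obj-vpn-pool
 subnet 192.168.10.0 255.255.255.0

! Identity (no-translation) twice NAT for LAN <-> VPN-pool traffic.
! As a "source static X X" rule it lands in NAT section 1, so it is
! evaluated before the dynamic PAT rule that was translating the
! return traffic to the interface address.
nat (inside,outside) source static obj-inside-lan obj-inside-lan destination static obj-vpn-pool obj-vpn-pool no-proxy-arp route-lookup

! The existing outbound PAT rule stays in place for everything else
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! Verification: simulate the reverse flow (an inside host answering a
! VPN client's ping) and confirm the identity rule is the one matched.
packet-tracer input inside icmp 192.168.1.10 0 0 192.168.10.5
show nat detail
```

In the packet-tracer output, the NAT phase should show the identity rule with both addresses unchanged; if it still shows the dynamic interface rule, the object addresses or interface pair in the exemption are wrong.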
That did the trick, thank you!
Went from 8.2 to 9.1 and VPN was not working.
Awesome, glad it worked!
Same as Joe. Was migrating from firewalls using pre-8.3 code to firewalls on the latest, and apparently the new code doesn’t suffice with just ye olde NONAT ACL
Thanks for posting your efforts.
I'm having the same issue, remote access vpn can ping servers but not the inside of the ASA and thus it's not getting the route to another server that is on a separate subnet. The VPN pool for the VPN is on the same subnet as the LAN but outside of the DHCP scope. I have been fiddling with ACLs, NAT, etc. and nothing works here. My problem is also that this is in production with an active L2L IPsec VPN connection that I cannot disturb. Thoughts?
Error in log:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.2.28.200(LOCAL\vpnuser1) dst inside:10.45.2.49 (type 8, code 0) denied due to NAT reverse path failure
Definitely a NAT rule issue, but can you send the present rules you have configured for those two subnets shown in your error message to talk to each other? That's where the issue lies, I'd be willing to bet.
Thanks! Yeah I had to make a new no nat rule from the VPN pool to that specific IP (after making a network object for it) and that did the trick. Thanks!
Awesome. I'm glad it worked. Have a good one!
Great Blog. Had the same issue and after a couple of days searching this was my solution.
“Network Object” NAT
(ANY) to (outside) source dynamic obj_any interface –> Not Working, Give me Asymmetric NAT…
(inside) to (outside) source dynamic obj_any interface –> Solution.
Awesome, glad it worked out for you!
Hi Kevin,
Just want to say, well written article, :)
fixed my issue within minutes
Great, glad it helped out!
Having a similar issue, logging error is below:
“Assymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OSRP:10.46.0.154/49465 dst BEON:10.128.0.17/22 denied due to NAT reverse path failure”
NAT config below where “net-LAP-NAT” = 10.128.0.17 and “net-Outside-NAT” = 10.46.0.154
“nat (BeOn,OSRP) source static net-LAP-NAT net-Outside-NAT”
Any and all help is greatly appreciated.
Darby
Kevin, you're the man. I had everything configured except this piece. Was banging my head against the wall. Not being a full-time network guy and wearing many IT hats, these setups can be confusing. Thanks for posting.
Awesome, glad it helped!