Asymmetric NAT rules matched for forward and reverse flows


I was configuring a basic VPN on my home Cisco ASA firewall so I could monitor a few things on my network from my iPhone while I was out. It was a Friday near the end of the work day, I was working fast, and I skipped a very important detail – NAT exemption. I never added the required statement on my firewall. What that statement was, I’ll get to in a minute. Shortly after, a new error showed up in the firewall’s syslog:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows;
Connection for icmp src outside:X.X.X.X dst inside:X.X.X.X (type 8, code 0)
denied due to NAT reverse path failure

I hadn’t seen that error before. I checked the config, realized what I had missed, and had to laugh that I skipped such a thing. When my VPN was connected on my phone, I had a local address as a VPN user, assigned from a specified pool. So on the way IN to my network there was no NAT translation. But with the way my firewall was configured, any outbound traffic was NAT’ed to my interface address unless it matched another rule that I had set up. Since I missed the NAT exemption for this VPN configuration, the return traffic was translated to my interface address instead of keeping the local IP it should have. The forward flow (untranslated) and the reverse flow (translated) no longer matched, which is exactly what the log message is complaining about, and I was unable to load any internal resources on my network.

So what exactly did I do to fix this, you might be asking? I simply added a new NAT statement saying that when the source was an internal network resource accessing another internal network resource, all addressing would remain in its original state with no translation. On my Cisco ASA 5505 running 9.1(6), it looked a bit like this:

[Image: Nat Exempt Example on a Cisco ASA 5505]

The moment I hit Apply, all network resources were accessible over the VPN. The main thing to remember if you ever get that error is to check all the NAT translations you have and ensure that the source and destination devices use the same IP information in both directions. If a NAT statement is off and these don’t match, the traffic will not work.
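The NAT exemption the post describes, written out in ASA CLI as an added example rather than the author's actual configuration (the screenshot is not reproduced here). The subnets, pool range, object names and interface names are assumptions for the example; the statement form is the twice NAT syntax used by ASA 8.3 and later, which is what 9.1(6) runs.

```cisco
! Added example, not the author's config. The 192.168.1.0/24 LAN, the
! 192.168.10.0/24 VPN pool and the object names are assumed values.
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 192.168.10.0 255.255.255.0
!
! Address pool handed to remote-access VPN clients (assumed range)
ip local pool VPN_ADDRS 192.168.10.1-192.168.10.50 mask 255.255.255.0
!
! NAT exemption: identity twice NAT between the LAN and the VPN pool. Because
! the same object appears as real and mapped on both sides, nothing is
! translated in either direction. Twice NAT (section 1) is evaluated before
! network object NAT, so this rule wins over the dynamic PAT below for
! LAN <-> VPN traffic. no-proxy-arp stops the ASA answering ARP for the VPN
! pool on the inside; route-lookup makes it use the routing table to pick
! the egress interface instead of the interface named in the NAT rule.
nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! The pre-existing dynamic PAT that was translating the return traffic to the
! outside interface address, i.e. the cause of the %ASA-5-305013 message.
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
```

To confirm the exemption is the rule being hit, run packet-tracer in both directions, for example `packet-tracer input inside icmp 192.168.1.10 8 0 192.168.10.5` and the mirror image from the outside interface, and check that the NAT phase reports the identity rule rather than the dynamic PAT. `show nat` then shows translate_hits and untranslate_hits climbing on the exemption line once VPN traffic flows. One related trap, which a commenter below ran into, is a dynamic PAT written as `nat (any,outside)`: with `any` as the source interface it can also match flows that entered on outside, so scoping the PAT to `(inside,outside)` is the other usual fix.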




  1. I’m having the same issue, remote access vpn can ping servers but not the inside of the ASA and thus its not getting the route to another server that is on separate subnet. The VPN pool for the VPN is on the same sub net of the LAN but outside of the DHCP scope. I have been fiddling with ACLs, NAT, etc and nothing works here. My problem is also that this is in production with an active L2L Ipsec VPN connection that I cannot disturb. Thoughts?

    Error in log:
    Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:\vpnuser1) dst inside: (type 8, code 0) denied due to NAT reverse path failure

  2. Great Blog. Had the same issue and after a couple of days searching this was my solution.

    “Network Object” NAT
    (ANY) to (outside) source dynamic obj_any interface –> Not Working, Give me Asymmetric NAT…
    (inside) to (outside) source dynamic obj_any interface –> Solution.

  3. Having a similar issue, logging error is below:
    “Assymmetric NAT rules matched for forward and reverse flows; Connection for tcp src OSRP: dst BEON: denied due to NAT reverse path failure”

    NAT config below where “net-LAP-NAT” = and “net-Outside-NAT” =
    “nat (BeOn,OSRP) source static net-LAP-NAT net-Outside-NAT”

    Any and all help is greatly appreciated.


  4. Kevin, You’re the man. I had everything configured except this piece. Was banging my head against the wall. Not being a full time network guy and wearing many IT hats these setups can be confusing. Thanks for posting.
