asymmetric nat?

Unanswered Question
Nov 4th, 2009
User Badges:

Hi All.

I have this problem. I manage a remote datacenter network from an ASA outside interface.

The same host must be accessed from outside by customers by its natted IP address (200.x.x.1) and, at same time, by staff by its real ip (10.x.x.1) “AND” by its natted address. Until now no problem, I thought. I created a static nat and a nat exemption this way (10.x.50.0/24 is the staff network):

access-list NO-NAT extended permit ip host 10.x.2.1 10.x.50.0

nat (dmz) 0 access-list NO-NAT tcp 0 0 udp 0

static (dmz,outside) 200.x.x.1 10.x.x.1 netmask

But this way the machine can be accessed by its natted IP address by anyone, including staff. But it cannot be accessed by its real ip address. ASA 8.2 gives the following error message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src xxxx/kk dest yyyy/jj denied due to NAT reverse path failure.

Is there any way to access a host using BOTH natted AND real IP address? Routers don't seem to bother with this.

Paulo Roque

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sdoremus33 Wed, 11/04/2009 - 17:52
User Badges:
  • Bronze, 100 points or more

Is there any way to access a host using BOTH natted AND real IP address

If there is I am also curious if this is possible.

One possible solution is for the host to have 2 IP addresses. One is NATed to and the other is the 'real' IP.

Another solution might be to utilize an access-list with a static NAT. I'm not sure that this would work in your case though.

access-list NAT-acl extended permit ip host 10.x.2.1 10.x.50.0

static (dmz,outside) 10.x.x.1 access-list NAT-acl

static (dmz,outside) 200.x.x.1 10.x.x.1 netmask

Like I said, that may not work though.

pauloroque Sat, 11/07/2009 - 06:29
User Badges:


I tried like you said. But it did not work. The problem is that when I ping the address 200.x.x.1, in the inbound direction the echo-request packet gets translated by the second rule, but the echo-reply in the opposite direction was translated by first rule Again asymmetric NAT.


Paulo Roque


This Discussion