I have this problem. I manage a remote datacenter network from an ASA outside interface.
The same host must be accessed from outside by customers by its natted IP address (200.x.x.1) and, at the same time, by staff by its real IP (10.x.x.1) "AND" by its natted address. Until now no problem, I thought. I created a static NAT and a NAT exemption this way (10.x.50.0/24 is the staff network):
access-list NO-NAT extended permit ip host 10.x.2.1 10.x.50.0 255.255.255.0
nat (dmz) 0 access-list NO-NAT tcp 0 0 udp 0
static (dmz,outside) 200.x.x.1 10.x.x.1 netmask 255.255.255.255
But this way the machine can be accessed by its natted IP address by anyone, including staff. But it cannot be accessed by its real IP address. ASA 8.2 gives the following error message:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection protocol src xxxx/kk dest yyyy/jj denied due to NAT reverse path failure.
Is there any way to access a host using BOTH natted AND real IP address? Routers don't seem to bother with this.