Denied due to NAT reverse path failure

Unanswered Question
Jan 7th, 2010
User Badges:

Hello list,

I was hoping someone could offer any suggestions on how to go about troubleshooting this particular issue further or maybe explain in details what this error message really means?  Please note that this setup has been working all along and there isn't anything special that I believe has been implemented on the ASA to complicate the setup or for that fact break it.

Data path:

The basic scenario includes a Global-to-Local NAT on the ASA FW.  The client initiates a tcp connection to a routable IP which is a one-to-one NAT from the outside-to-inside interfaces.

Here is the running-config:

access-list outside_access_in extended permit ip host
static (inside,outside) netmask


nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip

FW# show xlate detail interface outside debug global

NAT from inside:  to outside: flags s idle 0:19:23 timeout 0:00:00

Capturing traffic on the "outside" interface:

1: 04:45:57.481313 802.1Q vlan#111 P0 > S 4092650306:4092650306(0) win 5840 <mss 1300,sackOK,timestamp 3923221967 0,nop,wscale 8,opt-33:1900145e8450f5070000>
   2: 04:46:00.482122 802.1Q vlan#111 P0 > S 4092650306:4092650306(0) win 5840 <mss 1300,sackOK,timestamp 3923224967 0,nop,wscale 8,opt-33:1900145e8450f5070000>

"show log" indicates:

<165>:Jan 07 21:14:10 UTC: %ASA-session-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside: dst inside: denied due to NAT reverse path failure

Here is the "packet-tracer" output from the FW:

FW#  packet-tracer input outside tcp 1024 30000 detailed

Phase: 9
Subtype: rpf-check
Result: DROP
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x1c4dbb78, priority=6, domain=nat-exempt-reverse, deny=false
    hits=75, user_data=0x1c371e68, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip=, mask=, port=0
    dst ip=, mask=, port=0, dscp=0x0

input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Kureli Sankar Fri, 01/08/2010 - 05:34
User Badges:
  • Cisco Employee,

I believe you need the following:

access-list inside_nat0_outbound line 1 deny ip host host

Either the above or the host on the outside should talk to the inside host using its private address ( and not the translated address.


If the host, or the parent network, isn't in the NAT exempt allow, it is implicitly denied. Only if the aggregate network is in the exempt, would you explicitly need to deny it serially ahead of the allow.

Sadly, ASA doesn't seem to have a notion of state associated with NATs where assumed SNAT on reverse for a static DNAT forward, overrides exempt on the return.

I'd scream RFE to Cisco, unless the enhancement further breeds sloppiness.

fadlouni Fri, 12/10/2010 - 06:15
User Badges:
  • Bronze, 100 points or more


About statefullness of NAT, this was there in older ASA images, i think somehwere in 8.2 this got broken. but after CSCth72642 NAT is statefullness is fixed.



Maykol Rojas Sat, 01/29/2011 - 21:17
User Badges:
  • Cisco Employee,
  • Participante Destacado,

    Mejor Publicación, Diciembre del 2015


Totally Agree with Sankar, you are hitting one Nat statement (the static) and then in the return, as per the NAT order of operations, it wont use the Existing Xlate, it will use the NAT 0 statement

Try the workaround from Sankar, it will work for your problem.



hibbert.miller Mon, 03/21/2011 - 05:55
User Badges:


I have posted on this thread as I am having the exact same problem, but have not been able to resolve it by following the suggestions provided. I should point out that I have limited experience with this gear, so please bear with me.

I have established a VPN between two ASA 5520 units, one of which has a public IP address on the outside interface and the other is behind a DSL modem that has a public IP on the outside, but has a address on the inside, which gives my second ASA a address on it's outside interface.

The inside networks of each ASA are and Each end can successfully connect to other systems on the Internet, but the issue of using remote desktop on from the inside to the inside is where I am getting the dreaded "Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside: dst inside: denied due to NAT reverse path failure" message. Note that the ASA with the network is fine when connecting to several ASA's with 192.168.X.0 networks on the inside, and it is only this one that is causing issue for me, so I don't think I need to change the configuration on it.

I believe I understand why it is happening based on the explanations provided; when the packets try to go back to the network, my rule that says anything going over the tunnel should be exempt from NAT, so they end up lost in the network between the ASA and the DSL modem. As stated above, I can see that the IPSec tunnel is successfully established, so I really just need to figure out what is happening with the NAT.

Further complicating matters is the fact that I do not have CLI access to the ASA, and must use the ASDM. I have copied the lines that I believe are relevant from the config.

access-list inside_access_in extended permit ip any object
access-list outside_access_in extended permit ip object-group any

access-list outside_1_cryptomap extended permit ip
nat (inside,outside) source static destination static

(Clue? I noticed that the translate/untranslate hits are 0 for this)

Any help gratly appreciated,


Michael Thwaite Tue, 12/02/2014 - 07:57
User Badges:



we came across the same error message of Asymmetric Nat deny rules.


to resolve this I added a new NAT rule in the ASDM GUI, above the default NAT which sends all traffic out on the outbound interface IP. the rule was as shown below.



hope this helps people out.








This Discussion