Cisco Support Community

New Member

ASA Port Forward


I have an issue where I need to port forward a port from the outside to a host on the inside. The outside interface is a private (RFC1918) address, which is NAT'd to an upstream firewall. The problem is an rpf-check DROP and %ASA-5-305013:

Topology:  Internet--> Provider running nat --> Outside: --> Inside: - Provider is translating to a public IP address


interface Ethernet0/0
 description Outside WAN
 nameif outside
 security-level 0
 ip address

interface Ethernet0/2
 description Inside
 nameif inside
 security-level 100
 ip address

route outside

object network User-1

object network 80-server
 nat (inside,outside) static interface service tcp 80 80

nat (inside,outside) after-auto source dynamic User-1 interface

access-list Outside-In extended permit tcp any object User-1 eq 80
access-list Inside extended permit tcp any any

access-group Outside-In in interface outside
access-group Inside in interface inside


%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:x.x.x.x/80 dst inside: denied due to NAT reverse path failure

Packet Trace:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: DROP

object network 80-server
 nat (inside,outside) static interface service tcp 80 80

Additional Information:
Forward Flow based lookup yields rule:
out id=0xad6f5890, priority=6, domain=nat-reverse, deny=false
        hits=410, user_data=0xb1662d28, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=, mask=, port=0, tag=0
        dst ip/id=, mask=, port=80, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any assistance would be appreciated.


Super Bronze

ASA Port Forward


Typically the result would be caused if your "packet-tracer" command targeted the actual local IP address of the server ( rather than the mapped IP address (

This results in the initial direction not matching any NAT rule while the reverse matches the actual Static PAT configuration you were attempting to test with the "packet-tracer" command.

If you are simulating a packet coming from the interface to your server, then the correct "packet-tracer" command would be, for example:

packet-tracer input outside tcp 12345 80

The configuration shown above seems to be correct, though.

- Jouni
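A simplified model of the reverse-path check Jouni describes, added here as an illustration; it is not code from this thread or from Cisco, and the addresses, the rule representation and the lookup order are my own assumptions. It shows why a trace aimed at the real server address matches only the reverse rule and is dropped, while one aimed at the mapped interface address passes.

```python
from dataclasses import dataclass

# Constructed addresses (not from the thread): a private outside interface
# address, as the poster describes, and the web server on the inside.
OUTSIDE_IF_IP = "10.1.1.2"
SERVER_80_IP = "192.168.1.80"

@dataclass(frozen=True)
class StaticPat:
    """One 'nat (real_ifc,mapped_ifc) static <mapped_ip> service tcp <real_port> <mapped_port>'."""
    name: str
    real_ifc: str
    mapped_ifc: str
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int

# Models 'object network 80-server' / 'nat (inside,outside) static interface service tcp 80 80'
RULES = [StaticPat("80-server", "inside", "outside", SERVER_80_IP, OUTSIDE_IF_IP, 80, 80)]

def untranslate(in_ifc, dst_ip, dst_port):
    """Forward lookup: a packet entering on the mapped side gets its destination un-NATed."""
    for r in RULES:
        if r.mapped_ifc == in_ifc and (dst_ip, dst_port) == (r.mapped_ip, r.mapped_port):
            return r.real_ip, r.real_port, r
    return dst_ip, dst_port, None  # no rule matched: destination stays as sent

def translate_reverse(out_ifc, real_ip, real_port):
    """Reverse lookup: what the server's replies (real side -> mapped side) are NATed to."""
    for r in RULES:
        if r.real_ifc == out_ifc and (real_ip, real_port) == (r.real_ip, r.real_port):
            return r.mapped_ip, r.mapped_port, r
    return real_ip, real_port, None

def rpf_check(in_ifc, out_ifc, dst_ip, dst_port):
    """Simplified NAT rpf-check: the reverse flow must translate back to the exact
    destination the packet was sent to, otherwise forward and reverse rules are asymmetric."""
    real_ip, real_port, fwd = untranslate(in_ifc, dst_ip, dst_port)
    mapped_ip, mapped_port, rev = translate_reverse(out_ifc, real_ip, real_port)
    symmetric = (mapped_ip, mapped_port) == (dst_ip, dst_port)
    return {"result": "ALLOW" if symmetric else "DROP",
            "forward_rule": fwd.name if fwd else None,
            "reverse_rule": rev.name if rev else None}

if __name__ == "__main__":
    # Tracing to the mapped (interface) address passes; tracing to the real server
    # address matches only the reverse rule and is dropped, as in the poster's trace.
    print("mapped:", rpf_check("outside", "inside", OUTSIDE_IF_IP, 80))
    print("real:  ", rpf_check("outside", "inside", SERVER_80_IP, 80))
```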