But all connection attempts from PRIVATE DMZ to INSIDE are now BLOCKED with message:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure
My requirement is:
Dyn. PAT/NAT from INSIDE to PRV_DMZ, but NO NAT for sessions from PRV_DMZ to INSIDE. It is easy and straightforward to configure this on a Checkpoint FW-1 system, because the CP FW-1 is not checking the reverse path for NAT. How to achieve the same on a Cisco ASA5585-SSP10 with Ver. 8.4(2)8 installed?
[ASA8858 with 8.4(2)] asym. NAT rule; conflict with dyn. PAT; pr
Seems like there is another NAT in between that is causing this error message. It would be nice if we could have the configuration, but I'm going to tell you what we normally look at in these cases.
Existing NAT rules that could be created on the DMZ interface. Existing NAT rules that can be on the Inside. I am almost sure that there is another NAT that could be breaking things, meaning the packet does not get translated on the DMZ, but when it answers back to the inside, it hits a NAT rule.
Check for rules that may have any any. You can easily check this by doing a packet-tracer and seeing which NAT rules it would hit.
packet-tracer input inside tcp x 1025 y 80
Where x is the IP address of the inside host and y is the address of the DMZ host.
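When this message shows up in bulk, it helps to pull the flow fields out of the syslog and count which interface pair and service are affected before opening packet-tracer. The parser below is an added example, not code from the thread; it uses the message format quoted in the question, and the second and third log lines are constructed.

```python
import re
from collections import Counter

# Field layout of ASA message 305013, as quoted in the post above:
# "... Connection for <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> denied due to NAT reverse path failure"
ASA_305013 = re.compile(
    r"%ASA-\d-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) "
    r"denied due to NAT reverse path failure"
)


def parse_305013(line):
    """Return the flow fields of one 305013 message, or None for any other line."""
    m = ASA_305013.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    return fields


def summarize(lines):
    """Count denied flows per (src_ifc, dst_ifc, dst_ip, dst_port).

    Grouping on the destination service rather than the ephemeral source port
    makes the broken interface pair and the server behind it stand out.
    """
    counts = Counter()
    for line in lines:
        f = parse_305013(line)
        if f:
            counts[(f["src_ifc"], f["dst_ifc"], f["dst_ip"], f["dst_port"])] += 1
    return counts


# Constructed sample: first line is the one from the post, the others are made up.
SAMPLE_LOG = [
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4459 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src fw-prv:192.168.95.100/4460 dst fw-inside:172.28.100.55/1433 denied due to NAT reverse path failure",
    "%ASA-6-302013: Built inbound TCP connection 12 for fw-prv:192.168.95.100/4461 (192.168.95.100/4461) to fw-inside:172.28.100.56/443 (172.28.100.56/443)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```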