Cisco Support Community
Community Member

denied due to NAT reverse path failure - Asymmetric

Hi Guys

I am trying to lock down the VPN access on my Cisco 5520 ASAs, whereby I do not wish to allow users SSH access etc. to servers running on the same interface that they are VPNing into.

I did not originally configure the ASA and so I am slightly confused by some of the config on it. Currently, when I attempt to ping a server within the same interface as the VPN network, I get the following error in the logs below.

5    Jul 05 2012    09:45:15    305013    monitoringsystem                Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src dmzAHdata:VPN IP dst AHdata:monitoringsystem (type 8, code 0) denied due to NAT reverse path failure

As a workaround I created a NAT exempt rule, which then allowed traffic to the server in question. However, I wish to limit the traffic to only ICMP, and when I do this in the firewall it does not take effect. Is this because of the NAT exempt rule?

Any help is much appreciated

Cisco Employee

denied due to NAT reverse path failure - Asymmetric

What have you configured to limit the traffic to only ICMP? Did you configure a VPN filter ACL and assign it to the VPN client group policy?
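
The reply above points at the usual way to restrict what remote-access VPN users can reach: a vpn-filter ACL on the group policy. The following ASA configuration is an added example of that approach together with the identity (NAT exempt) rule that clears the 305013 "NAT reverse path failure" message; it is not the poster's configuration and not Cisco's own text. It assumes ASA 8.3+ object NAT syntax, the interface names AHdata and dmzAHdata taken from the log line, a constructed VPN pool 10.10.10.0/24, a constructed server address 10.20.20.5, and a group policy named VPN_GP; change all of these to match your device.

```cisco
! --- Objects (constructed sample addresses) ---
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0        ! address pool handed to VPN clients (assumed)
object network MONITORING_SRV
 host 10.20.20.5                        ! the server that was being pinged (assumed)

! --- Identity NAT ("NAT exempt") between the server and the VPN pool ---
! Without this the forward and reverse flows can match different NAT rules,
! which is what %ASA-5-305013 "Asymmetric NAT rules matched" reports.
nat (AHdata,dmzAHdata) source static MONITORING_SRV MONITORING_SRV destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! --- VPN filter: the ACL is written from the client side ---
! Source = VPN client addresses, destination = internal resource.
! The filter has an implicit deny, so SSH and everything else is dropped.
access-list VPN_ICMP_ONLY extended permit icmp 10.10.10.0 255.255.255.0 host 10.20.20.5

group-policy VPN_GP attributes
 vpn-filter value VPN_ICMP_ONLY

! --- Verification: trace an ICMP echo from a client address to the server ---
! Expect the NAT phase to show the identity rule and ACCESS-LIST to permit.
packet-tracer input dmzAHdata icmp 10.10.10.5 8 0 10.20.20.5
! Repeat with tcp 10.10.10.5 1025 10.20.20.5 22 and expect a DROP on the vpn-filter.
```

One point worth knowing when an interface ACL "does not take effect" for VPN users: by default the ASA has `sysopt connection permit-vpn` enabled, which lets decrypted VPN traffic bypass the interface access-group entirely. The vpn-filter on the group policy is evaluated regardless of that setting, which is why the reply suggests it rather than an interface ACL; the NAT exempt rule itself does not override access control.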
