Cisco Support Community
New Member

Cisco AnyConnect ASA denied due to NAT reverse path failure


I have set up AnyConnect on a Cisco ASA5520 and I am able to connect fine without any problems. The problem I am having is that once connected I am not able to access any of the internal network; I can't even ping the ASA itself or any IP on the internal network.

I receive the error below:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside: dst inside: denied due to NAT reverse path failure

Any help will be greatly appreciated.

I have pasted the running config below.

ciscoasa# sh run
: Saved
ASA Version 8.2(5)
!
hostname ciscoasa
enable password k1fr encrypted
passwd 2YOU encrypted
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group II_Internet
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address
!
interface Management0/0
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup inside
dns server-group DefaultDNS
object-group network Exchange_Server
access-list OUTSIDE-IN remark Allow SMTP
access-list OUTSIDE-IN extended permit tcp any host eq smtp
access-list OUTSIDE-IN remark ALLOW HTTPS
access-list OUTSIDE-IN extended permit tcp any host eq https
access-list no_nat extended permit ip
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool SSLClientPool mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list no_nat
nat (inside) 101
static (inside,outside) tcp smtp smtp netmask
static (inside,outside) tcp https https netmask
access-group OUTSIDE-IN in interface outside
route inside 1
route inside 1
route inside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 2456
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 keypair sslvpnkey
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
 certificate 081f7ea439d550
    3082057b 30820463 a0030201 02020708 1f7ea439 d550300d 06092a86 4886f70d
    01050507 01010474 30723024 06082b06 01050507 30018618 68747470 3a2f2f6f
    6373702e 676f6461 6464792e 636f6d2f 304a0608 2b060105 05073002 863e6874
    c344fe27 6e5daeac ca444182 0132cb7e 005b3b2c 99d558d4 90a3120e 02bd8139
    243878fc cf70f691 e3758245 4175a002 f03729b5 5af2db11 221381a9 9f1fddee
    8c879f26 e048639d 262d1c80 537920d0 e0427db4 81a698fc afdd256a 64070b2b
    d16e8995 23731426 b0b76042 b29a15cb cb793594 26be7299 a09f2365 4a254fe7
    d6ef1f2e 925bdc8f 7efb32b0 31de198e febdc248 27bbfa36 bb849df1 699f88
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 0301
    308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
    3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f
    3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
    776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
vpdn group II_Internet request dialout pppoe
vpdn group II_Internet localname
vpdn group II_Internet ppp authentication chap
vpdn username password *****
!
tls-proxy maximum-session 750
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
ntp server source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 svc enable
 tunnel-group-list enable
 certificate-group-map DefaultCertificateMap 10 SSLClient
group-policy SSLCLient internal
group-policy SSLCLient attributes
 dns-server value
 vpn-tunnel-protocol svc webvpn
 default-domain value
 address-pools value SSLClientPool
username Peter password 72Cuy5 encrypted
username Peter attributes
 service-type remote-access
username Sys-ten password Kd/vu encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
 default-group-policy SSLCLient
tunnel-group SSLClient webvpn-attributes
 group-alias MY_RA enable
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Hall of Fame Super Silver


Your no_nat access-list (access-list no_nat extended permit ip) only exempts communications to and from your VPN addresses from NAT.

Your example shows you trying to reach an internal DNS server. All inside networks need to be included in the no_nat access-list. That would mean, at a minimum, another entry in the access-list like:

access-list no_nat extended permit ip
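The fix above written out in full, as an added example that is not part of the thread and not the poster's configuration. The addresses are placeholders, because the thread's own addresses were not preserved on this page: an inside interface network of 192.168.1.0/24, two routed networks behind the inside router (10.10.0.0/16 and 10.20.0.0/16, standing in for the networks behind the posted `route inside` statements) and an AnyConnect pool of 192.168.100.0/24. On ASA 8.2, `nat (inside) 0 access-list` is evaluated on the inside interface, so each entry's source is the inside network and its destination is the VPN pool; an entry written in the opposite direction matches nothing, and the reply flow then falls through to the `nat (inside) 101` PAT rule, which is exactly the asymmetric pair the syslog complains about.

```cisco
! Added example with assumed (placeholder) addressing; not the poster's config.
!   inside interface network : 192.168.1.0/24
!   networks via inside router: 10.10.0.0/16, 10.20.0.0/16
!   AnyConnect pool SSLClientPool: 192.168.100.0/24
!
! One exemption entry per inside network that VPN clients must reach.
! Source = inside network, destination = VPN pool (8.2 nat 0 semantics;
! nat 0 access-list is applied in both directions once it matches).
access-list no_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list no_nat extended permit ip 10.10.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list no_nat extended permit ip 10.20.0.0 255.255.0.0 192.168.100.0 255.255.255.0
!
! Already present in the posted config; repeated here only so the example
! is complete. The exemption must be bound to the interface the inside
! hosts live behind, and it is consulted before the dynamic 101 rule.
nat (inside) 0 access-list no_nat
global (outside) 101 interface
```

Two things to check alongside the access-list: NAT exemption only fixes the firewall's half of the path, so the inside router that the four `route inside` statements point at must itself have a route for the pool (192.168.100.0/24 in this example) back to the ASA inside address, or replies to clients on those networks never return; and translations created before the access-list change keep their old NAT decision, so reconnect the client (or `clear xlate`) before re-testing.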

New Member


Hi Marvin,

I added the above access list you suggested but I am still having the same problem. Do you have any other idea what it could be?
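When the added entry does not change the symptom, the question is whether it is being hit at all. The exec-mode sequence below is an added example, not from the thread, and uses assumed placeholder addresses (192.168.1.10 for an inside DNS server, 192.168.100.5 for a connected AnyConnect client); the log line in the original post is the ASA's asymmetric-NAT message (syslog 305013), and `packet-tracer` reproduces the same NAT decision offline so the matching rule can be read directly instead of inferred from the log.

```cisco
! Added example; placeholder addresses, not the poster's.
!   192.168.1.10  = inside DNS server the client is trying to reach
!   192.168.100.5 = address the AnyConnect client received from the pool
!
! 1. Confirm the exemption entry exists, reads inside-network -> pool,
!    and that nat 0 on the inside interface still references the list.
show running-config access-list no_nat
show running-config nat
!
! 2. Trace the client's packet as the ASA sees it after decryption.
!    The NAT phase should name the exemption (NAT-EXEMPT); if it names
!    the dynamic rule (nat (inside) 101 / PAT to the outside interface)
!    or the result is DROP with a reverse-path reason, the entry did
!    not match and the addresses or direction are wrong.
packet-tracer input outside udp 192.168.100.5 40000 192.168.1.10 53 detailed
!
! 3. Trace the reply direction the same way; both must land on nat 0.
packet-tracer input inside udp 192.168.1.10 53 192.168.100.5 40000 detailed
!
! 4. Existing translations keep the NAT decision made before the
!    access-list change. Flushing them also drops current connections.
clear xlate
!
! 5. Pinging the ASA's own inside address through the tunnel is a
!    separate requirement from NAT: the posted config has no
!    management-access statement, so that ping fails regardless.
configure terminal
management-access inside
end
!
! 6. Confirm the client actually holds a pool address and the session is up.
show vpn-sessiondb svc
```

Read the two traces together: the forward trace tells you which NAT rule the client-to-server flow selects, the reverse trace which rule the server-to-client flow selects, and the syslog in the original post is only generated when those two answers differ.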

