ASA 8.3+ Asymmetric NAT rules matched for forward and reverse flows

On 8.3(2) and later code, traffic across a site-to-site (L2L) VPN may be dropped with the following syslog message:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:x.x.x.x/3214 dst inside:y.y.y.y/80 denied due to NAT reverse path failure

The cause is a unidirectional keyword that the NAT migration added to your rules incorrectly. If you upgraded from 8.2 directly to 8.3(2) without going to 8.3(1) first, the migration tags the NAT rules with unidirectional, which restricts each translation to connections initiated from the rule's source (real) side. A connection initiated from the destination side, such as the remote VPN peer opening a session to an inside host, fails the reverse-path NAT check and is denied with the 305013 message above.

Your configuration will look something like this:

nat (inside,any) source static obj-x.x.x.x obj-x.x.x.x destination static obj-y.y.y.y obj-y.y.y.y unidirectional

Remove the unidirectional keyword: negate the rule with the no form of the full line and re-enter it without the keyword (a line number after the interface pair lets you put it back at its original position in section 1), so that it reads as follows. Afterwards, confirm with show nat detail that the rule no longer carries the flag, and with packet-tracer from the outside interface that a connection initiated by the remote peer to the inside host is now translated rather than dropped.

nat (inside,any) source static obj-x.x.x.x obj-x.x.x.x destination static obj-y.y.y.y obj-y.y.y.y
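
As an added example (not from the original post), the following Python helper does the cleanup described above for a whole migrated config rather than one rule: it parses the 305013 message into its flow tuple, scans a running-config for manual (twice) NAT rules carrying the unidirectional keyword, correlates the denied inside host with the rule whose real source object it belongs to, and emits the no/re-add commands, re-inserting each rule at its original section-1 position so rule order is preserved. The config, object names, addresses and the syslog line are constructed for illustration and come from no real device.

```python
"""Find migrated ASA twice-NAT rules tagged 'unidirectional' and generate the fix.
Added example; the config and syslog line below are constructed, not from the post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of 'show running-config' on a box migrated to 8.3(2).
# Object names and addresses (RFC 5737 ranges) are made up for this example.
SAMPLE_CONFIG = """\
object network obj-192.0.2.10
 host 192.0.2.10
object network obj-198.51.100.20
 host 198.51.100.20
object network obj-dmz-web
 host 192.0.2.80
object network obj-partner-net
 subnet 203.0.113.0 255.255.255.0
nat (inside,any) source static obj-192.0.2.10 obj-192.0.2.10 destination static obj-198.51.100.20 obj-198.51.100.20 unidirectional
nat (inside,outside) source dynamic any interface
nat (dmz,any) source static obj-dmz-web obj-dmz-web destination static obj-partner-net obj-partner-net unidirectional
nat (inside,outside) after-auto source dynamic any interface
"""

# Constructed syslog line in the %ASA-5-305013 format quoted in the post.
SAMPLE_SYSLOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
                 "Connection for tcp src Outside:198.51.100.20/3214 dst inside:192.0.2.10/80 "
                 "denied due to NAT reverse path failure")

SYSLOG_305013 = re.compile(
    r"%ASA-\d-305013:.*?Connection for (?P<proto>\w+) "
    r"src (?P<src_ifc>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+)")


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ifc: str
    src_ip: str
    src_port: int
    dst_ifc: str
    dst_ip: str
    dst_port: int


def parse_305013(line: str) -> Optional[Flow]:
    """Extract the denied connection from a %ASA-5-305013 message (None if no match)."""
    m = SYSLOG_305013.search(line)
    if not m:
        return None
    return Flow(m["proto"], m["src_ifc"], m["src_ip"], int(m["src_port"]),
                m["dst_ifc"], m["dst_ip"], int(m["dst_port"]))


def host_objects(config: str) -> Dict[str, str]:
    """Map each 'object network NAME' that holds a single 'host A.B.C.D' to that address."""
    hosts: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("object network "):
            current = raw.split()[2]
        elif raw.startswith(" host ") and current:
            hosts[current] = raw.split()[1]
        elif not raw.startswith(" "):
            current = None          # any other top-level line ends the object block
    return hosts


def section1_manual_rules(config: str) -> List[str]:
    """Twice-NAT rules in section 1, in running-config order (after-auto rules are section 3)."""
    return [ln.strip() for ln in config.splitlines()
            if ln.startswith("nat (") and "after-auto" not in ln.split()]


def unidirectional_rules(config: str) -> List[str]:
    """Section-1 rules the 8.3(2) migration tagged with the 'unidirectional' keyword."""
    return [r for r in section1_manual_rules(config) if "unidirectional" in r.split()]


def real_source_host(rule: str, hosts: Dict[str, str]) -> Optional[str]:
    """Address of the rule's real (pre-translation) source object, if it is a single host."""
    tok = rule.split()
    if "source" not in tok:
        return None
    i = tok.index("source")          # 'source static REAL MAPPED': REAL is two tokens on
    return hosts.get(tok[i + 2]) if len(tok) > i + 2 else None


def remediation(config: str, rule: str) -> List[str]:
    """CLI to drop the migrated rule and re-add it without 'unidirectional' at its original
    section-1 position ('show nat' numbers those rules from 1), so ordering is preserved."""
    position = section1_manual_rules(config).index(rule) + 1
    tok = [t for t in rule.split() if t != "unidirectional"]
    tok.insert(2, str(position))     # nat (real_ifc,mapped_ifc) LINE source ...
    return [f"no {rule}", " ".join(tok)]


def rules_blocking_flow(config: str, flow: Flow) -> List[str]:
    """Unidirectional rules whose real source is the inside host the denied flow was sent to."""
    hosts = host_objects(config)
    return [r for r in unidirectional_rules(config) if real_source_host(r, hosts) == flow.dst_ip]


if __name__ == "__main__":
    flow = parse_305013(SAMPLE_SYSLOG)
    print(f"denied {flow.proto} {flow.src_ip}:{flow.src_port} -> {flow.dst_ip}:{flow.dst_port}")
    for rule in rules_blocking_flow(SAMPLE_CONFIG, flow):
        print("\n".join(remediation(SAMPLE_CONFIG, rule)))
```

Because each fix is a remove followed by a re-insert at the same index, the positions computed from the original config stay valid as the commands are applied in order. Rules whose real source is a subnet object rather than a single host are still listed by unidirectional_rules but are not matched to a flow by this simple host lookup.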