NAT Issues on ASA 5505

Posted on 2014-08-28
Last Modified: 2014-10-28
I'm having a NAT issue with an ASA 5505 that I set up.  The inside interface is and I have a few devices on the inside.  The outside interface is connecting to our office LAN on  

On the network I can reach outside fine.  From the network, when I try to connect in, I receive this error on the firewall:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside: dst inside: (type 8, code 0) denied due to NAT reverse path failure

This is what I have for a NAT:

Result of the command: "sh run nat"

nat (inside) 10

I know it's a NAT issue, I'm just not sure what I need to do or add to allow the traffic inbound.  It would be nice if I had a brief explanation of exactly what is happening also and why the added statement fixes the issue.

Question by:AllDaySentry

    Expert Comment

    It appears that (outside) is trying to ping (inside).

    I believe the problem is that should be trying to ping's NAT'ed address, not its real address.

    Can you post your whole "cleaned" ASA config file?

    Author Comment

    Below is the config.  Basically I am trying to access the inside IPs by the real address and not having to set up a NAT for each one.

    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
     switchport access vlan 9
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     no nameif
     no security-level
     no ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    interface Vlan9
     nameif inside
     security-level 100
     ip address
    ftp mode passive
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 10
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh inside
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny  
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip  
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
     profile CiscoTAC-1
      no active
      destination address http
      destination address email
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end

    Expert Comment

    If I understand your configuration correctly, and how ASA does NAT, the following lines:

    global (outside) 10 interface
    nat (inside) 10

    say to do a NAT.  What it should be doing is: anything going from the inside interface to the outside interface should be NAT'ed to the IP address on the outside interface.

    You should be able to try and ping a host from a host; the host should see the source IP address as whatever the outside (VLAN2) interface IP address is.

    I used to manage a PIX firewall.  It's not ASA exactly and it has been a while.

    Accepted Solution

    nat (inside) 0

    If that doesn't work:
    access-list nonat permit ip
    nat (inside) 0 access-list nonat
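As an added illustration of the accepted solution (example code written for this page, not code from the thread, from Cisco, or from any ASA software), here is a small Python model of the pre-8.3 ASA NAT reverse-path check. It encodes the two configurations discussed above, dynamic PAT via `global (outside) 10 interface` / `nat (inside) 10` and NAT exemption via `nat (inside) 0 access-list nonat`, and shows why an inbound connection to a host's real inside address is dropped with "NAT reverse path failure" under the first but passes under the second. The addresses (192.168.9.0/24 inside, 10.0.0.0/24 office LAN, 10.0.0.2 as the outside interface address) are constructed sample values, and the rule-evaluation order (exemptions before dynamic rules, unmatched traffic passed untranslated) is an assumption about pre-8.3 behaviour, not something the thread states.

```python
"""Toy model of the pre-8.3 ASA NAT reverse-path check.

Constructed example for this thread, not code from the page, from Cisco,
or from any ASA software. It models the two configurations the answers
discuss:

    global (outside) 10 interface      (dynamic PAT to the outside
    nat (inside) 10                     interface address)

    access-list nonat permit ip ...     (NAT exemption: inside hosts
    nat (inside) 0 access-list nonat    keep their real addresses)

and shows why an inbound connection to a host's real inside address is
dropped with "NAT reverse path failure" under the PAT rule, but passes
once an exemption covers the reverse (inside -> outside) flow.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class NatRule:
    kind: str                  # "exempt" (nat 0 access-list) or "pat" (nat/global pair)
    src_net: str               # inside addresses the rule covers
    dst_net: Optional[str]     # outside destinations (exempt rules); None = any
    global_ip: Optional[str]   # address PAT translates to; None for exempt rules


def _matches(rule: NatRule, src: str, dst: str) -> bool:
    """True when the inside source and outside destination fall inside the rule."""
    if ip_address(src) not in ip_network(rule.src_net):
        return False
    return rule.dst_net is None or ip_address(dst) in ip_network(rule.dst_net)


def translated_source(rules, inside_src: str, outside_dst: str) -> str:
    """Source address an outside host sees for an inside -> outside flow.

    Assumptions (labelled): exemption rules win over dynamic rules, which is
    the pre-8.3 ASA evaluation order, and traffic matching no rule passes
    untranslated (the 'no nat-control' default).
    """
    ordered = sorted(rules, key=lambda r: 0 if r.kind == "exempt" else 1)
    for rule in ordered:
        if _matches(rule, inside_src, outside_dst):
            return inside_src if rule.kind == "exempt" else rule.global_ip
    return inside_src


def reverse_path_ok(rules, outside_src: str, inside_dst: str) -> bool:
    """Inbound check: the address the outside host used must equal what the
    inside host's reply would be translated to. If not, forward and reverse
    flows match different NAT rules and the firewall drops the packet."""
    return translated_source(rules, inside_dst, outside_src) == inside_dst


def explain(rules, outside_src: str, inside_dst: str) -> str:
    """Human-readable verdict in the spirit of the firewall's log line."""
    seen_as = translated_source(rules, inside_dst, outside_src)
    if seen_as == inside_dst:
        return f"{outside_src} -> {inside_dst}: allowed, reverse flow keeps real address"
    return (f"{outside_src} -> {inside_dst}: denied, reverse flow would be "
            f"translated to {seen_as} (NAT reverse path failure)")


# Constructed sample values: inside VLAN 192.168.9.0/24, outside interface
# 10.0.0.2 on the 10.0.0.0/24 office LAN, outside host 10.0.0.5.
PAT_ONLY = [NatRule("pat", "192.168.9.0/24", None, "10.0.0.2")]
WITH_EXEMPT = PAT_ONLY + [NatRule("exempt", "192.168.9.0/24", "10.0.0.0/24", None)]

if __name__ == "__main__":
    print(explain(PAT_ONLY, "10.0.0.5", "192.168.9.10"))
    print(explain(WITH_EXEMPT, "10.0.0.5", "192.168.9.10"))
    print("outbound source seen by 10.0.0.5 under PAT:",
          translated_source(PAT_ONLY, "192.168.9.10", "10.0.0.5"))
```

The model makes the two answers concrete: under the PAT-only rule set an inside host's reply to 10.0.0.5 would leave as 10.0.0.2, not as the address the outside host targeted, so the inbound flow is asymmetric and denied; adding an exemption that covers inside-to-office-LAN traffic makes the reverse flow keep its real address and the check passes. Note that the exemption only helps for destinations it actually lists: a flow to an address outside its destination range still falls through to PAT.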
