Nat – Asymmetric NAT rules matched for forward and reverse flows


I'm working on an ASA 5510 fw running 8.2(5) and I'm having the following problem.

I'm logged into a server behind the firewall and trying to ping the public ip of a website hosted on a different server behind the same firewall. The ping is failing and I'm seeing entries like so:

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src inside:192.168.1.122 dst outside:1.1.1.227 (type 8, code 0) denied due to NAT reverse path failure

I am running static nat.

Current nat config:

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 1.1.1.227 192.168.1.120 netmask 255.255.255.255 
static (inside,outside) 1.1.1.228 192.168.1.122 netmask 255.255.255.255 
static (outside,inside) 192.168.1.120 1.1.1.227 netmask 255.255.255.255 
static (outside,inside) 192.168.1.122 1.1.1.228 netmask 255.255.255.255 

I am able to ping out to any other website as well as browse the internet from within the server behind the firewall. I'm just not able to reach any website configured on an internal ip which is an ip being nat'ed.

Anyone know what can be wrong? I tried searching a bit online but the solutions mentioned haven't been working.

Please help point me in the right direction.

Thanks

Best Answer

You don't need both inside->outside and outside->inside rules. Just the (inside,outside) rules will do what I think you intend? (they apply in both directions)

"different server behind the same firewall"

That's hairpinning. No Cisco device will allow that. For it to work, the packet must leave the ASA (actually be put on a wire) and come back to it, or it won't follow the required NAT logic.
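A small checker for the first point in the answer, added here as an example (not code from the question's author or from Cisco): it parses 8.2-style `static` lines and flags each (outside,inside) rule that merely mirrors an existing (inside,outside) rule for the same pair of addresses. It assumes the inner interface is named `inside` (a parameter) and takes the answer's reading that the (inside,outside) static already covers both directions, so the mirrored rule is the one reported as redundant.

```python
import re

# Constructed sample input: the four static lines from the question above.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.227 192.168.1.120 netmask 255.255.255.255
static (inside,outside) 1.1.1.228 192.168.1.122 netmask 255.255.255.255
static (outside,inside) 192.168.1.120 1.1.1.227 netmask 255.255.255.255
static (outside,inside) 192.168.1.122 1.1.1.228 netmask 255.255.255.255
"""

# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_ifc>[^,)]+),(?P<mapped_ifc>[^)]+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)


def parse_statics(config_text):
    """Return one dict per parsable 'static' line; other lines are skipped."""
    rules = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["line"] = line.strip()
            rules.append(rule)
    return rules


def is_mirror(a, b):
    """True when b is a with its direction flipped: same hosts, interfaces swapped."""
    return (a["real_ifc"] == b["mapped_ifc"] and a["mapped_ifc"] == b["real_ifc"]
            and a["real_ip"] == b["mapped_ip"] and a["mapped_ip"] == b["real_ip"])


def find_mirrored_statics(rules, inner_ifc="inside"):
    """Return (kept_line, redundant_line) pairs; the rule whose real side is
    inner_ifc is kept, its mirror on the other interface is reported."""
    pairs = []
    for a in rules:
        if a["real_ifc"] != inner_ifc:
            continue
        for b in rules:
            if a is not b and is_mirror(a, b):
                pairs.append((a["line"], b["line"]))
    return pairs


def redundant_lines(config_text, inner_ifc="inside"):
    """Convenience wrapper: just the static lines the checker would remove."""
    return [red for _, red in find_mirrored_statics(parse_statics(config_text), inner_ifc)]
```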