VPN Client To ASA 5505 then back out through tunnel to other ASA 5505

Unanswered Question
May 3rd, 2012

[Attached diagram: Remote Site Setup.png]

I'm having some issues trying to get the Site 3: VPN Client to be able to ping the Site 2: Server.  I have just built the tunnel from Site 1 to Site 2 and now have traffic flowing great from Site 1 to Site 2.  Site 3 clients can get to Site 1 clients with no issues at all.  But Site 3 clients can NOT get to Site 2 clients at all.

I'm guessing it has something to do with coming in on the outside (int 0) and then going back out the outside (int 0) interface.  I have enabled/used the following lines but I still cannot get it to work.

1) same-security-traffic permit intra-interface (on the Site 1 ASA only)

2) I have my NAT exempt rules in place for both Site 1 and Site 2.  Site 2 is using IOS 8.2(1) and Site 1 is using the newer IOS 8.4(2).  So the Site 1 ASA is using the route-lookup switch to simulate the EXEMPT.

Any ideas why it would not be working for me?

Dan-Ciprian Cicioiu Thu, 05/03/2012 - 11:08

Hi Arvo,

Shouldn't you do NAT exempt also for Site3 - Site2 on both ASAs, Site 1 and Site 2?

As I see it, in order for a packet from Site3 to go over the IPsec tunnel between Site1 and Site2, the source (Site3, which I suppose connects to Site 1) should not be NATed going to Site2 and back.

Does this make sense, or have you already done that in point 2?


arvo.bowen Thu, 05/03/2012 - 11:33


So I should have 2 NAT EXEMPT rules on Site 1's ASA and 1 NAT EXEMPT rule on Site 2's ASA?

Dan-Ciprian Cicioiu Thu, 05/03/2012 - 11:37

Hi Arvo,

As I see it, on site 1 you should have 2 NAT exempts:

     source destination

     source destination

On site 2 you should exempt the same traffic from NAT, but the other way around:

     source destination

     source destination

And the IPsec traffic should also match this traffic.


arvo.bowen Thu, 05/03/2012 - 11:57


Just to stay on a single issue, all I care about is getting from the Site 3: VPN Client to the Site 2: Server ...  In saying that, we can ignore all the rules as they do not apply to the Site 2: Subnet or the Site 3: Subnet.

So just dealing with the subnet (VPN Clients) and the subnet (Site 2), I should only need 1 EXEMPT NAT for each ASA, right?  Or am I wrong?

arvo.bowen Thu, 05/03/2012 - 13:02

OK so this is what I currently have on Site 1's ASA...

object network LAN-INSIDE
 description local area network

object network LAN-FULTON
 description Fulton's Network

nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup description Exempt NAT rule for traffic from the inside network to the Fulton network

Then on Site 2's ASA...

access-list inside_nat0_outbound extended permit ip

nat (inside) 0 access-list inside_nat0_outbound

Does that look right?

rizwanr74 Fri, 05/04/2012 - 11:44

"But Site 3 clients can NOT get to Site 2 clients at all."

Can you please explain whether the Site3 RA VPN clients are being terminated on the Site1 or the Site2 ASA?  If your answer is Site1:

Then you need no-NAT for these segments, i.e. the Site3 RA VPN clients and Site2, on Site1's outside interface, so your understanding is correct with regard to this issue.

Solution as follows, I assume you are using mask /24 on your networks.

access-list outside_nonat extended permit ip
access-list outside_nonat extended permit ip

nat (outside) 0 outside_nonat

Now, incorporate "" in the tunnel between site1 and site2, i.e. in the crypto ACL.

On Site2, please make sure you have a static route as shown below.

route outside xxx.xxx.xxx.xxx <-default-gateway on Site2 ASA.

Let me know how this is coming along.


Rizwan Rafeek.

Message was edited by: Rizwan Mohamed

arvo.bowen Mon, 05/14/2012 - 12:58

Thanks for the VERY informative response!  Below are some config entries that I have made, still yielding no results...

To answer your first question, yes, the VPN clients connect to the Site 1: ASA and once connected should have access to the Site 2: ASA LAN.  Second clarification: YES, everything is /24 masks.  Please keep in mind that below I'm using the ASDM for everything, so the names are auto created.

Site 2: ASA Version 8.2(1)

nat (inside) 1 dns
nat (outside) 0 access-list outside_nat0_outbound

route outside 1
route outside 1

access-list outside_nat0_outbound extended permit ip 
access-list outside_nat0_outbound extended permit ip

Does that look right?

rizwanr74 Tue, 05/15/2012 - 09:43

"Does that look right?"

Yes for Site1, and please make sure that a static route exists on Site2 as shown below.

route outside xxx.xxx.xxx.xxx <-default-gateway at Site2 ASA.

You also need the below config copied on the Site2 ASA as well.

nat (outside) 0 access-list outside_nat0_outbound

access-list outside_nat0_outbound extended permit ip

access-list outside_nat0_outbound extended permit ip

Please be sure to include the below network segments in the crypto ACL for the site-to-site VPN between Site1 and Site2.



Looking forward to hearing from you.


Rizwan Rafeek

Message was edited by: Rizwan Mohamed
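A constructed end-to-end version of the configuration discussed in this thread, added here as an illustration; it is not Arvo's or Rizwan's config and not taken from Cisco documentation. All addresses are assumed: Site 1 LAN 192.168.10.0/24, VPN client pool 192.168.30.0/24, Site 2 (Fulton) LAN 192.168.20.0/24, Site 2 default gateway 203.0.113.1; the object names LAN-INSIDE and LAN-FULTON and the ACL name inside_nat0_outbound are the ones from the thread, the others (VPN-POOL, outside_cryptomap, SPLIT-TUNNEL) are assumed.

```cisco
! ---- Site 1 ASA (8.4) ----
! Assumed addresses: Site 1 LAN 192.168.10.0/24, VPN pool 192.168.30.0/24, Site 2 LAN 192.168.20.0/24.
same-security-traffic permit intra-interface
object network LAN-INSIDE
 subnet 192.168.10.0 255.255.255.0
object network LAN-FULTON
 subnet 192.168.20.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.30.0 255.255.255.0
! Existing identity (exempt) NAT for inside -> Site 2, as posted in the thread.
nat (inside,outside) source static LAN-INSIDE LAN-INSIDE destination static LAN-FULTON LAN-FULTON route-lookup
! Second identity NAT for VPN clients -> Site 2. Both legs are the outside
! interface, which is why intra-interface hairpinning is permitted above.
nat (outside,outside) source static VPN-POOL VPN-POOL destination static LAN-FULTON LAN-FULTON route-lookup
! The crypto ACL for the Site 1 <-> Site 2 tunnel must carry the VPN pool as well.
access-list outside_cryptomap extended permit ip object LAN-INSIDE object LAN-FULTON
access-list outside_cryptomap extended permit ip object VPN-POOL object LAN-FULTON
! If the client group uses split tunneling, Site 2's LAN must be in the split-tunnel ACL
! or the clients never send that traffic into the tunnel in the first place.
access-list SPLIT-TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.20.0 255.255.255.0

! ---- Site 2 ASA (8.2) ----
! Mirror image: exempt local LAN -> VPN pool on the inside interface (where the
! server's return traffic enters) and add the pool to the crypto ACL, reversed.
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
! Route the pool back toward Site 1 via the outside interface (assumed gateway 203.0.113.1).
route outside 192.168.30.0 255.255.255.0 203.0.113.1 1
```

To check the Site 1 side without a client connected, `packet-tracer input outside icmp 192.168.30.5 8 0 192.168.20.10` should show the flow hitting the (outside,outside) identity NAT and the VPN encrypt phase rather than being dropped; the crypto ACLs on the two ASAs must be exact mirrors or the second SA for the pool will not negotiate.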

