Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.


Unanswered Question
Sep 10th, 2013
User Badges:


I need to allow a VPN CLIENT connected to a LAN behind a site-to-site vpn router to go out and connect to a different VPN server.

The issue is that the Router (configured for vpn site-to-site) intercepts the incomming IPSec messages from the other VPN server and the VPN client cannot connect.

How could I try to solve it?

Thanks a lot


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jeet Kumar Tue, 09/10/2013 - 13:10
User Badges:
  • Cisco Employee,


Could you please try to explain with the help of a network diagram?


Jeet Kumar

juliocarossella Tue, 09/10/2013 - 20:50
User Badges:

Yes, thank you for your response.

Here is the layout. There is a site-to-site VPN established and working fine between Site A and Site B.

It is necessary to access a third party network in site C by using a Cisco VPN Client, which is connected to LAN in site A, behind the gateway- router, as indicated.

VPN Client PC sends the initial request to router in Site C, but the response is intercepted by router in Site A, and it never reaches the Client VPN. I assume that the router tries to look for a SA, but as it doesn´t find any, discards the packet. How can I configure the router to permit this packet to go through the router (NAT) and to reach the internal PC?

Thanks again.

Karsten Iwen Tue, 09/10/2013 - 23:33
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

You need to use a different IP for your user-sessions then you use for your L2L-sessions. If you don't have multiple IPs you have to change the VPN-technologie. For the client-connection that could be Anyconnect-SSL or for example IPSec over TCP if you have to use the legacy VPN-client.

Sent from Cisco Technical Support iPad App

juliocarossella Wed, 09/11/2013 - 17:44
User Badges:

Thank you for your answer.

If you are so kind I´ll need some futher reference to some links explaining the alternatives: for instance, I cannot figure how two different IP addresses could help. May be I guess somewhat about running IPSec over TCP, and I am looking if we could make the Site C organization is able to configure this way for us.

Thanks a lot and I´ll appreciate further references.



juliocarossella Wed, 09/18/2013 - 05:42
User Badges:

Hi Jeet:

I already posted the diagram. Any input? I´ll appreciate it

This forum doesn´t seem to be a meteoric, up and doing forum ...


jlmickens Mon, 12/09/2013 - 13:23
User Badges:

A bit late to the party, but if you haven't resolved your issue, the problem is most likely your NAT.  If you're overloading all outbound traffic to the same IP address that your site-to-site traffic is built to, then your router is going to think that the IPSEC traffic is coming to it, not to your inside client.  You will need to NAT your traffic to a different IP address.  I would give the client machine a different static NAT to get around this - or change your overload NAT so that it's a different IP than your VPN.

Example.  If all your site A traffic is using and your VPN tunnels are also built to, then change one of them to, or give your one workstation a static NAT of so that the router can differentiate.


This Discussion

Related Content