Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Redirecting and NATting traffic from one VPN-Tunnel to another


I'm currently facing a problem in our environment, of which I'm not sure how to solve.

There are 3 Firewalls: 


"Customer" -----vpn------ "IT"------vpn------ "DC"


There is a VPN tunnel between "Customer" and "IT" that is working. No NAT is used. Access to a DMZ on "IT" is working properly.

Now the customer came with another request: They need a tunnel between "IT" and "DC", so that clients from "Customer"-DMZ can connect to a server "DC"-DMZ, with our "IT"-FW in the middle.

Unfortunately, "DC" has the Subnet already in use, so they gave us a free IP to "PAT" the traffic towards them.

We have already a similar construct in use, which is working, but there is no NAT/PAT in between.


On "IT"-FW the tunnels are both established on the outside interface. 

"same-security-traffic permit intra-interface" command is set.



In this case I get the packets from Customer, but they are not forwarded properly to the DC. According to a packet trace, it is a NAT-Problem.

The NAT command that we use on "IT"-FW is:

nat (outside,outside) source dynamic obj- obj- destination static obj- obj-


obj- -> Client network

obj- -> IP for PAT towards "DC"

obj- -> IP range at "DC", where servers are located



input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed



Any ideas?



Super Bronze

Hi, Any reason why you are



Any reason why you are not configuring the L2L VPN connection directly between the 2 firewall/vpn devices? I understood that you currently have the connections going through 2 L2L VPN connections?


I don't think you are able to use "packet-tracer" to test/simulate a packet incoming from a VPN connection going to another VPN connection.


I would also suggest doing possible NAT configuration closes to the user. So you could do the Dynamic Policy PAT on Customer firewall.


The actual NAT configuration seems fine.


Have you checked your Crypto ACLs that they hold the correct subnets/addresses? I guess if you tried with your current setup the Crypto ACLs should hold the following subnets/addresses on the IT firewall


Customer to IT: Real Customer subnet as source and Real DC subnet as the destination

IT to DC: Dynamic Policy PAT IP address as the source and Real DC subnet as the destination (As NAT is applied before any VPN related is matched)


When you test traffic from Customer subnet can you see the Dynamic Policy PAT being applied on the IT firewall? Can you see any packets being encapsulated to the IT -> DC L2L VPN connection?

You can use the following command to show the information


show crypto ipsec sa peer <peer ip>


- Jouni



CreatePlease to create content