Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Site to Site VPN & Nat Traversal

I have setup a site to to site VPN tunnel with another company and they are not using an ASA - I am bit new to this and i have encountered an issue that you gurus would resolve in a minute.

The tunnel is up and working but when the guy at the other ends tries to RDP to a serve on my side he cannot connect

I ran the debug util and saw his IP address and captured the error - see below

type 8 code 0 denied due to nat reverse path failure

I am really not sure how to resolve - any easy help would be great as i am really stuck

Cheers this is my 1st Post !!

Community Member

Re: Site to Site VPN & Nat Traversal

Hi Steve

There are two access lists used in a typical IPsec VPN configuration. One access list is used to exempt traffic that is destined for the VPN tunnel from the NAT process. The other access list defines what traffic to encrypt, be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. Are you able to post the ACL's.

Crypto and no Nat statements.

Regards MJ

Community Member

Re: Site to Site VPN & Nat Traversal

Thanks I done some more digging and get an error

%ASA-3-713042: IKE Initiator unable to find policy: Intf outside, Src:*.*.*

Error Message

%ASA-3-713042: IKE Initiator unable to find policy: Intf interface_number, Src: source_address, Dst: dest_address


This message indicates that the IPsec fast path processed a packet that triggered IKE, but IKE's policy lookup failed. This error could be timing related. The ACLs that triggered IKE might have been deleted before IKE processed the initiation request. This problem will most likely correct itself.

Recommended Action

If the condition persists, check the L2L configuration, paying special attention to the type of ACL associated with crypto maps.

will have to look at it further

CreatePlease to create content